Client VPN + RADIUS: IP filtering not working

SOLVED
Miyo360
Getting noticed

Client VPN + RADIUS: IP filtering not working

hi,

 

I followed the guide here 

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

 

and have successfully setup RADIUS authentication for client vpn users. However, this guide gives full network access to all VPN clients. I would like to limit this to a single server, so I created an IP filter on the NAP Policy > Settings tab

 

IPv4, input filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

IPv4, output filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

 

I apply these changes and login as a VPN client. However, I am still able to access any network resource. I am not limited to just the server above.

 

I know I can create FW rules on the MX itself, but those rules cover the entire client VPN subnet. The plan is to eventually have different fine-grained policies for different user groups.

 

What am I missing?

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy).  More specifically it does not support any way to restrict client VPN user access.  Zero.

View solution in original post

10 REPLIES 10
ww
Kind of a big deal
Kind of a big deal

if i read correctly the nap policy is client based. so the vpn client needs to understand this. what client do you use?

Miyo360
Getting noticed

Thanks for the reply.

 

I'm using the Windows 10 built-in client, as documented here

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10

ww
Kind of a big deal
Kind of a big deal

sounds like win10 is not supported:  

 

https://en.m.wikipedia.org/wiki/Network_Access_Protection

BrechtSchamp
Kind of a big deal

Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

 

The only other way to do it seems to be using AD authentication instead of RADIUS. This document covers that setup, so I may investigate that option if I can't get NPS working.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...


@Miyo360 wrote:

Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

 


 

Indeed, that is a limitation of doing it that way.

 

However I'm afraid your idea may not work either. See this note:

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.  

🙄 What a pain. 

 

I can't create a 2nd client VPN profile, RADIUS won't work, AD authentication won't work. So I'm out of options on the Meraki/MX side?

 

Urgh. 

Miyo360
Getting noticed

That link refers to NAP (Network Access Protection).

 

I'm using NPS (Network Policy Server), so does that apply to NPS too...?

PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy).  More specifically it does not support any way to restrict client VPN user access.  Zero.

PhilipDAth
Kind of a big deal
Kind of a big deal

>That link refers to NAP (Network Access Protection).

 

NAP is deprecated by Microsoft and does not work in newer OSs.  Don't deploy this technology.  If you can get it working because you have old OSs on your servers and clients you will loose the functionality as soon as you upgrade them.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels