Meraki

Community

Client VPN + RADIUS: IP filtering not working

Solved
Miyo360
Getting noticed
‎Nov 14 2019 3:37 AM
‎Nov 14 2019 3:37 AM

Client VPN + RADIUS: IP filtering not working

hi,

 

I followed the guide here 

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

 

and have successfully setup RADIUS authentication for client vpn users. However, this guide gives full network access to all VPN clients. I would like to limit this to a single server, so I created an IP filter on the NAP Policy > Settings tab

 

IPv4, input filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

IPv4, output filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

 

I apply these changes and login as a VPN client. However, I am still able to access any network resource. I am not limited to just the server above.

 

I know I can create FW rules on the MX itself, but those rules cover the entire client VPN subnet. The plan is to eventually have different fine-grained policies for different user groups.

 

What am I missing?

0 Kudos
1 Accepted Solution
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 14 2019 11:12 AM
‎Nov 14 2019 11:12 AM

Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy).  More specifically it does not support any way to restrict client VPN user access.  Zero.

View solution in original post

0 Kudos
10 Replies 10
ww
Kind of a big deal
Kind of a big deal
‎Nov 14 2019 4:00 AM
‎Nov 14 2019 4:00 AM

if i read correctly the nap policy is client based. so the vpn client needs to understand this. what client do you use?

0 Kudos
In response to ww
Miyo360
Getting noticed
‎Nov 14 2019 4:01 AM
‎Nov 14 2019 4:01 AM

Thanks for the reply.

 

I'm using the Windows 10 built-in client, as documented here

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10

0 Kudos
In response to Miyo360
ww
Kind of a big deal
Kind of a big deal
‎Nov 14 2019 4:04 AM
‎Nov 14 2019 4:04 AM

sounds like win10 is not supported:  

 

https://en.m.wikipedia.org/wiki/Network_Access_Protection

0 Kudos
In response to ww
BrechtSchamp
Kind of a big deal
‎Nov 14 2019 4:58 AM
‎Nov 14 2019 4:58 AM

Can't you use L3 firewall rules as described here:

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

0 Kudos
In response to BrechtSchamp
Miyo360
Getting noticed
‎Nov 14 2019 6:51 AM
‎Nov 14 2019 6:51 AM

Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

 

The only other way to do it seems to be using AD authentication instead of RADIUS. This document covers that setup, so I may investigate that option if I can't get NPS working.

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

In response to Miyo360
BrechtSchamp
Kind of a big deal
‎Nov 14 2019 7:33 AM
‎Nov 14 2019 7:33 AM

@Miyo360 wrote:

Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

 

 

Indeed, that is a limitation of doing it that way.

 

However I'm afraid your idea may not work either. See this note:

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.  

0 Kudos
In response to BrechtSchamp
Miyo360
Getting noticed
‎Nov 14 2019 8:41 AM
‎Nov 14 2019 8:41 AM

🙄 What a pain. 

 

I can't create a 2nd client VPN profile, RADIUS won't work, AD authentication won't work. So I'm out of options on the Meraki/MX side?

 

Urgh. 

0 Kudos
In response to ww
Miyo360
Getting noticed
‎Nov 14 2019 5:11 AM
‎Nov 14 2019 5:11 AM

That link refers to NAP (Network Access Protection).

 

I'm using NPS (Network Policy Server), so does that apply to NPS too...?

0 Kudos
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 14 2019 11:12 AM
‎Nov 14 2019 11:12 AM

Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy).  More specifically it does not support any way to restrict client VPN user access.  Zero.

0 Kudos
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 14 2019 11:13 AM
‎Nov 14 2019 11:13 AM

>That link refers to NAP (Network Access Protection).

 

NAP is deprecated by Microsoft and does not work in newer OSs.  Don't deploy this technology.  If you can get it working because you have old OSs on your servers and clients you will loose the functionality as soon as you upgrade them.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.