Client VPN + RADIUS: IP filtering not working
Getting noticed

Hi,

I followed the guide here

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

and have successfully set up RADIUS authentication for client VPN users. However, this guide gives full network access to all VPN clients. I would like to limit this to a single server, so I created an IP filter on the NAP Policy > Settings tab:

IPv4, input filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

IPv4, output filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255

I apply these changes and log in as a VPN client. However, I am still able to access any network resource. I am not limited to just the server above.

I know I can create FW rules on the MX itself, but those rules cover the entire client VPN subnet. The plan is to eventually have different fine-grained policies for different user groups.

What am I missing?

1 ACCEPTED SOLUTION

Kind of a big deal

Re: Client VPN + RADIUS: IP filtering not working

Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy).  More specifically it does not support any way to restrict client VPN user access.  Zero.

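Before concluding that the MX is discarding an attribute, it helps to decode what the NPS actually put in its Access-Accept (for example from a capture of the RADIUS exchange). The following is an added example, not code from this thread, from Meraki or from Microsoft: it builds and decodes an RFC 2865 Access-Accept carrying the Filter-Id attribute named above, checks the Response Authenticator against the shared secret, and rejects malformed attribute lengths; the identifier, secret and attribute values are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11

def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body

def parse_packet(pkt, request_authenticator=None, secret=None):
    """Decode attributes (rejecting malformed lengths); verify the Response Authenticator if both
    the matching request authenticator and shared secret are given, else 'verified' is None."""
    code, ident, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, 0, -1)
    if length != len(pkt):
        raise ValueError("bad or truncated RADIUS length")
    attrs, offset = [], 20
    while offset < length:
        attr_len = pkt[offset + 1] if offset + 2 <= length else 0
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((pkt[offset], pkt[offset + 2:offset + attr_len]))
        offset += attr_len
    verified = None if request_authenticator is None or secret is None else hmac.compare_digest(
        hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest(), pkt[4:20])
    return {"code": code, "id": ident, "attrs": attrs, "verified": verified}

def filter_ids(parsed):
    """Every Filter-Id the server returned; empty means no ACL name was even offered to the NAS."""
    return [v.decode("utf-8", "replace") for t, v in parsed["attrs"] if t == ATTR_FILTER_ID]

if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"  # constructed stand-ins
    pkt = build_access_accept(7, req_auth, secret, [(ATTR_USER_NAME, b"alice"), (ATTR_FILTER_ID, b"vpn-server-only")])
    parsed = parse_packet(pkt, req_auth, secret)
    print("Filter-Id:", filter_ids(parsed), "authenticator ok:", parsed["verified"])
```

Running the decoder over a captured reply shows whether Filter-Id (or any other attribute) was actually sent; if it was, the enforcement gap is on the NAS side, which is what the accepted answer says about the MX.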

10 REPLIES

ww (Kind of a big deal)

Re: Client VPN + RADIUS: IP filtering not working

If I read correctly, the NAP policy is client-based, so the VPN client needs to understand this. What client do you use?

Getting noticed

Re: Client VPN + RADIUS: IP filtering not working

Thanks for the reply.

I'm using the Windows 10 built-in client, as documented here:

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10

ww (Kind of a big deal)

Re: Client VPN + RADIUS: IP filtering not working

Sounds like Win10 is not supported:

https://en.m.wikipedia.org/wiki/Network_Access_Protection

Getting noticed

Re: Client VPN + RADIUS: IP filtering not working

Re your other comment about using L3 firewall, yes, I could use that, but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

The only other way to do it seems to be using AD authentication instead of RADIUS. This document covers that setup, so I may investigate that option if I can't get NPS working.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

Kind of a big deal

Re: Client VPN + RADIUS: IP filtering not working

@Miyo360 wrote:

> Re your other comment about using L3 firewall, yes, I could use that, but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.

Indeed, that is a limitation of doing it that way.

However, I'm afraid your idea may not work either. See this note:

> Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Getting noticed

Re: Client VPN + RADIUS: IP filtering not working

🙄 What a pain.

I can't create a 2nd client VPN profile, RADIUS won't work, AD authentication won't work. So I'm out of options on the Meraki/MX side?

Urgh.

Getting noticed

Re: Client VPN + RADIUS: IP filtering not working

That link refers to NAP (Network Access Protection).

I'm using NPS (Network Policy Server), so does that apply to NPS too...?


Kind of a big deal

Re: Client VPN + RADIUS: IP filtering not working

> That link refers to NAP (Network Access Protection).

NAP is deprecated by Microsoft and does not work in newer OSs. Don't deploy this technology. If you can get it working because you have old OSs on your servers and clients, you will lose the functionality as soon as you upgrade them.
