Client VPN + RADIUS: IP filtering not working
Hi,
I followed the guide here
https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN
and have successfully setup RADIUS authentication for client vpn users. However, this guide gives full network access to all VPN clients. I would like to limit this to a single server, so I created an IP filter on the NAP Policy > Settings tab
IPv4, input filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255
IPv4, output filter, permit only, destination address = 192.168.100.40, mask = 255.255.255.255
I apply these changes and log in as a VPN client. However, I am still able to access any network resource. I am not limited to just the server above.
I know I can create FW rules on the MX itself, but those rules cover the entire client VPN subnet. The plan is to eventually have different fine-grained policies for different user groups.
What am I missing?
Meraki client VPN functionality when used with RADIUS does not support ACLs or Filter-Id (for applying group policy). More specifically it does not support any way to restrict client VPN user access. Zero.
If I read correctly, the NAP policy is client-based, so the VPN client needs to understand this. What client do you use?
Thanks for the reply.
I'm using the Windows 10 built-in client, as documented here
https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10
Can't you use L3 firewall rules as described here:
Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.
The only other way to do it seems to be using AD authentication instead of RADIUS. This document covers that setup, so I may investigate that option if I can't get NPS working.
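The L3 firewall approach discussed above, written out as an added example (not code from this thread or from Meraki): an ordered rule list that permits the client VPN pool to reach one server and denies it everything else, a local first-match evaluator to sanity-check the rules before pushing them, and a helper that PUTs them to the MX. The source of both rules is the whole client VPN subnet, which is exactly the limitation described in the posts above. The API path and JSON field names follow the Meraki Dashboard API v1 (`PUT /networks/{networkId}/appliance/firewall/l3FirewallRules`) as I understand it and should be checked against current documentation; the subnet, network ID and API key are placeholders.

```python
"""Constructed example: restrict a Meraki client VPN subnet to one server
with MX L3 outbound firewall rules, and evaluate the rule list locally.

Added for illustration; not code from the thread or from Meraki. The API
path and JSON shape follow the Meraki Dashboard API v1
(PUT /networks/{networkId}/appliance/firewall/l3FirewallRules) as the
author understands it; verify against current documentation before use.
Network ID, API key, subnet and addresses are placeholders.
"""
import ipaddress
import json
import urllib.request

CLIENT_VPN_SUBNET = "10.10.10.0/24"      # placeholder client VPN address pool
ALLOWED_SERVER = "192.168.100.40/32"     # the single server from the post


def build_rules(vpn_subnet: str, allowed_dest: str) -> list[dict]:
    """Return an ordered rule list: allow vpn -> server, deny vpn -> anything else.

    The MX evaluates rules top-down and the first match wins, so the allow
    must come before the deny. Both rules key on the whole VPN subnet as
    source: the MX cannot distinguish individual RADIUS users here.
    """
    return [
        {
            "comment": "Client VPN users may reach the application server",
            "policy": "allow",
            "protocol": "any",
            "srcCidr": vpn_subnet,
            "srcPort": "any",
            "destCidr": allowed_dest,
            "destPort": "any",
            "syslogEnabled": False,
        },
        {
            "comment": "Block client VPN users from everything else",
            "policy": "deny",
            "protocol": "any",
            "srcCidr": vpn_subnet,
            "srcPort": "any",
            "destCidr": "Any",
            "destPort": "any",
            "syslogEnabled": True,   # log the denies so misconfigurations show up
        },
    ]


def _cidr_matches(cidr: str, addr: str) -> bool:
    """'Any' matches everything; otherwise test membership in the CIDR block."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: list[dict], src: str, dst: str) -> str:
    """Simulate first-match evaluation of a src/dst pair against the rule list.

    Traffic that matches no explicit rule falls through to the MX default
    rule, which permits it; that is why the explicit deny above is needed.
    """
    for rule in rules:
        if _cidr_matches(rule["srcCidr"], src) and _cidr_matches(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


def push_rules(api_key: str, network_id: str, rules: list[dict]) -> int:
    """PUT the rule list to the Dashboard API; returns the HTTP status.

    Not called at import time, so the module runs offline.
    """
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           "/appliance/firewall/l3FirewallRules")
    body = json.dumps({"rules": rules}).encode()
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    rules = build_rules(CLIENT_VPN_SUBNET, ALLOWED_SERVER)
    print(json.dumps(rules, indent=2))
    for dst in ("192.168.100.40", "192.168.100.41"):
        print(f"10.10.10.25 -> {dst}: {evaluate(rules, '10.10.10.25', dst)}")
```

Run it without arguments to print the rule JSON and the local evaluation; call `push_rules()` only once the evaluator confirms the intended host is allowed and a neighbouring host is denied. A VPN user who needs a different server would still receive the same rules, since the match is on the pool, not the account.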
@Miyo360 wrote:
> Re your other comment about using L3 firewall, yes, I could use that but it affects the entire VPN subnet. Using that method it is not possible to filter by user/group.
Indeed, that is a limitation of doing it that way.
However I'm afraid your idea may not work either. See this note:
Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
🙄 What a pain.
I can't create a second client VPN profile, RADIUS won't work, AD authentication won't work. So I'm out of options on the Meraki/MX side?
Urgh.
That link refers to NAP (Network Access Protection).
I'm using NPS (Network Policy Server), so does that apply to NPS too...?
> That link refers to NAP (Network Access Protection).
NAP is deprecated by Microsoft and does not work in newer OSs. Don't deploy this technology. If you can get it working because you have old OSs on your servers and clients, you will lose the functionality as soon as you upgrade them.
