I have seen a couple of messages lightly touch on the topic of Active Directory security groups, but they did not convey the exact information I am seeking. Is it possible to use an Active Directory security user group as an additional layer of security in combination with the Meraki client VPN and DUO MFA's radius server? I have used Cisco AnyConnect and FortiGate in the past, and granting access to the VPN was done by adding a user account into an Active Directory security group. It was basically a third layer of security. Thank you in advance.
I will assume you are using the Windows client VPN and RADIUS to Duo.
The answer is yes, and there is more than one way.
If you use LDAP between the Duo auth proxy and Active Directory, then use the "security_group_dn" option.
https://duo.com/docs/authproxy-reference
If you are using RADIUS between the Duo auth proxy and Windows NPS, you can have Windows NPS directly check for the user being a member of an AD group.
And to leave you with something to think about - I rarely do these kinds of configs anymore. For all new installs I use Cisco AnyConnect and SAML authentication. Cisco AnyConnect is an additional licence, but not that expensive.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication
In the case of Duo, all plans come with Duo Central, and you can authenticate directly against that.
When you create your SAML app in Duo you can specify a group that is allowed to use AnyConnect.
https://duo.com/docs/using-groups#using-groups-to-manage-application-access
Some cool things you can do with SAML and Duo:
Apart from the user auditing and reporting, all the other things can only be done using SAML authentication.
I would mention that you can also SAML authenticate against Office 365 - but you said you wanted to match on a group - and you can't do that with Azure AD (you have to authorize each individual user).
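For the LDAP route described in that answer, the following authproxy.cfg is an added illustration, not configuration from the original post or from Duo's documentation. It assumes the Windows native VPN client on the MX sends RADIUS to the Duo Authentication Proxy, the proxy checks the AD group before Duo is contacted, and all hostnames, DNs, keys and addresses below are placeholders:

```ini
; [ad_client] is the primary authenticator: the proxy binds to AD over LDAP
; with a low-privilege service account and verifies the user's password there.
[ad_client]
host=dc1.example.local
; optional second domain controller for resilience
host_2=dc2.example.local
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local
; Only members of this group pass primary authentication.
; A valid password from a user outside the group is rejected before
; Duo's second factor is ever requested (the "third layer" from the question).
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=local

; [radius_server_auto] is what the MX talks to. It accepts the RADIUS request,
; delegates primary auth to [ad_client], then pushes the Duo factor automatically.
[radius_server_auto]
ikey=REPLACE_WITH_DUO_INTEGRATION_KEY
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; the MX's address as seen by the proxy, and the shared secret entered in Dashboard
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
client=ad_client
port=1812
; "safe" lets primary-auth-only logins through if Duo's cloud is unreachable;
; use "secure" if you would rather fail closed.
failmode=safe
```

Two practical checks after saving the file: restart the Duo Security Authentication Proxy service so the new settings load, and test with an account that has a correct password but is not in the group. That login should be refused without a Duo push, which confirms the group check is doing its job rather than only the second factor.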
Hello PhilipDAth,
I do have another question regarding DUO and SAML. Can this configuration also work with the DUO app on a phone and allow the user to answer yes or no to approve the sign-on?
That is the most typical configuration.
You can also enable additional methods like TXT authentication, Duo token authentication, etc.
Thank you once more! This helps a bunch.
PhilipDAth, thank you for all the information. Yes, I am currently working with the Windows native VPN client. Thanks for the additional information on AnyConnect. This appears to be a good option too. The next step will be the deployment of the client application. We are not using Azure.