Duo Authentication Proxy and Client VPN

Beezo

Hi all,

I've hit a roadblock in my Duo Auth Proxy deployment. On a basic level, I have multiple sites using Meraki's Client VPN that previously authenticated using AD and an NPS to pass through a filter-id to Meraki, determining which group policy to apply to the client.

The issue enters with the Duo Auth Proxy. Duo's documentation would have me believe that Meraki's Client VPN configuration should point to my Duo Auth Proxy server as the RADIUS server. This server sits between my Meraki MX device and my NPS: Client -> Meraki Site -> Duo Auth Proxy -> NPS.

The problem with this configuration is that all connection requests coming in to my NPS are received from the Duo Auth Proxy RADIUS client. This means I cannot use the site's IP/Client Friendly Name as a filter for my NPS network policies. I have configured the Duo Auth Proxy to pass through all RADIUS attributes, but this fails to pass through the RADIUS Client information.

Does anyone have a recommendation for this situation? Perhaps a custom RADIUS attribute I can add in Meraki for each site to pass or a different configuration I can test out?

Thanks!

PhilipDAth

>This means I cannot use the site's IP/Client Friendly Name as a filter for my NPS network policies

I've never tried creating NPS policies that way - and you are right; that method won't work. What I have done is match on AD groups and that works fine.
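
Why passing through all attributes does not carry the RADIUS client identity, shown as an added example that is not part of the original thread: a RADIUS server identifies its client by the source address of the datagram, and a proxy sends a new datagram from its own address. All IP addresses, friendly names and attribute values are constructed, and `proxy_forward` is a simplified model of a pass-through proxy, not Duo's code.

```python
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # attribute types from RFC 2865

def build_request(ident, attrs):
    """Encode Access-Request: code=1, id, length, authenticator, then TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Authenticator is zeroed here; a real client uses 16 random bytes.
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return the (type, value) attributes carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

PROXY_IP = "10.0.0.5"  # constructed address of the proxy
# Constructed RADIUS client table on the server: source IP -> friendly name.
RADIUS_CLIENTS = {"192.0.2.10": "Site-A-MX", "198.51.100.10": "Site-B-MX", PROXY_IP: "DuoProxy"}

def proxy_forward(packet, new_ident):
    """Simplified pass-through: same attributes, new datagram from the proxy."""
    return PROXY_IP, build_request(new_ident, parse_attrs(packet))

def client_friendly_name(source_ip):
    """The server looks the client up by datagram source, not by attribute."""
    return RADIUS_CLIENTS.get(source_ip, "unknown")

def compare(site_ip, user):
    """Return (name if direct, name via proxy, attributes preserved?)."""
    pkt = build_request(7, [(USER_NAME, user.encode()), (CALLING_STATION_ID, b"203.0.113.77")])
    src, fwd = proxy_forward(pkt, 42)
    return client_friendly_name(site_ip), client_friendly_name(src), parse_attrs(fwd) == parse_attrs(pkt)

if __name__ == "__main__":
    for site in ("192.0.2.10", "198.51.100.10"):
        print(site, compare(site, "alice"))
```

Both sites resolve to the same friendly name once the proxy is in the path, even though every attribute arrives intact.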
