Duo MFA for Meraki Cloud Authenticated users?

Solved
WarrenG
Getting noticed

Is it possible to use Duo to require MFA for Meraki Cloud Authenticated users while using Meraki Client VPN? Specifically we need to use the AnyConnect option with Meraki Cloud Authenticated users, but need to be able to protect that connection further with MFA. Is this scenario possible?

Inderdeep
Kind of a big deal

@WarrenG Check this one out, it may help

https://documentation.meraki.com/General_Administration/Other_Topics/Two-Factor_Authentication 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
WarrenG
Getting noticed

So the answer is no then?

PhilipDAth
Kind of a big deal

No.

You could use AnyConnect and Duo, and authenticate against Office 365. I would use this option.

You could use a machine running inside of the network running the Duo Auth proxy and configure the MX to do RADIUS against it, and have the auth proxy configured to do MFA only.

This would result in the username+MFA being used, but the password being ignored.
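
The MFA-only proxy option from the reply above, written out as a Duo Authentication Proxy `authproxy.cfg`. This is an added example, not part of the original post; every value is a placeholder, and the MX address and shared secret are assumptions.

```ini
; authproxy.cfg on the Duo Authentication Proxy host inside the network.
; All values are placeholders constructed for this example.

; No primary authentication source is configured: the proxy performs the
; Duo second factor only. The password sent by the VPN client is not
; checked against any directory.
[duo_only_client]

; RADIUS listener that the MX uses as its AnyConnect authentication server.
[radius_server_auto]
; Integration key, secret key and API hostname of the Duo application.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Assumed address of the MX acting as RADIUS client, and the shared secret
; that must match the one entered on the MX.
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_WITH_SHARED_SECRET
; Use the MFA-only client section defined above.
client=duo_only_client
; Reject logins when the Duo service cannot be reached.
failmode=secure
port=1812
```

With this layout, access rests on the username plus the Duo approval alone, so the proxy host and the RADIUS shared secret need the same protection as any other authentication server.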

WarrenG
Getting noticed

Thanks PhilipDAth. If the answer to my question is no, then that's what I was looking for. I know about the other options, but they are not viable for what I'm needing in this specific case.

JRSac
Comes here often

So, did you ever get this to work? I would like to do the same - use Meraki cloud authenticated users and an MFA like duo without having to install and maintain a proxy server.

WarrenG
Getting noticed

No, we ended up going with what I think was a better option for us, i.e. authenticating against Microsoft 365 user accounts instead of Meraki cloud user accounts. The benefit of this option is that we can leverage Microsoft's built-in MFA as opposed to needing a separate third-party option like Duo.

JRSac
Comes here often

Thank you. I will try to research how to do that. We have Microsoft 365 and would need to restrict to a VPN user group.

WarrenG
Getting noticed

The link below should be helpful if that's the way you plan to go. It's pretty slick once you have it up and running 👍

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...

JRSac
Comes here often

Thank you. If I can ask, which type of two factor are you using for the client authentication?

WarrenG
Getting noticed

Yep, we use the two-factor authentication that's built into Microsoft 365. You should have MFA enabled for all your users already, but you can also add it as a specific requirement for the VPN connections via a conditional access policy that targets the VPN application that you will create in Entra.
