Meraki

Community

Feature Request: Apply group policies to Client VPN

MillerJ
Conversationalist
‎May 4 2018 8:45 AM
‎May 4 2018 8:45 AM

Feature Request: Apply group policies to Client VPN

We love the Group Policy feature that allows us to apply traffic shaping, firewall rules, and bandwidth restrictions to certain VLAN's, clients, or users. Unfortunately it is not possible to apply group policies to client vpn! This seems like a huge oversight and we would love for this option to be made available.

Labels:
21 Replies 21
MRCUR
Kind of a big deal
‎May 4 2018 9:14 AM
‎May 4 2018 9:14 AM

You can set the group policy of client VPN connections. Select the connection under network wide - clients and then you can set the policy directly on the connection. 

 

This isn't automated, but it is possible today. 

MRCUR | CMNO #12
0 Kudos
In response to MRCUR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 4 2018 1:42 PM
‎May 4 2018 1:42 PM

This isn't a great fix @MRCUR.  For a start, you can't apply the policy until the user has connected (so you can see them).

Next if they connect rarely (say annually to provide support) and they age out, you have to re-apply that policy, but only after they have connected.

 

The policy needs to be applied at the user level, before they connect.

 

I tried applying a policy using RADIUS and the Filter-ID attribute (that other bits of Meraki kit use) but alas it ignored it.  We really need Filter-Id RADIUS support as well.

0 Kudos
In response to PhilipDAth
MRCUR
Kind of a big deal
‎May 4 2018 2:12 PM
‎May 4 2018 2:12 PM

@PhilipDAth I'm not saying it's a great fix. But it is an option today which is better than no option at all. 

MRCUR | CMNO #12
In response to MRCUR
Ahoste
Getting noticed
‎Aug 20 2020 10:09 AM
‎Aug 20 2020 10:09 AM

Hi,

is there still no solution to this?
we use meraki authentication for VPN access and there still seems no pre-applied policy available.

in the client list however the already connected clients are visible.

Like you suggested I applied a policy to that user once logged in. but the grouppolicy is not overriding the layer 3 policies on the client vpn page.

Did this ever work on your network?
cheers

0 Kudos
Hoffmaster1224
Here to help
‎Aug 7 2018 1:07 PM
‎Aug 7 2018 1:07 PM

Where are we on this? I wanted to move from the ASA to this device, I can't because I can't restrict them.  I can't believe this isn't a feature at this point.

GiacomoS
Meraki Employee
Meraki Employee
‎Aug 12 2018 6:04 AM
‎Aug 12 2018 6:04 AM

Hey guys,

 

Have you tried creating the clients via mac address and applying the policy prior to the client creation? 

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Pre-configure_Network_Policy_f...

 

Thanks!

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
In response to GiacomoS
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 12 2018 12:26 PM
‎Aug 12 2018 12:26 PM

How do you find the MAC address for a VPN client?

0 Kudos
In response to PhilipDAth
GiacomoS
Meraki Employee
Meraki Employee
‎Aug 12 2018 10:41 PM
‎Aug 12 2018 10:41 PM

Hey @PhilipDAth , 

 

I would expect to have to request it from the client itself (e.g.: ipconfig) . The only thing I haven't tried is if the MX is going to recognise it, as it normally reports the VPN clients from an IP perspective rather than a mac (which I assume is what you were getting at). 

 

It would be interesting to try it out.

 

Cheers!

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
0 Kudos
Fady
Meraki Employee
Meraki Employee
‎Aug 12 2018 11:14 PM
‎Aug 12 2018 11:14 PM

Hi @MillerJ

 

There is no workaround to apply different Group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request. I think its valid request and by using make a wish section will help our product and engineering teams to consider these new enhancements. 

0 Kudos
In response to Fady
Hoffmaster1224
Here to help
‎Aug 14 2018 6:48 AM
‎Aug 14 2018 6:48 AM

done!
0 Kudos
WarrenG
Getting noticed
‎Oct 1 2018 9:06 PM
‎Oct 1 2018 9:06 PM

We desperately need this feature too. We have a situation where a client has asked us to block access to company email (Office 365) for all employees after hours. They use a range of devices both internally and externally to access their email. Neither Microsoft nor any other third party vendors (I've asked Okta, Duo, Jumpcloud, Onelogin etc) offer any kind of schedule-based access. The best shot I have (had??) at a solution is to require all Office 365 traffic to originate from the corporate IP address. In order to accomplish this we would require all devices to VPN into the corporate network first in order to access email. From there we could implement a Group Policy with a schedule and URL blocking and apply it to all clients, except that Meraki DOESN'T SUPPORT GROUP POLICY FOR CLIENT VPN!!!! C'mon guys, you have a shot here at being frikkin heroes. Yes, I've submitted a request via the Make A Wish button too.

0 Kudos
In response to WarrenG
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 1 2018 10:13 PM
‎Oct 1 2018 10:13 PM

You could try using the Office 365 API (known as the Graph API).  It looks like you could use the "Update User" method, and either set accountEnabled to true (at beginning of the day) or false (at the end of the day).

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_update

 

The schedule a script in the morning to enable accounts and in the evening to disable accounts.

 

 

If you are using the DirSync connector you could also just set the attribute in Active Directory morning and night and let it replicate.

0 Kudos
loftmyndCH
Here to help
‎Sep 6 2019 5:10 AM
‎Sep 6 2019 5:10 AM

Where are we with this Ticket @meraki_ -- any solutions? i have pushed a wish in the dashboard... we need to give different vpn users different access - if we can apply group policies to client vpn users, our problem is solved - but now everyone sees everything. thats very unsafe!!

neonbronze
New here
‎Jun 3 2021 10:43 AM
‎Jun 3 2021 10:43 AM

Any updates on this? It's been almost three years since it was submitted as a feature request...

 

We're currently implementing the workaround described above, where you wait for the client to connect and then assign the group policy to the client device, but this is a really hacky solution that ends up being way more labour intensive than being able to simply add the VPN user accounts to the group policy.

0 Kudos
In response to neonbronze
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 3 2021 1:23 PM
‎Jun 3 2021 1:23 PM

This feature is available in the new AnyConnect client support (you can specify both a default group policy for all AnyConnect users and do per-user overrides with RADIUS).  With AnyConnect being so much better - I can't see any work being done on the old client VPN anymore.  Also, AnyConnect is not very expensive.

 

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies 

In response to PhilipDAth
lpopejoy
A model citizen
‎Jun 4 2021 5:33 AM
‎Jun 4 2021 5:33 AM

@PhilipDAth , do you know if you can support MFA w/ AnyConnect?  

 

0 Kudos
In response to lpopejoy
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jun 4 2021 5:45 AM
‎Jun 4 2021 5:45 AM

Yes, though not natively. With Duo for example, this is being handled by their AuthProxy component acting as the RADIUS server:

https://duo.com/docs/cisco

0 Kudos
In response to CptnCrnch
lpopejoy
A model citizen
‎Jun 4 2021 5:51 AM
‎Jun 4 2021 5:51 AM

Yeah, ok. Too bad!  Doesn't that duo setup require running an on-prem server for that proxy?

0 Kudos
In response to lpopejoy
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jun 4 2021 6:24 AM
‎Jun 4 2021 6:24 AM

Yeah, it requires the so called "Authentication Proxy" that connects your user login (via RADIUS), your AD and Duo cloud.

 

But it's the same thing with NPS (whoever actually wants to use this piece of software). You'll get a Plugin that enables you to use Azure MFA.

0 Kudos
In response to PhilipDAth
Chris144
Comes here often
‎Aug 12 2022 7:39 AM
‎Aug 12 2022 7:39 AM

would be nice if there will be a solution without an external Radius-Server

0 Kudos
In response to Chris144
Seirui
Just browsing
‎Dec 30 2022 10:58 AM
‎Dec 30 2022 10:58 AM

SAML support is available, but you need to call Meraki support to have them enable it for the client VPN. That allows you to Auth straight to Duo, Okta, AzureAD, etc, without the RADIUS server.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

 

I'm still not sure of what kind of policy control you'd be able to apply, though.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.