Feature Request: Apply group policies to Client VPN

MillerJ
Conversationalist

We love the Group Policy feature that allows us to apply traffic shaping, firewall rules, and bandwidth restrictions to certain VLANs, clients, or users. Unfortunately it is not possible to apply group policies to client VPN! This seems like a huge oversight and we would love for this option to be made available.

MRCUR
Kind of a big deal

You can set the group policy of client VPN connections. Select the connection under Network-wide > Clients and then you can set the policy directly on the connection.

This isn't automated, but it is possible today. 

MRCUR | CMNO #12
PhilipDAth
Kind of a big deal

This isn't a great fix @MRCUR. For a start, you can't apply the policy until the user has connected (so you can see them).

Next, if they connect rarely (say annually to provide support) and they age out, you have to re-apply that policy, but only after they have connected.

The policy needs to be applied at the user level, before they connect.

I tried applying a policy using RADIUS and the Filter-Id attribute (that other bits of Meraki kit use) but alas it ignored it. We really need Filter-Id RADIUS support as well.

MRCUR
Kind of a big deal

@PhilipDAth I'm not saying it's a great fix. But it is an option today which is better than no option at all. 

Ahoste
Getting noticed

Hi,

Is there still no solution to this?
We use Meraki authentication for VPN access, and there still seems to be no pre-applied policy available.

In the client list, however, the already connected clients are visible.

Like you suggested, I applied a policy to that user once logged in, but the group policy is not overriding the layer 3 policies on the client VPN page.

Did this ever work on your network?
Cheers

Hoffmaster1224
Here to help

Where are we on this? I wanted to move from the ASA to this device, but I can't because I can't restrict them. I can't believe this isn't a feature at this point.

GiacomoS
Meraki Employee

Hey guys,

Have you tried creating the clients via MAC address and applying the policy prior to the client creation?

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Pre-configure_Network_Policy_f...

Thanks!

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
PhilipDAth
Kind of a big deal

How do you find the MAC address for a VPN client?

Hey @PhilipDAth,

I would expect to have to request it from the client itself (e.g. ipconfig). The only thing I haven't tried is whether the MX is going to recognise it, as it normally reports the VPN clients from an IP perspective rather than a MAC (which I assume is what you were getting at).

It would be interesting to try it out.

Cheers!

Giacomo

Fady
Meraki Employee

Hi @MillerJ

There is no workaround to apply different group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it's a valid request, and using the Make a Wish section will help our product and engineering teams consider these new enhancements.

Done!
WarrenG
Getting noticed

We desperately need this feature too. We have a situation where a client has asked us to block access to company email (Office 365) for all employees after hours. They use a range of devices both internally and externally to access their email. Neither Microsoft nor any other third party vendors (I've asked Okta, Duo, Jumpcloud, Onelogin etc) offer any kind of schedule-based access. The best shot I have (had??) at a solution is to require all Office 365 traffic to originate from the corporate IP address. In order to accomplish this we would require all devices to VPN into the corporate network first in order to access email. From there we could implement a Group Policy with a schedule and URL blocking and apply it to all clients, except that Meraki DOESN'T SUPPORT GROUP POLICY FOR CLIENT VPN!!!! C'mon guys, you have a shot here at being frikkin heroes. Yes, I've submitted a request via the Make A Wish button too.

PhilipDAth
Kind of a big deal

You could try using the Office 365 API (known as the Graph API). It looks like you could use the "Update User" method, and either set accountEnabled to true (at the beginning of the day) or false (at the end of the day).

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_update

Then schedule a script in the morning to enable accounts and in the evening to disable accounts.

If you are using the DirSync connector you could also just set the attribute in Active Directory morning and night and let it replicate.
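
Here is how the Graph-based schedule described above could be scripted; this is an added example, not code from the thread. It assumes an Azure AD app registration used with the client-credentials grant and the User.ReadWrite.All application permission, the v1.0 "Update user" endpoint (the thread links the beta one), an 08:00-18:00 weekday window, and the TENANT_ID/CLIENT_ID/CLIENT_SECRET environment variable names (all assumptions).

```python
import json
import os
import sys
import time
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
BUSINESS_HOURS = (8, 18)  # assumed work day: 08:00-18:00 local time, Mon-Fri

def desired_state(weekday, hour, hours=BUSINESS_HOURS):
    """True when sign-in should be allowed (weekday 0=Mon inside business hours)."""
    start, end = hours
    return weekday < 5 and start <= hour < end

def get_token(tenant, client_id, client_secret):
    """Client-credentials grant; the app needs the User.ReadWrite.All permission."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def build_update(user, enabled):
    """PATCH /users/{id or UPN} with only accountEnabled in the body."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(user)}",
        data=json.dumps({"accountEnabled": enabled}).encode(),
        method="PATCH",
    )
    req.add_header("Content-Type", "application/json")
    return req

def set_account_enabled(token, user, enabled):
    req = build_update(user, enabled)
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Graph answers 204 No Content on success

if __name__ == "__main__":
    # Run from a scheduler morning and evening; env var names are assumptions.
    now = time.localtime()
    enabled = desired_state(now.tm_wday, now.tm_hour)
    token = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    for upn in sys.argv[1:]:  # user principal names passed on the command line
        print(upn, "enabled" if enabled else "disabled", set_account_enabled(token, upn, enabled))
```

Disabling the account blocks new sign-ins but does not revoke tokens already issued, so pair it with a short token lifetime or a revokeSignInSessions call if sessions must end at the cut-off.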

loftmyndCH
Here to help

Where are we with this ticket @meraki_ -- any solutions? I have pushed a wish in the dashboard... We need to give different VPN users different access. If we can apply group policies to client VPN users, our problem is solved, but now everyone sees everything. That's very unsafe!!

neonbronze
New here

Any updates on this? It's been almost three years since it was submitted as a feature request...

We're currently implementing the workaround described above, where you wait for the client to connect and then assign the group policy to the client device, but this is a really hacky solution that ends up being way more labour-intensive than being able to simply add the VPN user accounts to the group policy.

This feature is available in the new AnyConnect client support (you can specify both a default group policy for all AnyConnect users and do per-user overrides with RADIUS). With AnyConnect being so much better, I can't see any work being done on the old client VPN anymore. Also, AnyConnect is not very expensive.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies

@PhilipDAth, do you know if you can support MFA w/ AnyConnect?

CptnCrnch
Kind of a big deal

Yes, though not natively. With Duo for example, this is being handled by their AuthProxy component acting as the RADIUS server:

https://duo.com/docs/cisco

Yeah, ok. Too bad! Doesn't that Duo setup require running an on-prem server for that proxy?

CptnCrnch
Kind of a big deal

Yeah, it requires the so-called "Authentication Proxy" that connects your user login (via RADIUS), your AD and the Duo cloud.

But it's the same thing with NPS (whoever actually wants to use this piece of software). You'll get a plugin that enables you to use Azure MFA.

Would be nice if there were a solution without an external RADIUS server.

SAML support is available, but you need to call Meraki support to have them enable it for the client VPN. That allows you to auth straight to Duo, Okta, Azure AD, etc., without the RADIUS server.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

I'm still not sure what kind of policy control you'd be able to apply, though.
