Feature Request: Apply group policies to Client VPN

We love the Group Policy feature that allows us to apply traffic shaping, firewall rules, and bandwidth restrictions to certain VLANs, clients, or users. Unfortunately it is not possible to apply group policies to client VPN! This seems like a huge oversight and we would love for this option to be made available.

12 REPLIES
Kind of a big deal

Re: Feature Request: Apply group policies to Client VPN

You can set the group policy of client VPN connections. Select the connection under network wide - clients and then you can set the policy directly on the connection. 

 

This isn't automated, but it is possible today. 

MRCUR | CMNO #12
Kind of a big deal

Re: Feature Request: Apply group policies to Client VPN

This isn't a great fix @MRCUR.  For a start, you can't apply the policy until the user has connected (so you can see them).

Next if they connect rarely (say annually to provide support) and they age out, you have to re-apply that policy, but only after they have connected.

 

The policy needs to be applied at the user level, before they connect.

 

I tried applying a policy using RADIUS and the Filter-Id attribute (that other bits of Meraki kit use) but alas it ignored it. We really need Filter-Id RADIUS support as well.

Kind of a big deal

Re: Feature Request: Apply group policies to Client VPN

@PhilipDAth I'm not saying it's a great fix. But it is an option today which is better than no option at all. 

MRCUR | CMNO #12
Here to help

Re: Feature Request: Apply group policies to Client VPN

Where are we on this? I wanted to move from the ASA to this device, I can't because I can't restrict them.  I can't believe this isn't a feature at this point.

Meraki Employee

Re: Feature Request: Apply group policies to Client VPN

Hey guys,

 

Have you tried creating the clients via MAC address and applying the policy prior to the client creation?

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Pre-configure_Network_Policy_f...

 

Thanks!

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Kind of a big deal

Re: Feature Request: Apply group policies to Client VPN

How do you find the MAC address for a VPN client?

Meraki Employee

Re: Feature Request: Apply group policies to Client VPN

Hey @PhilipDAth,

I would expect to have to request it from the client itself (e.g., ipconfig). The only thing I haven't tried is if the MX is going to recognise it, as it normally reports the VPN clients from an IP perspective rather than a MAC (which I assume is what you were getting at).

 

It would be interesting to try it out.

 

Cheers!

 

Giacomo

Meraki Employee

Re: Feature Request: Apply group policies to Client VPN

Hi @MillerJ

There is no workaround to apply different Group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it's a valid request, and using the Make a wish section will help our product and engineering teams to consider these new enhancements.

Here to help

Re: Feature Request: Apply group policies to Client VPN

Done!
Here to help

Re: Feature Request: Apply group policies to Client VPN

We desperately need this feature too. We have a situation where a client has asked us to block access to company email (Office 365) for all employees after hours. They use a range of devices both internally and externally to access their email. Neither Microsoft nor any other third party vendors (I've asked Okta, Duo, Jumpcloud, Onelogin etc) offer any kind of schedule-based access. The best shot I have (had??) at a solution is to require all Office 365 traffic to originate from the corporate IP address. In order to accomplish this we would require all devices to VPN into the corporate network first in order to access email. From there we could implement a Group Policy with a schedule and URL blocking and apply it to all clients, except that Meraki DOESN'T SUPPORT GROUP POLICY FOR CLIENT VPN!!!! C'mon guys, you have a shot here at being frikkin heroes. Yes, I've submitted a request via the Make A Wish button too.

Kind of a big deal

Re: Feature Request: Apply group policies to Client VPN

You could try using the Office 365 API (known as the Graph API).  It looks like you could use the "Update User" method, and either set accountEnabled to true (at beginning of the day) or false (at the end of the day).

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_update

 

Then schedule a script in the morning to enable accounts and in the evening to disable accounts.

 

 

If you are using the DirSync connector you could also just set the attribute in Active Directory morning and night and let it replicate.
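
The morning/evening toggle suggested in the post above, as an added example that is not part of the original post or anyone's production script: it decides from the clock whether accounts should be enabled and builds the Graph "Update user" PATCH for each one. The business hours, user names, exempt account and token placeholder are assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, time

# v1.0 "Update user" endpoint; the post above links the beta reference for the same call.
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Assumed business hours (not from the thread): Monday-Friday, 08:00-18:00 local time.
OPEN, CLOSE = time(8, 0), time(18, 0)

def should_be_enabled(now):
    """True inside the assumed business hours, False after hours and at weekends."""
    return now.weekday() < 5 and OPEN <= now.time() < CLOSE

def build_update(user_id, enabled, token):
    """Build PATCH /users/{id} with {"accountEnabled": <bool>} (request is not sent here)."""
    return urllib.request.Request(
        f"{GRAPH_USERS}/{urllib.parse.quote(user_id)}",
        data=json.dumps({"accountEnabled": enabled}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

def plan(users, exempt, now, token):
    """One request per user, skipping exempt accounts (e.g. emergency admin logins)."""
    enabled = should_be_enabled(now)
    return [build_update(u, enabled, token) for u in users if u not in exempt]

def apply(requests):
    """Send the planned requests; Graph answers a successful update with 204 No Content."""
    failed = []
    for req in requests:
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                if resp.status != 204:
                    failed.append((req.full_url, resp.status))
        except OSError as exc:  # URLError/HTTPError are OSError subclasses
            failed.append((req.full_url, str(exc)))
    return failed

if __name__ == "__main__":
    # Constructed sample data; a real run would call apply() with a real token.
    users = ["alice@example.com", "bob@example.com", "breakglass@example.com"]
    for req in plan(users, {"breakglass@example.com"}, datetime.now(), "TOKEN_PLACEHOLDER"):
        print(req.get_method(), req.full_url, req.data.decode())
```

Disabling an account blocks new sign-ins, but access tokens already issued can stay valid until they expire, so the cutoff is not instantaneous.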

Here to help

Re: Feature Request: Apply group policies to Client VPN

Where are we with this ticket @meraki_ -- any solutions? I have pushed a wish in the dashboard... we need to give different VPN users different access - if we can apply group policies to client VPN users, our problem is solved - but now everyone sees everything. That's very unsafe!!
