I want to restrict 1 VPN user to 2 IP addresses. How can I do this?
We replaced our Cisco ASA with an MX provided & supported by our ISP, for multiple reasons. The ASA had 1 VPN account for our HVAC vendor that was restricted to 2 IP addresses. Now I can't seem to get anyone at our ISP to even acknowledge my requests to do this, basically telling me it's my problem and to restrict them through Active Directory permissions. We are authenticating the VPN with AD, however these 2 IP addresses are PLCs and do not talk Active Directory. Mostly pleased with the MX, but not very happy that I have to tell the HVAC people they're out of luck. No way am I giving them full network access. Any ideas?
Another solution. If you use the Cisco AnyConnect client (I'm assuming you are using the Meraki VPN client built into Windows at the moment), and you authenticate to AD using RADIUS (NPS can do this on Windows Server), then you can have NPS send the Filter-Id attribute to dynamically restrict users.
Do other users also use client VPN? If so, the above approach probably won't work (it affects all client VPN users).
What you can do though is create a group policy (perhaps called client-vpn-hvac). In that add the firewall rules to say what they can access (don't forget to put a deny all at the end). Then go to the Network-Wide/Clients list, and find their VPN connection (add in the username column if you haven't got it already turned on). Then assign the group policy to that connection. It will stick for all future connections as well.
Then the restriction will only apply to that one VPN user.
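To make the "allow the two PLCs, then deny all" rule set concrete, here is an added example (my own code, not from the original poster, the answerer, or Cisco Meraki) that builds the L3 firewall rule list for such a group policy, evaluates a destination against it first-match style, and flags the common mistake of leaving off the trailing deny. The PLC addresses and policy name are constructed placeholders, and the payload field names (`firewallAndTrafficShaping`, `l3FirewallRules`, `destCidr`, etc.) are my assumption of the Meraki Dashboard API group-policy shape; confirm them against the API documentation before pushing anything.

```python
import ipaddress
from typing import Dict, List

# Constructed placeholder addresses for the two PLCs (not from the original post).
PLC_HOSTS = ["10.20.30.11", "10.20.30.12"]

# Meraki group-policy firewall rules are evaluated top to bottom; if nothing
# matches, the effective default is "allow" (assumption, and the reason the
# answer above insists on an explicit deny-all at the end).
DEFAULT_POLICY = "allow"


def build_hvac_rules(plc_hosts: List[str], trailing_deny: bool = True) -> List[Dict]:
    """One allow rule per PLC host (/32), optionally followed by deny any/any."""
    rules = []
    for host in plc_hosts:
        ipaddress.ip_address(host)  # raises if the placeholder is not a valid IP
        rules.append({
            "comment": f"HVAC vendor to PLC {host}",
            "policy": "allow",
            "protocol": "any",
            "srcCidr": "Any",
            "destCidr": f"{host}/32",
            "destPort": "Any",
        })
    if trailing_deny:
        rules.append({
            "comment": "Deny everything else",
            "policy": "deny",
            "protocol": "any",
            "srcCidr": "Any",
            "destCidr": "Any",
            "destPort": "Any",
        })
    return rules


def build_group_policy_payload(name: str, rules: List[Dict]) -> Dict:
    """Payload shape assumed for the Dashboard API group-policy object (hypothetical field names)."""
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": rules,
        },
    }


def _cidr_matches(cidr: str, ip: str) -> bool:
    if cidr.strip().lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules: List[Dict], dest_ip: str) -> str:
    """Return the policy of the first rule whose destCidr covers dest_ip, else the default."""
    for rule in rules:
        if _cidr_matches(rule["destCidr"], dest_ip):
            return rule["policy"]
    return DEFAULT_POLICY


def missing_trailing_deny(rules: List[Dict]) -> bool:
    """True when the last rule is not a deny any/any, i.e. the default allow still applies."""
    if not rules:
        return True
    last = rules[-1]
    return not (last["policy"] == "deny"
                and last["destCidr"].lower() == "any"
                and last["srcCidr"].lower() == "any")


if __name__ == "__main__":
    good = build_hvac_rules(PLC_HOSTS)
    print(build_group_policy_payload("client-vpn-hvac", good))
    print("PLC reachable:", first_match(good, "10.20.30.11"))
    print("File server reachable:", first_match(good, "10.20.40.5"))
    bad = build_hvac_rules(PLC_HOSTS, trailing_deny=False)
    print("Forgot deny-all, file server reachable:", first_match(bad, "10.20.40.5"))
    print("Needs trailing deny:", missing_trailing_deny(bad))
```

Running it shows the point of the answer's parenthetical: with the deny-all present, only the two PLC addresses are reachable; drop it and every other internal host falls through to the default allow, which `missing_trailing_deny` is there to catch before the policy is assigned to the vendor's VPN connection.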