Meraki

Community

Integrating Okta with Meraki VPN – Restrict VPN Access to Active Okta Users Only

Roey1984
Building a reputation
‎Mar 25 2025 5:32 AM
‎Mar 25 2025 5:32 AM

Integrating Okta with Meraki VPN – Restrict VPN Access to Active Okta Users Only

Hi everyone,

Our company uses Cisco Meraki MX, MR, and MS devices, and we rely on Okta as our Identity Provider (IdP).

We currently use the built-in Client VPN feature in Meraki Dashboard (not AnyConnect), and from time to time, users request VPN access to connect remotely to their office machines.

We’re looking to understand if it’s possible to:

👉 Restrict Client VPN access only to users who have an active Okta account.

Specifically, we’d love help with the following:

  • Can the Meraki Client VPN be integrated with Okta, directly or indirectly?

  • Is there a way to use RADIUS or another method to connect Meraki’s Client VPN authentication with Okta?

  • What’s the recommended way to enforce that only currently active Okta users can authenticate to the VPN?

  • We’d prefer to avoid managing separate VPN user credentials, and instead rely on Okta’s authentication (ideally with MFA too).

  • If a user is deactivated in Okta, we want their VPN access to stop working automatically.

If anyone has implemented something similar or has guidance on best practices, we’d really appreciate your insights.

Thanks!

Labels:
0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
‎Mar 25 2025 5:36 AM
‎Mar 25 2025 5:36 AM

Meraki's Client VPN does not natively support direct integration with Okta, but, you can achieve this integration indirectly using RADIUS.

 

Okta RADIUS Integrations | Okta Classic Engine

Client VPN Overview - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
‎Mar 25 2025 5:40 AM
‎Mar 25 2025 5:40 AM

Another option is to use AnyConnect VPN Okta SAML.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication/AnyConn...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
‎Mar 25 2025 5:43 AM
‎Mar 25 2025 5:43 AM

You will need Apex licensing.
alemabrahao_0-1742906583929.png

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Licensing_o...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Roey1984
Building a reputation
‎Mar 25 2025 6:00 AM
‎Mar 25 2025 6:00 AM

I noticed that I need a license indeed, which we dont have.

I need to check the pricing and if its worth investing in it, since we dont have production in house, and the only usage of this VPN would be to grant user access to their machine.

 

I`ll check the Radius option, but it would also apply to the connectivity of the users to the MR (WIFI) which we dont want.

we only want to grant \ deny access to the VPN aspect based on Okta membership

Roey1984_0-1742907503341.png

 

0 Kudos
In response to Roey1984
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 25 2025 10:42 AM
‎Mar 25 2025 10:42 AM

@Roey1984 , if it is any consolation, I do a lot of client VPN deployments, and 99% of them are using SAML these days.  It is just better.

You would certainly be using SAML if you were modernizing your VPN or starting from greenfields.  This would be just bringing you back into industry accepted best practice.

0 Kudos
In response to PhilipDAth
Roey1984
Building a reputation
‎Mar 26 2025 5:30 AM
‎Mar 26 2025 5:30 AM

Hey Philip

Thank you for responding!

Regarding the SAML, how do you achieve that? using RADIUS? 

Cisco Meraki Client VPN does not natively support SAML...

any tips would be helpful 🙂 

0 Kudos
In response to Roey1984
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 26 2025 11:30 AM
‎Mar 26 2025 11:30 AM

RADIUS is a protocol.  SAML is a protocol.  They are different protocols.  You use SAML with a SAML provider, like Okta.  AnyConnect supports SAML.  Windows client VPN does not support SAML.

 

Everyone is using AnyConnect+SAML these days.

0 Kudos
In response to PhilipDAth
Roey1984
Building a reputation
‎Mar 27 2025 1:17 AM
‎Mar 27 2025 1:17 AM

thank you Philip!

Now i understand.

So i would be needing to confgiure any RADIUS if i plan to use the SAML with okta, that is good!

I would need to upgrade our license to use AnyConnect if that is the case

thank you again!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.