MFA with VPN with no 3rd party paid solution?

CarlosCoque
Here to help

Hi Everyone,

We currently use Meraki VPN to allow remote users to access the company's internal network.

Our VPN users are created directly in Meraki, which means there is no interconnection with MS Active Directory in regards to that.

They basically click on the VPN connection, enter their username and password from Meraki, and proceed with the connection.

Some users automated that process using a batch file with RASDIAL command and their credentials.

Once connected, users can access the company's shared drives normally.

We're trying to improve security and wanted to add MFA to that access, so users would need to use an OTP as well.

I've been researching on the internet and found only 3rd party paid solutions for that.

I was wondering if anyone was able to use MFA to Meraki's VPN at no extra cost.

That way, users would use a phone app like Google Authenticator to get the OTP code and do the login process with that.

Thanks,

Carlos

7 Replies
Brash
Kind of a big deal

Meraki client vpn doesn't natively support MFA.

You will need to use a 3rd party solution for auth, most if not all of which would be a paid solution in some way. 

https://documentation.meraki.com/General_Administration/Other_Topics/Two-Factor_Authentication#Using...

If your users have M365 licences, you could look at RADIUS auth to AD/AAD and using MFA built into AAD.

JamesC_AB
Here to help

As per Brash, you'd need to incorporate RADIUS into your VPN authentication if you want to utilise MFA on Meraki Client VPN. This means you'd also have to migrate your Meraki Cloud Authentication users to some other authentication back end.

I Googled and stumbled on this link which describes in detail a method that could be used "at no extra cost":
https://kb.hillstonenet.com/en/wp-content/uploads/2019/09/SSLVPN-Two-factor-Authentication-with-Goog...

However don't underestimate the cost of your time, and the risk cost associated with a solution that comes without support. That's why we pay for 3rd party paid solutions 😊

CarlosCoque
Here to help

That makes sense.

Which solution do you use for that?

Are you happy with the outcomes?

PhilipDAth
Kind of a big deal

I've done this a million times.

I'd recommend buying some Cisco AnyConnect licences (which are cheap IMHO) and changing over to using that.  Then enable SAML authentication against something like Office 365.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication 

CarlosCoque
Here to help

We're ongoing with our quest to improve security on our Meraki VPN access.

Based on the opinions on this thread, I ended up agreeing that we need a 3rd party solution in order to have 2FA for the VPN access.

The next step in our internal discussion would be to restrict the VPN connections based on the MAC address of the laptops the company provides the employees.

I was researching about that, but haven't found anything yet.

Does anyone know if that is possible?

PhilipDAth
Kind of a big deal

I don't know of anything that will restrict VPN access by MAC address, but you can restrict access to authorised devices.

I don't think this works "right now", but it shouldn't be far away.

You will have to use Cisco AnyConnect with SAML authentication against Duo.  At the moment, AnyConnect uses its internal web browser to process the authentication, but I believe this is being replaced by an external browser soon.

If you use Cisco AnyConnect, and SAML authentication against Cisco Duo, then you can use Duo Trust.

https://duo.com/product/device-trust 

With Duo Trust you can create rules to only allow trusted devices.  One of the trust requirements you can specify is that a device must be "healthy".

https://duo.com/docs/device-health 

One of the health requirements you can specify is that a machine must have a registered GUID in Duo (which is like MAC address but more secure).  If you do this, then you can say only registered machines can log in via VPN.

https://duo.com/docs/trusted-endpoints-generic-device-health 

If you only use the trusted devices it might even work now with the AnyConnect embedded browser - I don't know.  I haven't used it in such a limited scope.  But wider health policies, like requiring machines to have specific patches, be running antivirus, etc, will definitely need the AnyConnect external browser support.

You need to have a Duo Beyond plan to get the above features.

https://duo.com/editions-and-pricing 

PhilipDAth
Kind of a big deal

I just re-tested this, Cisco AnyConnect with SAML against DUO using a trusted device policy to only allow authorised devices to use VPN - and it worked!
