MX64W VPN Connection with 2 Factor Authentification

SOLVED
jfelix
Comes here often

MX64W VPN Connection with 2 Factor Authentification

Hi All,

 

In our company we have a requirement directly related about the VPN functionality.

 

We require a VPN connection when one employee or more are out of the office and needs to access to the local resources, using an username and password (in the VPN Client), that credentials needs to be the same as added in the Active Directory. Also to complete the logIN action, the device needs to activate a two factor authentification, using a token RSA or Duo Mobile or other third party application. In total the number of employees are 15.

 

Considering that, the device Cisco Meraki MX64W can accomplish that ?

 

Thanks for quick response, 

Joel

 

 

 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Yes, you could use either an MX64W, or my preference, an MR64 with an MR33.  The standalone access points are much better - but there is an extra cost.

 

You would need to deploy the NPS server on your existing server.  You would then need to deploy the DUO proxy on the same server. It's going to be complicated, because NPS and DUO will want to use the same ports, so you are going to have to re-configure one of them to use non-standard ports.

https://duo.com/docs/authproxy_reference

 

If you haven't done this before and are not familiar with RADIUS then I would get someone in to help you.

View solution in original post

14 REPLIES 14
BrandonS
Kind of a big deal

I have not done it myself, but my understanding is yes, with third party tools and some limitations: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication#Usin...

- Ex community all-star (⌐⊙_⊙)
jfelix
Comes here often

Ok great!, we proceed to read that documentation. The situation here is to use the Active Directory credentials and the 2FA auth for the logIN action

PhilipDAth
Kind of a big deal
Kind of a big deal

You can use it using Duo and the RADIUS proxy server (which you'll need to deploy on premise).  We have tested it using push notification and it works great.

https://duo.com/docs/radius

Ok I see @PhilipDAth, but only as a confirmation that operating mode was implemented in your side in the Cisco Meraki MX64W device¿ or in wich device¿

 

Thanks for your response,

 

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm confused by your question.  You configure the MX64 to use RADIUS authentication for VPN users.  You point that at the DUO RADIUS proxy (which then points to NPS in Windows).

Thank you @PhilipDAth, for your response. Please help too with the next question.

 

In summary what hardware/software we need to implement the VPN solution¿.

 

I have only a server with Windows Server 2012 with the Active Directory service. The users are connected to a one TP-LINK switch. We do not have any type of firewalls/switches/access point CISCO, only we have the default modem-router provided by ISP.

 

An apology for so much questions here.

 

Thanks,

Joel

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

How does the MX64W fit into the picture then?

One CISCO partner suggest to me to buy that model, but I'm not sure if our requirements will be solved by that device. Can you confirm that? considering your previous observations (RADIUS Server and DUO app).

 

Thanks,

Joel

PhilipDAth
Kind of a big deal
Kind of a big deal

How many users do you have?

15 users.

PhilipDAth
Kind of a big deal
Kind of a big deal

Yes, you could use either an MX64W, or my preference, an MR64 with an MR33.  The standalone access points are much better - but there is an extra cost.

 

You would need to deploy the NPS server on your existing server.  You would then need to deploy the DUO proxy on the same server. It's going to be complicated, because NPS and DUO will want to use the same ports, so you are going to have to re-configure one of them to use non-standard ports.

https://duo.com/docs/authproxy_reference

 

If you haven't done this before and are not familiar with RADIUS then I would get someone in to help you.

Thanks for your help @PhilipDAth please consider this thread closed.

 

Have a great day!

is there any opensource that is acting as radius proxy similar to duo which can be used for 2fa??

Fady
Meraki Employee
Meraki Employee

Hi jfelix

 

I have created a short video to show the integration between DUO and MX in case you still looking for the solution.

https://www.youtube.com/watch?v=0kmNsun48Wc&t=20s

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels