cancel
Showing results for 
Search instead for 
Did you mean: 

MX64W VPN Connection with 2 Factor Authentification

SOLVED
Comes here often

MX64W VPN Connection with 2 Factor Authentification

Hi All,

 

In our company we have a requirement directly related about the VPN functionality.

 

We require a VPN connection when one employee or more are out of the office and needs to access to the local resources, using an username and password (in the VPN Client), that credentials needs to be the same as added in the Active Directory. Also to complete the logIN action, the device needs to activate a two factor authentification, using a token RSA or Duo Mobile or other third party application. In total the number of employees are 15.

 

Considering that, the device Cisco Meraki MX64W can accomplish that ?

 

Thanks for quick response, 

Joel

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

Yes, you could use either an MX64W, or my preference, an MR64 with an MR33.  The standalone access points are much better - but there is an extra cost.

 

You would need to deploy the NPS server on your existing server.  You would then need to deploy the DUO proxy on the same server. It's going to be complicated, because NPS and DUO will want to use the same ports, so you are going to have to re-configure one of them to use non-standard ports.

https://duo.com/docs/authproxy_reference

 

If you haven't done this before and are not familiar with RADIUS then I would get someone in to help you.

12 REPLIES 12
Head in the Cloud

Re: MX64W VPN Connection with 2 Factor Authentification

I have not done it myself, but my understanding is yes, with third party tools and some limitations: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication#Usin...

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

Ok great!, we proceed to read that documentation. The situation here is to use the Active Directory credentials and the 2FA auth for the logIN action

Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

You can use it using Duo and the RADIUS proxy server (which you'll need to deploy on premise).  We have tested it using push notification and it works great.

https://duo.com/docs/radius

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

Ok I see @PhilipDAth, but only as a confirmation that operating mode was implemented in your side in the Cisco Meraki MX64W device¿ or in wich device¿

 

Thanks for your response,

 

Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

I'm confused by your question.  You configure the MX64 to use RADIUS authentication for VPN users.  You point that at the DUO RADIUS proxy (which then points to NPS in Windows).

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

Thank you @PhilipDAth, for your response. Please help too with the next question.

 

In summary what hardware/software we need to implement the VPN solution¿.

 

I have only a server with Windows Server 2012 with the Active Directory service. The users are connected to a one TP-LINK switch. We do not have any type of firewalls/switches/access point CISCO, only we have the default modem-router provided by ISP.

 

An apology for so much questions here.

 

Thanks,

Joel

 

 

Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

How does the MX64W fit into the picture then?

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

One CISCO partner suggest to me to buy that model, but I'm not sure if our requirements will be solved by that device. Can you confirm that? considering your previous observations (RADIUS Server and DUO app).

 

Thanks,

Joel

Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

How many users do you have?

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

15 users.

Kind of a big deal

Re: MX64W VPN Connection with 2 Factor Authentification

Yes, you could use either an MX64W, or my preference, an MR64 with an MR33.  The standalone access points are much better - but there is an extra cost.

 

You would need to deploy the NPS server on your existing server.  You would then need to deploy the DUO proxy on the same server. It's going to be complicated, because NPS and DUO will want to use the same ports, so you are going to have to re-configure one of them to use non-standard ports.

https://duo.com/docs/authproxy_reference

 

If you haven't done this before and are not familiar with RADIUS then I would get someone in to help you.

Comes here often

Re: MX64W VPN Connection with 2 Factor Authentification

Thanks for your help @PhilipDAth please consider this thread closed.

 

Have a great day!

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.