MX84, Client VPN and who's who

Solved
lmorel
Getting noticed

MX84, Client VPN and who's who

We have a MX84. Running 15.26 at the moment. It is also enabled for Client VPN service, AD and RADIUS, all implemented by using Meraki documentation off their website. It's working, except for the occasional broken UI in Windows 10 (showing as "Connecting...." but doesn't connect) when a user try to connect via VPN and we end up opening the VPN full menu in Action Center and connect fine from there. It is what it is and hoping for AnyConnect support soon (May 2020 from what I've read on another post around here???)

 

With that said, I am trying to verify who's who when my user connect via Client VPN. I know RADIUS is in place and works as designed, but if for some reasons the preshared key is stolen/compromised for that VPN profile AND one of my users credentials are compromised as well, anyone can recreate this VPN connection and get into our network. It might be a lot of "if"s for some and unacceptable for others. What would you do? I looked into Duo and I am supposed to have a conf call with them tomorrow. I looked at Okta (combined with ScaleFT ?), SaaSPass, etc. So I know I could use MFA. We only use Office 365 E3 as "other online services". I could use MFA there for "free" and spend a little bit of money with Duo for the client VPN. Or is there another way to approach this? What if I can find a way to make my device a zero trust device. Meaning I would have a way to trust my device and not even bother my users with MFA challenge? We had stolen laptops before and users report them stolen ASAP. I can see that could be a problem but "hoping" the users wouldn't put their password on a post-it with that stolen password. I know, wishful thinking. But in the end, what to do. Why not MFA with Duo, you ask? Because some of my users are just not there (I know they should). So I am trying really hard to design a system where I would rely on zero trust (so I trust my joined AD devices) as a condition, the user AD credentials, the client VPN with preshared secret, RADIUS and my MX84. 

 

Correct me if I'm wrong, the RADIUS setup for Meraki Client VPN is to control a group of users in AD who will be permitted to use/connect to the corporate group, but not to control what PC will be accessing that same corporate network?

 

I also saw a post around here from @Nash and his excellent script. What caught my eye was "Prevent Windows from authenticating to network resources with the VPN credential.". I guess that's super important based on what I am discussing here and trying to get a better grip on security.

 

I can use my VPN profile and quickly set up an android phone that has no relationship whatsoever with my AD and corporate network, yet it connects just fine. Or use a freshly loaded Windows 10 laptop, NOT part of AD, just WORKGROUP and also connects just fine. Meaning they are passed my firewall and possible chaos would ensue.

 

I am also trying out the Enterprise Mobility + Security E3 (https://www.microsoft.com/en-us/licensing/product-licensing/enterprise-mobility-security) and I have an Intune Connector for Active Directory configured on one of my server for on-premise AD.

 

I apologize for the long and possibly confusing post. I am poking around and just trying to make sense out of all of this. I think I would be happy if I could have my system verify the device trying to connect to my VPN is actually allowed to do so and bounced if it's not one of my devices. Or MFA it has to be....

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

>would that change things a bit for my risk profile and how to approach this

 

It's hard to say for a product that is not released.  We are expecting the AnyConnect support to be IKEv2 only (rather than TLS).  More than likely it wont support AnyConnect's rich array of features.

 

I would say you are going to end up using something like Duo.

View solution in original post

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal

>showing as "Connecting...." but doesn't connec

 

Create a shortcut to rasphone.exe on the users desktop.  It works everytime.

 

>would rely on zero trus

 

You have no choice but to go to MFA, such as Duo.  You are on the right direction.

Based on your risk profile, you should install Duo onto the actual workstations as well for "Windows Logon", so they need MFA to log into the computers.

https://duo.com/docs/rdp 

 

>from @Nash and his excellent script.

 

Her.

lmorel
Getting noticed

@PhilipDAth Thank you very much! Since I am not in a hurry and provided there will be some new development regarding AnyConnect around may 2020 (I know, I know...), would that change things a bit for my risk profile and how to approach this? Meaning, should I wait and rethink as far as access control goes (zero trust and still using my MX84 for VPN client access)?

 

@Nash I would like to apologize, that was rude of me to make assumptions. Thank you @PhilipDAth for correcting me.

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

>would that change things a bit for my risk profile and how to approach this

 

It's hard to say for a product that is not released.  We are expecting the AnyConnect support to be IKEv2 only (rather than TLS).  More than likely it wont support AnyConnect's rich array of features.

 

I would say you are going to end up using something like Duo.

lmorel
Getting noticed

Out of curiosity, and not saying AlwaysOnVPN is on the table yet, but should I be considering this as another option and move in a different direction/approach?

 

Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device? (as opposed to just use the Windows Groups as a condition). I know, wishful thinking.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device?

 

It is not an issue on the Meraki side.

 

The Microsoft VPN client (L2TP over IPSec) uses PAP for authentication, and does not pass the name of the machine where the authentication is happening.

You need Microsoft to change their client to send this information.

 

lmorel
Getting noticed

Thank you very much @PhilipDAth 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels