MX84, Client VPN and who's who

Solved
lmorel
Getting noticed

We have an MX84, running 15.26 at the moment. It is also enabled for Client VPN service, AD and RADIUS, all implemented by using Meraki documentation off their website. It's working, except for the occasional broken UI in Windows 10 (showing as "Connecting...." but doesn't connect) when a user tries to connect via VPN, and we end up opening the full VPN menu in Action Center and connecting fine from there. It is what it is, and I'm hoping for AnyConnect support soon (May 2020 from what I've read on another post around here???)

With that said, I am trying to verify who's who when my users connect via Client VPN. I know RADIUS is in place and works as designed, but if for some reason the preshared key is stolen/compromised for that VPN profile AND one of my users' credentials is compromised as well, anyone can recreate this VPN connection and get into our network. It might be a lot of "if"s for some and unacceptable for others. What would you do? I looked into Duo and I am supposed to have a conf call with them tomorrow. I looked at Okta (combined with ScaleFT?), SaaSPass, etc. So I know I could use MFA. We only use Office 365 E3 as "other online services". I could use MFA there for "free" and spend a little bit of money with Duo for the client VPN. Or is there another way to approach this? What if I can find a way to make my device a zero trust device? Meaning I would have a way to trust my device and not even bother my users with an MFA challenge. We had stolen laptops before and users report them stolen ASAP. I can see that could be a problem, but I'm "hoping" the users wouldn't put their password on a post-it with that stolen laptop. I know, wishful thinking. But in the end, what to do? Why not MFA with Duo, you ask? Because some of my users are just not there (I know they should be). So I am trying really hard to design a system where I would rely on zero trust (so I trust my AD-joined devices) as a condition, the user AD credentials, the client VPN with preshared secret, RADIUS and my MX84.

Correct me if I'm wrong, the RADIUS setup for Meraki Client VPN is to control a group of users in AD who will be permitted to use/connect to the corporate group, but not to control what PC will be accessing that same corporate network?

I also saw a post around here from @Nash and his excellent script. What caught my eye was "Prevent Windows from authenticating to network resources with the VPN credential." I guess that's super important based on what I am discussing here and trying to get a better grip on security.

I can use my VPN profile and quickly set up an Android phone that has no relationship whatsoever with my AD and corporate network, yet it connects just fine. Or use a freshly loaded Windows 10 laptop, NOT part of AD, just WORKGROUP, and it also connects just fine. Meaning they are past my firewall and possible chaos would ensue.

I am also trying out Enterprise Mobility + Security E3 (https://www.microsoft.com/en-us/licensing/product-licensing/enterprise-mobility-security) and I have an Intune Connector for Active Directory configured on one of my servers for on-premises AD.

I apologize for the long and possibly confusing post. I am poking around and just trying to make sense out of all of this. I think I would be happy if I could have my system verify the device trying to connect to my VPN is actually allowed to do so and bounced if it's not one of my devices. Or MFA it has to be....

1 Accepted Solution
PhilipDAth
Kind of a big deal

>would that change things a bit for my risk profile and how to approach this

It's hard to say for a product that is not released. We are expecting the AnyConnect support to be IKEv2 only (rather than TLS). More than likely it won't support AnyConnect's rich array of features.

I would say you are going to end up using something like Duo.


6 Replies
PhilipDAth
Kind of a big deal

>showing as "Connecting...." but doesn't connec

Create a shortcut to rasphone.exe on the user's desktop. It works every time.

>would rely on zero trus

You have no choice but to go to MFA, such as Duo. You are heading in the right direction.

Based on your risk profile, you should install Duo onto the actual workstations as well for "Windows Logon", so they need MFA to log into the computers.

https://duo.com/docs/rdp 

>from @Nash and his excellent script.

Her.

@PhilipDAth Thank you very much! Since I am not in a hurry, and provided there will be some new development regarding AnyConnect around May 2020 (I know, I know...), would that change things a bit for my risk profile and how to approach this? Meaning, should I wait and rethink as far as access control goes (zero trust and still using my MX84 for VPN client access)?

@Nash I would like to apologize, that was rude of me to make assumptions. Thank you @PhilipDAth for correcting me.

Out of curiosity, and not saying AlwaysOnVPN is on the table yet, but should I be considering this as another option and move in a different direction/approach?

Or should I make a wish and ask Meraki to add support for Machine Groups under NPS, to add it as a condition to confirm any PC connecting via VPN is an authorized AD-joined device (as opposed to just using the Windows Groups as a condition)? I know, wishful thinking.

PhilipDAth
Kind of a big deal

>Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device?

It is not an issue on the Meraki side.

The Microsoft VPN client (L2TP over IPSec) uses PAP for authentication, and does not pass the name of the machine where the authentication is happening.

You need Microsoft to change their client to send this information.
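To make the point above concrete, here is an added example (not from this thread, Meraki or Microsoft) that builds and parses a constructed RFC 2865 Access-Request of the kind a PAP client produces: the only identity attribute is User-Name, the password is hidden with the section 5.2 MD5 chain that NPS reverses before checking it against AD, and no attribute names the computer, so a machine-group condition on the RADIUS server would have nothing to match. The shared secret, authenticator, user name and NAS address are constructed values.

```python
import hashlib
import struct

# RFC 2865 attribute type codes (real values) used by a PAP Access-Request.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
ACCESS_REQUEST = 1


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, authenticator, username, password, nas_ip):
    """Constructed Access-Request carrying only what a PAP client can send."""
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, authenticator, password)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (SERVICE_TYPE, struct.pack("!I", 2)),     # Framed
             (FRAMED_PROTOCOL, struct.pack("!I", 1))]  # PPP
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return (code, request authenticator, {type: value}) from a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, packet[4:20], attrs


def available_identity(packet, secret):
    """Everything a policy could condition on: a user identity, never a machine identity."""
    _code, auth, attrs = parse_attributes(packet)
    return {"user": attrs[USER_NAME].decode(),
            "password": reveal_password(secret, auth, attrs[USER_PASSWORD]),
            "machine": None,  # no attribute in the request names the computer
            "attribute_types": sorted(attrs)}
```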

Thank you very much @PhilipDAth 
