Meraki Client VPN w/ 2FA - Radius & Active Directory

viksep
Here to help


Hi everyone,

 

We have an MX64 and the Client VPN is set for authentication with Meraki cloud and the users set up.

 

I'm trying to set up 2FA via Duo Security but I have some questions:

 

1) I set up the DAP with the following config:

 

[radius_client]
host=X.X.X.X
secret=XXXXXXXXXXX

[radius_server_auto]
ikey=XXXXXXX
skey=XXXXXXXXXX
api_host=XXXXXXXXX
radius_ip_1=XXXXXXXX
radius_secret_1=XXXXXXXXX
client=radius_client
port=1812
failmode=safe

Am I missing configuration for Active Directory in order to authenticate? 

 

I've read this document regarding the RADIUS setup but I am confused when it comes to 'configuring RADIUS clients to use it for authentication'. Which client am I supposed to configure? I am a little confused 😕

 

https://duo.com/docs/radius

 

Currently, we have the Windows 10 VPN tool set up to the Client VPN endpoint and the only authentication is the stored username and password. I am not sure how to point this endpoint to the DAP.

 

Any help will be greatly appreciated.

 

2 Replies
ByronC
Meraki Employee

Hi Viksep,

 

While 2 factor authentication is possible with the Meraki Client VPN, it is not directly supported. As mentioned in our documentation,

 

"Client VPN does not natively support two-factor auth, a third-party solution is required for this configuration. As such, please refer to your two-factor auth solution's documentation for additional information and troubleshooting."

- https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication#Usin...

 

I will say, however, that Duo will not be compatible with Meraki Cloud Authentication. That option simply verifies the username and password stored in dashboard matches what is provided by the end user device. You will need to change the authentication type to RADIUS and add a RADIUS server IP that points to the DAP. That should get you on the right track.

 

If you need any additional assistance with troubleshooting, feel free to contact Meraki Support!

 

 

viksep
Here to help

Hi ByronC,

 

Thanks for your response.

 

I am indeed looking to authenticate via another method, RADIUS or Active Directory, not Meraki Cloud.

 

I've gone as far as setting up the DAP on a server within the network perimeter but I am unsure of the requirements, e.g. whether I still need a RADIUS server configured if I set the auth method to Active Directory and, if so, how I would go about proceeding with that setup.

 

Many thanks.
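
An added example, not written by anyone in this thread and not Duo's or Meraki's code: a Python check for an authproxy.cfg laid out like the one in the first post. It confirms that `client=` names a section that exists and holds its required keys, that each `radius_ip_N` has a shared secret, and it reports when `failmode=safe` would let a login through on the password alone. The `[ad_client]` key names (`host`, `search_dn`) are taken from Duo's Authentication Proxy reference rather than from this page, and every value in the sample is a constructed placeholder.

```python
import configparser
import re

# Constructed sample in the same layout as the posted config; every value is a placeholder.
SAMPLE_CFG = """\
[radius_client]
host=192.0.2.10
secret=upstream-secret-placeholder

[radius_server_auto]
ikey=IKEY-PLACEHOLDER
skey=SKEY-PLACEHOLDER
api_host=api-host.example.invalid
radius_ip_1=192.0.2.1
radius_secret_1=mx-secret-placeholder
client=radius_client
port=1812
failmode=safe
"""

# Keys a primary-authentication section needs before the proxy can check a password.
REQUIRED = {"ad_client": ("host", "search_dn"), "radius_client": ("host", "secret")}

def lint_authproxy(text):
    """Return findings for every [radius_server_auto*] section in an authproxy.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings = []
    for name in (s for s in cfg.sections() if s.startswith("radius_server_auto")):
        sec = cfg[name]
        client = sec.get("client", "")
        if not cfg.has_section(client):
            findings.append(f"{name}: client={client!r} has no matching [section]")
        else:
            kind = next((k for k in REQUIRED if client.startswith(k)), None)
            for key in REQUIRED.get(kind, ()):
                if key not in cfg[client]:
                    findings.append(f"[{client}]: missing {key}")
        # Every device allowed to send RADIUS requests (here, the MX) needs its own secret.
        ips = [k for k in sec if re.fullmatch(r"radius_ip_\d+", k)]
        if not ips:
            findings.append(f"{name}: no radius_ip_N entry, no device may connect")
        for ip_key in ips:
            if ip_key.replace("_ip_", "_secret_") not in sec:
                findings.append(f"{name}: {ip_key} has no matching radius_secret")
        # failmode=safe (the default) skips the second factor when Duo is unreachable.
        if sec.get("failmode", "safe").lower() == "safe":
            findings.append(f"{name}: failmode=safe fails open if Duo is unreachable")
    return findings
```

Calling `lint_authproxy(open("authproxy.cfg").read())` on the proxy host returns an empty list when none of these conditions apply.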
