Meraki Client VPN with DUO MFA Caveat

Getting noticed

Meraki Client VPN with DUO MFA Caveat


I thought I would post this here, and I will cross post on DUO as well in hopes it will save someone some grief.
Background - Client using Meraki Client VPN with DUO, works fine. Client wants to add a new VLAN/Subnet then all of a sudden DUO stops authentication with the new Subnet "IN VPN". If you don't add the new VLAN/Subnet into the VPN it works fine.

Called Meraki support and asked if the IP address (source to Auth Proxy) would change by adding a new VLAN; the answer was no the IP should stay the same.

Took a sniffer trace with and without the new VLAN and found the IP address of the Meraki did change, so we had to add it to the allowed sources in the Auth Proxy config. Then it worked.

Verified with Meraki  (for some unknown reason) that it takes the highest VLAN numbers' IP address as the the SVI for the Meraki Client causing the source IP address of the Auth request to come from the higher IP address.

I hope this makes sense, if not let me know.

1 Reply 1
Kind of a big deal
Kind of a big deal

Hi @Stealth_Network , thanks for the heads up. Always useful when someone else hits an issue before you do in a deployment

Darren OConnor |

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.