Meraki MX Secure Client VPN - restrict to one user to one IP?

grebyn86
Here to help

We have a Meraki MX95 that allows employees to connect in using Secure Client VPN. We are authenticating via SAML to Microsoft Azure Entra ID.


We are going to add some vendor systems behind a vendor-provided router/firewall. I don't know the make/model of the vendor router/firewall yet. But the general idea is: we're going to give the vendor one IP on our network for the router/firewall, their hardware will be walled off from our systems, and we provide them connectivity to the router/firewall's IP. How can I restrict one Secure Client VPN user to one IP address?

4 Replies
alemabrahao
Kind of a big deal

I believe you can do this via Group Policy.


https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Client...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
grebyn86
Here to help

@alemabrahao 

Is it possible to do Group Policy in this instance without a RADIUS server? Skimming that article, it says under Group Policies with RADIUS Filter-ID, "this option is only configurable if you are authenticating with a RADIUS server." We're authenticating via SAML to Microsoft Azure Entra ID.

alemabrahao
Kind of a big deal

It definitely is, but you would have to apply the Group Policy manually to each client.


https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Operate_and_Maintain/H...

GIdenJoe
Kind of a big deal

Yes, there are some posts on this community where Philip explains how you can use SAML attribute claims to add a SAML attribute named "vpnpolicy" which then contains the string that matches the name of a Meraki group policy.

You will however need to have Meraki support enable the Client VPN SAML group policy feature.

Please refer here: https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/137691
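Added example, not from any post in this thread and not Meraki's own code: it builds the kind of group policy the replies above point at (allow only the vendor router/firewall IP, deny everything else), checks the rule set with a first-match evaluator before anything is pushed to Dashboard, and shows the "vpnpolicy" SAML claim being matched to a group policy by name. The JSON shape is assumed to follow the Meraki Dashboard API group-policy schema (`firewallAndTrafficShaping.l3FirewallRules` with `policy`, `protocol`, `destPort`, `destCidr` fields) and should be verified against the API reference for your Dashboard version; the vendor IP 10.20.30.40, the policy name "vendor-vpn" and the claim values are constructed sample data.

```python
"""
Group policy that confines one Client VPN user to a single destination IP,
with a local first-match evaluator to sanity-check the rules.

Assumption: the dict layout mirrors the Meraki Dashboard API group-policy
body as understood by the author of this example; confirm field names
against your Dashboard's API reference before posting it.
"""
import ipaddress
import json
from typing import Optional

# Constructed placeholder for the one IP the vendor router/firewall gets on our network.
VENDOR_ROUTER_IP = "10.20.30.40"


def build_vendor_group_policy(name: str, vendor_ip: str) -> dict:
    """Return a group-policy body: allow traffic to vendor_ip only, deny all else."""
    host = ipaddress.ip_address(vendor_ip)  # raises ValueError on a malformed address
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [
                {"comment": "vendor router/firewall only", "policy": "allow",
                 "protocol": "any", "destPort": "any", "destCidr": f"{host}/32"},
                {"comment": "block everything else", "policy": "deny",
                 "protocol": "any", "destPort": "any", "destCidr": "any"},
            ],
        },
    }


def evaluate_l3(rules: list, dest_ip: str, protocol: str = "tcp") -> str:
    """First-match evaluation of L3 rules.

    Returns "allow" or "deny". If nothing matches, the result is "allow",
    mirroring the implicit allow-any rule at the end of a group policy, which
    is why an explicit deny-any rule is needed to confine the user.
    """
    dest = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        cidr = rule["destCidr"]
        if cidr == "any" or dest in ipaddress.ip_network(cidr, strict=False):
            return rule["policy"]
    return "allow"


def select_policy(saml_claims: dict, policies: dict) -> Optional[dict]:
    """Pick the group policy whose name equals the 'vpnpolicy' SAML claim.

    This mirrors the matching described in the thread: the claim value must be
    the exact group policy name. No claim, or no policy of that name, yields None.
    """
    wanted = saml_claims.get("vpnpolicy")
    return policies.get(wanted) if wanted else None


def main() -> None:
    policy = build_vendor_group_policy("vendor-vpn", VENDOR_ROUTER_IP)
    rules = policy["firewallAndTrafficShaping"]["l3FirewallRules"]
    print(json.dumps(policy, indent=2))
    for dst in (VENDOR_ROUTER_IP, "10.20.30.41", "192.168.1.5"):
        print(f"{dst:>14} -> {evaluate_l3(rules, dst)}")
    # Constructed claims as they might arrive from Entra ID after SAML authentication.
    chosen = select_policy({"vpnpolicy": "vendor-vpn"}, {"vendor-vpn": policy})
    print("policy for claim:", chosen["name"] if chosen else None)


if __name__ == "__main__":
    main()
```

Run it once before creating the policy in Dashboard: the evaluator should report "allow" only for the vendor IP and "deny" for every other destination, and an empty or mismatched claim should select no policy, which is the case to watch since the user would then fall back to whatever the default Client VPN access allows.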
