Meraki

Community

Meraki VPN Client - Azure MFA

Solved
nikma
Here to help
‎May 24 2019 1:53 AM
‎May 24 2019 1:53 AM

Meraki VPN Client - Azure MFA

Hi,

 

I am very new to meraki and I dont have experience with these products but I hope I am on the right place to get some help. We need to implement VPN client for our users with meraki firewalls and implement also 2FA with azure. We have this competence to do this, but we are lacking on the meraki competence. Is there anyone who can guide me to achieve this?

 

BR Nikma

0 Kudos
1 Accepted Solution
In response to nikma
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 26 2019 11:51 PM
‎May 26 2019 11:51 PM

2. Yes

 

Everything else is correct.

View solution in original post

0 Kudos
10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 24 2019 2:06 AM
‎May 24 2019 2:06 AM

You need to deploy NPS with the MFA plugin. 

In response to PhilipDAth
nikma
Here to help
‎May 24 2019 2:13 AM
‎May 24 2019 2:13 AM

Hi,

 

Thank you Philip for your response! So we enable Client VPN on the meraki dashboard, we choose an IP range under Client VPN Subnet (does this mean that this is the range that the client will be assigned IP addresses from?). We specify then the dns server which will be used, the secret and the authentication method which in our case will be Radius! The radius server will be a NPS server and the Azure MFA extension will be installed on this server!

 

Do I have a good framework from which to start?

 

BR Nikma

0 Kudos
In response to nikma
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 24 2019 11:48 AM
‎May 24 2019 11:48 AM

That is exactly right.

 

I would describe Azure MFA as only "just" capable of such configurations.  The debugging is poor to non-existant.  There are few configurable options.  But it does work.

0 Kudos
In response to PhilipDAth
nikma
Here to help
‎May 26 2019 11:25 PM
‎May 26 2019 11:25 PM

All right Philip! We will investigate further regarding the MFA solution but as for now we have decided to use Azure MFA!

 

What do you think about the configuration on the meraki itself! Do we have anything else to do beside these points down:

 

1. We enable Client VPN on the meraki dashboard,

2. We choose an IP range under Client VPN Subnet (does this mean that this is the range that the client will be assigned IP addresses from?),

3. We specify then the dns server which will be used, t

4. We specify the secret and the authentication method which in our case will be Radius! The radius server will be a NPS server and the Azure MFA extension will be installed on this server!

 

And in the end we probably should create a policy to accept this kind of traffic inside the coorporate network!

In response to nikma
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 26 2019 11:51 PM
‎May 26 2019 11:51 PM

2. Yes

 

Everything else is correct.

0 Kudos
In response to PhilipDAth
nikma
Here to help
‎May 26 2019 11:52 PM
‎May 26 2019 11:52 PM

Thank you Philip! I appreciate your help really 🙂

0 Kudos
In response to nikma
RichardChen1
Getting noticed
‎May 5 2020 6:02 PM
‎May 5 2020 6:02 PM

Hi @nikma @PhilipDAth ,

 

I have a similar request here. Our client prefers Azure MFA over DUO.

 

I managed to find the guide to setup Azure MFA

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

 

Could you please let me know where to find the hands-on guide +NPS setup?

0 Kudos
kevUK
Here to help
‎Dec 9 2021 7:45 AM
‎Dec 9 2021 7:45 AM

Just out of Curiosity I have a couple of questions about this. When a user initiates a connection to the client VPN, do they just get a Microsoft authentication box appear? The second question is about the few Windows 7 laptops that are still in use (for now). Does this work with those?

0 Kudos
In response to kevUK
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 9 2021 10:56 AM
‎Dec 9 2021 10:56 AM

It uses the Windows client VPN built into Windows.  So you get the normal Windows username/password prompt.  The user then gets a push notification to their device to approve or reject the connection.

 

The user does not get the Office 365 authentication box.

kevUK
Here to help
‎Dec 9 2021 11:01 AM
‎Dec 9 2021 11:01 AM

Fantastic. Thanks so much for the prompt reply

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.