Meraki VPN Client - Azure MFA

Solved
nikma
Here to help

Meraki VPN Client - Azure MFA

Hi,

 

I am very new to meraki and I dont have experience with these products but I hope I am on the right place to get some help. We need to implement VPN client for our users with meraki firewalls and implement also 2FA with azure. We have this competence to do this, but we are lacking on the meraki competence. Is there anyone who can guide me to achieve this?

 

BR Nikma

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

2. Yes

 

Everything else is correct.

View solution in original post

10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal

You need to deploy NPS with the MFA plugin. 

nikma
Here to help

Hi,

 

Thank you Philip for your response! So we enable Client VPN on the meraki dashboard, we choose an IP range under Client VPN Subnet (does this mean that this is the range that the client will be assigned IP addresses from?). We specify then the dns server which will be used, the secret and the authentication method which in our case will be Radius! The radius server will be a NPS server and the Azure MFA extension will be installed on this server!

 

Do I have a good framework from which to start?

 

BR Nikma

PhilipDAth
Kind of a big deal
Kind of a big deal

That is exactly right.

 

I would describe Azure MFA as only "just" capable of such configurations.  The debugging is poor to non-existant.  There are few configurable options.  But it does work.

nikma
Here to help

All right Philip! We will investigate further regarding the MFA solution but as for now we have decided to use Azure MFA!

 

What do you think about the configuration on the meraki itself! Do we have anything else to do beside these points down:

 

1. We enable Client VPN on the meraki dashboard,

2. We choose an IP range under Client VPN Subnet (does this mean that this is the range that the client will be assigned IP addresses from?),

3. We specify then the dns server which will be used, t

4. We specify the secret and the authentication method which in our case will be Radius! The radius server will be a NPS server and the Azure MFA extension will be installed on this server!

 

And in the end we probably should create a policy to accept this kind of traffic inside the coorporate network!

PhilipDAth
Kind of a big deal
Kind of a big deal

2. Yes

 

Everything else is correct.

nikma
Here to help

Thank you Philip! I appreciate your help really 🙂

RichardChen1
Getting noticed

Hi @nikma @PhilipDAth ,

 

I have a similar request here. Our client prefers Azure MFA over DUO.

 

I managed to find the guide to setup Azure MFA

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

 

Could you please let me know where to find the hands-on guide +NPS setup?

kevUK
Here to help

Just out of Curiosity I have a couple of questions about this. When a user initiates a connection to the client VPN, do they just get a Microsoft authentication box appear? The second question is about the few Windows 7 laptops that are still in use (for now). Does this work with those?

PhilipDAth
Kind of a big deal
Kind of a big deal

It uses the Windows client VPN built into Windows.  So you get the normal Windows username/password prompt.  The user then gets a push notification to their device to approve or reject the connection.

 

The user does not get the Office 365 authentication box.

kevUK
Here to help

Fantastic. Thanks so much for the prompt reply

Get notified when there are additional replies to this discussion.