Meraki client VPN 2FA

tantony
Head in the Cloud

Meraki client VPN 2FA

Currently, I'm using RADIUS authentication for VPN.  I'm using Active Directory servers as the RADIUS.  I'm using Windows 10 native VPN client also.  So when a user logs in, they open their Windows 10 VPN client, then enter their Active Directory username and password, and if everything is correct, they're connected to VPN.

 

I would like to enable 2FA on the VPN.  If I understand correctly, I cannot do this from the native Windows 10 VPN, but I can do this from AnyConnect?  How exactly would I do this?  So when I user types in their AD credentials, I would like them to enter the correct PIN or something like that as a secondary authentication method.

 

I know I have to use third party vendors such as Duo, RSA, Azure etc. for the 2nd part of the authentication

 

From my research, Duo is the easiest to setup.  Anyone else using RSA or Azure?  The below post says I need to contact Meraki to adjust the timeout settings.

 

https://community.meraki.com/t5/Security-SD-WAN/Using-DUO-for-2FA-how-to/td-p/38442

16 REPLIES 16
PhilipDAth
Kind of a big deal
Kind of a big deal

>I would like to enable 2FA on the VPN.  If I understand correctly, I cannot do this from the native Windows 10 VPN, but I can do this from AnyConnect? 

 

You can use either.  Cisco Duo is particularly easy.  You would install the Duo RADIUS proxy.  You direct the MX to send the RADIUS queries to that instead of NPS.

https://duo.com/docs/meraki-radius 

 

If you don't use NPS for anything else, you could just stop it and run the Duo Auth Proxy in its place.  Otherwise if NPS is used for other things (like WiFi) I commonly install it on the same AD controller as NPS but configure it to use port 1912 instead of 1812, and then both can run on the same box at the same time.

You can configure the Duo Auth Proxy to then forward requests onto NPS on port 1812, or authenticate directly against AD.

Yes, Duo looks easier.  There was a Meraki documentation on setting up 2FA which featured RSA, Microsoft Azure, but I can't find that link.  

 

On my RADIUS server, I'm running NPS on port 1812.  For VPN authentication on AD.  So I should run the Duo Auth Proxy on port 1912 on the same RADIUS server?  I'm actually using 2 RADIUS servers, both also Domain Controllers.

 

Do I need to contact Meraki to do this?  Because I saw something about Meraki need to change the timeout to wait for proxy?  Like I said, I'm using the native Windows VPN client, should I be using AnyConnect if I want to use 2FA?

 

Is there any documentation that shows me the exact steps?

tantony
Head in the Cloud

Am I thinking this correct?  It sounds like I need to contact Meraki directly to enable the timeouts and may be the settings for AnyConnect.

PhilipDAth
Kind of a big deal
Kind of a big deal

>So I should run the Duo Auth Proxy on port 1912 on the same RADIUS server? 

 

That is an easy option.  Note you would normally put one of each AD controller for redundancy.

 

If you want to use the Windows client VPN you will need to ask Meraki support to extend the timeouts (default timeout is 10s).

 

With AnyConnect you can configure it yourself.

 

PhilipDAth_0-1635544092791.png

 

Is there any way to have the 2FA through Azure without needing the Radius server?  We have Azure using Hello as the 2FA, and would like it where when someone connects to the VPN through the windows VPN client, they have to put in the Hello pin.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Is there any way to have the 2FA through Azure without needing the Radius server?

 

No.

If you start with Duo, remove 90% of its capabilities, and then make it twice as difficult, you have something similar to Microsoft MFA.

 

Windows Hello doesn't even support MFA for desktop sign in.

 

Duo does - and we use it.  You can use Duo for your Office 365 and Azure sign in as well.  Basically, you can use Duo to replace the whole crappy Microsoft MFA system on everything.

 

Microsoft MFA is really only good for doing really basic MFA when everything is 100% Microsoft and you are only wanting to protect Microsoft cloud apps.

I'll second this. We use Duo for MFA for Office 365 and Meraki Client VPN currently. Plus you can setup conditional access in Azure AD and apply the Duo MFA for any existing SSO apps you already have setup there.


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

Windows Hello for Business does support MFA, in that it takes 2 factors to set it up.  

 

I have to use Hello for a variety of reasons.

CptnCrnch
Kind of a big deal
Kind of a big deal

Nobody ever said Windows doesn't do MFA. Compared to Duo, it's like coding COBOL to Python though. 😉

PhilipDAth
Kind of a big deal
Kind of a big deal

>Windows Hello for Business does support MFA, in that it takes 2 factors to set it up.  

 

If uses MFA for device enrollment.

 

Beyond that, it does not use MFA.  For example, you can not protect a Windows 10 workstation using Microsoft Authenticator - a second authentication source.

Allowing only a single authentication method - such as PIN - is not two-factor authentication.  It is no better than a password, and in many cases worse, since a PIN is typically weaker than a password.

@PhilipDAth 

Thanks, I'll use port 1912 for Duo Auth Proxy.  Yes, I'm already using both of my DCs as RADIUS for redundancy  .  

rgower
Conversationalist

I have figured out how to use Microsoft 2 factor authentication, RADIUS and use group polices to limit access on the VPN. Without using a 3rd party tool for MFA

PhilipDAth
Kind of a big deal
Kind of a big deal

Using the NPS plug-in?  Expect it to break about every 6 months and to be really hard to fix.

rgower
Conversationalist

I used the NPS plug-in found in this Microsoft article

Use Azure AD Multi-Factor Authentication with NPS - Microsoft Entra | Microsoft Learn

I setup a new 2022 server that I am hosting it on

Then I setup local groups on my on-premise domain server and assigned users to the groups.

I followed Group Policies with RADIUS Filter-ID found at

AnyConnect on the MX Appliance - Cisco Meraki

I discovered that I could not any more than one security group per network policy and the same held true for Attribute information string.

Once I got one group complete, I then just started adding more network policies.

I have discovered that MFA with Microsoft will only work with the authenticator app and the phone call. It will not work with any text message where user needs to enter a code on screen via pop-up. 

I would like to know what broke in roughly 6 months?

PhilipDAth
Kind of a big deal
Kind of a big deal

It tends to stop working (no push notifications).  You'll have to do things like re-install it, mess with certificates and try and debug it.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels