Option for MFA When Connecting to Meraki Client VPN?

Solved
eanderson
Here to help

Option for MFA When Connecting to Meraki Client VPN?

Hello,

 

I apologize if there is an answer for this out there that I am missing, and chances are it's fairly obvious, though I am new to Meraki networking. I am wondering if it is possible to implement MFA for users connecting to the Meraki Client VPN via Cisco AnyConnect? 

 

Currently we use a RADIUS server for authentication. If it is possible to deploy this, I am wondering what that process would look like to be able to do so, if there is any documentation or simply an answer someone could provide to help point me in the right direction, it would be much appreciated.

 

Thank you! 😁

1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal

Another option to the mentioned SAML to Azure is SAML to Duo which is my preferred option, or RADIUS to an internal Duo authentication proxy that authenticates through LDAP and then queries the duo cloud to send the push to the users phone.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

7 Replies 7
Obrez
Here to help

Hello, yes, it is totally possible.  First, you will need to contact support and have them enable SAML auth for anyconnect.  We use Azure MFA, and it is very straight forward using enterprise app for anyconnect.  Let me know if you have questions.

 

cheers!

KarstenI
Kind of a big deal
Kind of a big deal

Another option to the mentioned SAML to Azure is SAML to Duo which is my preferred option, or RADIUS to an internal Duo authentication proxy that authenticates through LDAP and then queries the duo cloud to send the push to the users phone.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
eanderson
Here to help

Thank you for the response! Would you happen to know if the combo for RADIUS to AD FS is available as well? Per the Meraki documentation I see SAML to AD FS is, but unsure if RADIUS is as well.

 

Thanks again!

Obrez
Here to help

You can use Microsoft's NPS to Entra MFA plugin on your NPS server.  We are currently using this at one of our sites because we have many contractors we need to apply firewall rules to (using filter ID).  It has been working well.

 

you can find info here:  Use Microsoft Entra multifactor authentication with NPS - Microsoft Entra ID | Microsoft Learn 

Obrez
Here to help

I forgot to mention, if you are using your current NPS for authentications that you don't want MFA for, you will have to build another exclusive NPS server just for MFA.  It's all or nothing unfortunately.  Let me know if you have questions.

Darren88a
Conversationalist

Hi, would you have any details on setting this up.. I would like to configure this for a deployment, Meraki Anyconnect VPN >  Duo / Entra ID

KarstenI
Kind of a big deal
Kind of a big deal

Start here:

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#SAML_Au...

https://duo.com/docs/sso-meraki-secure-client

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.