Meraki

Community

RADIUS vs AD authentication for Client VPN

Solved
tantony
Head in the Cloud
‎Feb 28 2019 10:15 AM
‎Feb 28 2019 10:15 AM

RADIUS vs AD authentication for Client VPN

I'm using Meraki Cloud authentication for VPN, and it's working well.  My question is, what's the difference between RADIUS and Active Directory (AD) authentication for VPN?  I know for AD, the user logs in with their username and password.  What about RADIUS?  Where is the username and password info coming from?  Is that still coming from AD or do I need to create it locally on the Meraki?

 

Also, I know with AnyConnect you could use RSA for 2 factor authentication.  Is there anything for Client VPN?  Right now, we have one VPN account for Meraki cloud authentication, and everyone is using that one account for VPN.  I think it might be better for each users to have their own account.

 

1 Accepted Solution
In response to tantony
Mr_IT_Guy
A model citizen
‎Feb 28 2019 5:35 PM
‎Feb 28 2019 5:35 PM

Correct, you use AD logins even if using RADIUS. RADIUS is used ALONG WITH AD. AD will be where it looks for the users you assign to the policy, but RADIUS is the one that enforces it. Think of it like this:

  • RADIUS is the bouncer outside the VIP room of a club. It has to look at the exclusive list (AD) to see who gets in and who doesn't (i.e. your policy). Just because you can get into the club (i.e you have AD credentials) doesn't mean you can get into the VIP room (you don't match the policy)

As for the Meraki IP you put as the RADIUS client, you would use the private IP. Keep in mind that if you have to go through a VPN tunnel to reach the RADIUS server, your MX IP would be the gateway of your HIGHEST numbered vLAN participating in site-to-site. For example, if you have vLAN setup:

  • vLAN 10 - gateway 192.168.10.1
  • vLAN 17 - gateway 192.168.17.1
  • vLAN 20 - gateway 192.168.20.1
  • vLAN 35 - gateway 192.168.35.1
  • vLAN 52 - gateway 192.168.52.1

and all vLANs are participating in site-to-site, the MX IP would be 192.168.52.1 as that is the highest numbered vLAN. IF vLANs 35 and 52 were NOT participating in site-to-site, then the MX IP would be 192.168.20.1 as vLAN 20 is the highest numbered vLAN.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

View solution in original post

11 Replies 11
Mr_IT_Guy
A model citizen
‎Feb 28 2019 11:36 AM
‎Feb 28 2019 11:36 AM

Hi @tantony ,

 

With AD authentication, you will point to one of your DCs for authentication purposes. As long as there is an AD account, the user will be able to connect to the VPN. (Active Directory Integration)

 

With RADIUS, you will point to a RADIUS server for authentication, which allows you to provide a bit more security. You can setup a policy so that only people belonging to a certain AD group (which RADIUS will be pointed to) will be able to connect to VPN. (Configuring RADIUS Authentication with Client VPN)

 

As far as 2FA is concerned, you can use RSA and DUO with the built-in Windows client, although it is limited to the Push or Biometric authentication methods as there is no way to input a code at this time.

 

If you are using Meraki Cloud authentication, you can create multiple accounts for users to use with the VPN. (Managing User Accounts using Meraki Authentication)They do not have to have dashboard access in order to be setup as a VPN user. You should absolutely have individual accounts for each user accessing VPN.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
tantony
Head in the Cloud
‎Feb 28 2019 12:20 PM
‎Feb 28 2019 12:20 PM

Thank you.  When you say RADIUS server, do you mean an actual server or can the MX be a server?  Can I use something like https://jumpcloud.com?

0 Kudos
In response to tantony
jdsilva
Kind of a big deal
‎Feb 28 2019 3:02 PM
‎Feb 28 2019 3:02 PM

The MX cannot be a RADIUS server. It would be external to the MX. You could run it on a dedicated server, or on one of your DC's if you wanted. The Microsoft role for RADIUS you would add is Network Policy Server(NPS). 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
tantony
Head in the Cloud
‎Feb 28 2019 4:15 PM
‎Feb 28 2019 4:15 PM

So if I understand, I have to manually create usernames and passwords for RADIUS. In that case, the user can’t change their passwords unless I change it for them?  

 

I’m not familiar with RADIUS so I could use all help I can get. 

0 Kudos
In response to tantony
tantony
Head in the Cloud
‎Feb 28 2019 4:26 PM
‎Feb 28 2019 4:26 PM

Looks like this explains what I’m trying to do. I guess I can use AD logins even if using RADIUS. Since Meraki is the RADIUS client I have to put its IP address. Do I use the Meraki public IP?  

 

https://youtu.be/KxzqQNMeNlA

In response to tantony
Mr_IT_Guy
A model citizen
‎Feb 28 2019 5:35 PM
‎Feb 28 2019 5:35 PM

Correct, you use AD logins even if using RADIUS. RADIUS is used ALONG WITH AD. AD will be where it looks for the users you assign to the policy, but RADIUS is the one that enforces it. Think of it like this:

  • RADIUS is the bouncer outside the VIP room of a club. It has to look at the exclusive list (AD) to see who gets in and who doesn't (i.e. your policy). Just because you can get into the club (i.e you have AD credentials) doesn't mean you can get into the VIP room (you don't match the policy)

As for the Meraki IP you put as the RADIUS client, you would use the private IP. Keep in mind that if you have to go through a VPN tunnel to reach the RADIUS server, your MX IP would be the gateway of your HIGHEST numbered vLAN participating in site-to-site. For example, if you have vLAN setup:

  • vLAN 10 - gateway 192.168.10.1
  • vLAN 17 - gateway 192.168.17.1
  • vLAN 20 - gateway 192.168.20.1
  • vLAN 35 - gateway 192.168.35.1
  • vLAN 52 - gateway 192.168.52.1

and all vLANs are participating in site-to-site, the MX IP would be 192.168.52.1 as that is the highest numbered vLAN. IF vLANs 35 and 52 were NOT participating in site-to-site, then the MX IP would be 192.168.20.1 as vLAN 20 is the highest numbered vLAN.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
tantony
Head in the Cloud
‎Mar 1 2019 2:38 AM
‎Mar 1 2019 2:38 AM

Thank you. I’m using the native Windows vpn client. So assuming I’m using RADIUS, do I just login with my normal Windows login for example. 

 

Username = mjackson

password = password

 

0 Kudos
In response to tantony
Mr_IT_Guy
A model citizen
‎Mar 1 2019 6:16 AM
‎Mar 1 2019 6:16 AM

That is correct.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to Mr_IT_Guy
tantony
Head in the Cloud
‎Mar 4 2019 11:05 AM
‎Mar 4 2019 11:05 AM

I added the NPS role in the Windows server, and added my laptop as the RADIUS client to test, so far it's working fine.  Only members of the VPN group can VPN.  This is good.

 

Couple of question.  For the port number for RADIUS in Meraki, do I use 1812 or 1645?  Because when I was setting up NPS in Windows, I think it was 1645. 

 

Next question is, I know I'm suppose to use the highest numbered VLAN.  Just to make sure I'm doing this correctly, I have VLANs 2,3 and 4 in the Meraki.  My highest numbered is obvisously VLAN 4, but it's used for a static route to a Juniper firewall.  VLANs 2 & 3 are Meraki networks.  So if I want to access the Juniper network when I VPN, I should use VLAN 4 correct?

0 Kudos
In response to tantony
Mr_IT_Guy
A model citizen
‎Mar 6 2019 1:41 PM
‎Mar 6 2019 1:41 PM

I typically use 1812 as that's the default, but if you used 1645 you would want to match that in the Meraki.

 

As for the vLAN, vLAN 4 would be correct.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
tantony
Head in the Cloud
‎Mar 8 2019 7:18 PM
‎Mar 8 2019 7:18 PM

I had to make some minor changes, but thanks for everyone's help.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.