Restrict MX VPN access to only Domain Computers using AnyConnect and Windows NPS Radius

JordanCNolan
Here to help

Restrict MX VPN access to only Domain Computers using AnyConnect and Windows NPS Radius

I am looking for a way to ensure that only users with domain joined computers can access the VPN.  I am taking a look at the Event Viewer logs for NPS events and see the following are passed in for user and client machine

 

User:

 

  • Security ID: mydomain\myusername
    Account Name: myusername
    Account Domain: mydomain
    Fully Qualified Account Name: mydoamin.com/Active/Users/Last, First

Client Machine:

 

  • Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: m*************8
    Calling Station Identifier: 68.*.*.*

Is there a way to get the Cisco AnyConnect client to pass the Client Machine info into the NPS Radius when it connects to the MX?  

4 REPLIES 4
JohnT
Getting noticed

This could be done with the Cisco ASA and AnyConnect, but I don't believe this feature exists on the Meraki implementation.  I would also be curious if someone has found a workaround for this.  It looks like certificate authentication may be the solution for this.  

Craig_Tompkins
Here to help

I know this is really old, but this is the closest post I've been able to find in what I'm looking for.  @JohnT you mentioned that this was possible with Cisco ASA and Anyconnect.  Can you point me to some documentation?  I can't find any.  I too would like to pass the computer ID so in NPS I can require machine group to equal "Domain Computers".  I'll actually be using this via Firepower, but ASA to Firepower seems to have all the same features, maybe just in different menus.

@Craig_Tompkins It's been many years since I used an ASA, but I believe you had to use a dynamic access policy (DAP) that inspects the registry on the local host.  It won't pass the computer name via radius, but rather it communicates directly with the firewall to dynamically assign the policy based on the host posture.

 

This link may point you in the right direction.

https://community.cisco.com/t5/vpn/vpn-for-domain-computers-only/td-p/2730898

Craig_Tompkins
Here to help

Thank you.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels