Restrict MX VPN access to only Domain Computers using AnyConnect and Windows NPS Radius

JordanCNolan
Here to help

I am looking for a way to ensure that only users with domain joined computers can access the VPN.  I am taking a look at the Event Viewer logs for NPS events and see the following are passed in for user and client machine

User:
  • Security ID: mydomain\myusername
  • Account Name: myusername
  • Account Domain: mydomain
  • Fully Qualified Account Name: mydoamin.com/Active/Users/Last, First

Client Machine:
  • Security ID: NULL SID
  • Account Name: -
  • Fully Qualified Account Name: -
  • Called Station Identifier: m*************8
  • Calling Station Identifier: 68.*.*.*

Is there a way to get the Cisco AnyConnect client to pass the Client Machine info into the NPS Radius when it connects to the MX?  
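
An added example (not code from this thread or from Cisco/Meraki) that audits the NPS events the post is reading and flags authentications where the Client Machine section carries NULL SID, so a defender can list which VPN sessions NPS could not tie to a domain computer. It assumes NPS records granted/denied requests in the Security log as Event IDs 6272/6273 with the "Label: value" layout shown above; the function names and the sample event text are constructed for illustration.

```powershell
# Added example (not code from the thread): flag NPS RADIUS authentications where
# the Client Machine section carries "NULL SID", i.e. the case the post describes.
# Assumptions: NPS writes to the Security log as Event ID 6272 (granted) / 6273 (denied)
# and the message uses the "Label:   value" layout shown in the post.

function ConvertFrom-NpsAuthMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Read "Label: value" from one section of the event text (labels repeat across sections).
    $get = {
        param($section, $label)
        $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.*?)\s*$'
        if ($section -match $pattern) { $Matches[1] } else { $null }
    }
    # Split the text at the "Client Machine:" heading into the user and machine sections.
    $parts          = $Message -split '(?m)^\s*Client Machine:'
    $userSection    = $parts[0]
    $machineSection = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $machineSid     = & $get $machineSection 'Security ID'
    [pscustomobject]@{
        UserSid           = & $get $userSection 'Security ID'
        MachineSid        = $machineSid
        CallingStation    = & $get $machineSection 'Calling Station Identifier'
        # True only when NPS actually received a machine identity for the client.
        MachineIdentified = [bool]($machineSid -and $machineSid -ne 'NULL SID')
    }
}

function Get-NpsMachineAudit {
    # Live query: most recent NPS grant/deny events, each tagged with the parsed machine identity.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $granted = ($_.Id -eq 6272)
            ConvertFrom-NpsAuthMessage -Message $_.Message |
                Add-Member -NotePropertyName Granted -NotePropertyValue $granted -PassThru
        }
}

# Constructed sample in the post's layout (placeholder values, not real data); runs offline.
$sample = @"
User:
    Security ID:                  CORP\jdoe
    Account Name:                 jdoe
    Fully Qualified Account Name: corp.example/Users/Doe, John
Client Machine:
    Security ID:                  NULL SID
    Account Name:                 -
    Calling Station Identifier:   203.0.113.10
"@
ConvertFrom-NpsAuthMessage -Message $sample | Format-List
```

On an NPS server, `Get-NpsMachineAudit | Where-Object { -not $_.MachineIdentified }` lists the sessions that were authenticated on user credentials alone, which is the gap the post is asking how to close.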

JohnT
Getting noticed

Re: Restrict MX VPN access to only Domain Computers using AnyConnect and Windows NPS Radius

This could be done with the Cisco ASA and AnyConnect, but I don't believe this feature exists on the Meraki implementation.  I would also be curious if someone has found a workaround for this.  It looks like certificate authentication may be the solution for this.  
