Restrict MX VPN access to only Domain Computers using AnyConnect and Windows NPS Radius

JordanCNolan
Here to help

I am looking for a way to ensure that only users with domain-joined computers can access the VPN. I am taking a look at the Event Viewer logs for NPS events and see the following are passed in for user and client machine:

User:
  Security ID: mydomain\myusername
  Account Name: myusername
  Account Domain: mydomain
  Fully Qualified Account Name: mydomain.com/Active/Users/Last, First

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  Called Station Identifier: m*************8
  Calling Station Identifier: 68.*.*.*

Is there a way to get the Cisco AnyConnect client to pass the Client Machine info into the NPS Radius when it connects to the MX?  
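The NPS event body pasted above is the evidence of the problem: the "User" block carries a domain identity, but the "Client Machine" block is empty (NULL SID, no account name), so a network policy that requires a machine group such as "Domain Computers" has nothing to match. The following is an added example, not code from the thread or from Meraki/Cisco, that parses that "Section:" / "Key: value" layout and flags events where the NAS forwarded no machine identity. Both sample events are constructed: the first reproduces the layout from the question, the second is a hypothetical event in which a computer account (WORKSTATION01$) was presented, as NPS shows for machine-authenticated 802.1X clients.

```python
# Constructed sample 1: the NPS event body as pasted in the question (values redacted).
EVENT_USER_ONLY = """User:
    Security ID: mydomain\\myusername
    Account Name: myusername
    Account Domain: mydomain
    Fully Qualified Account Name: mydomain.com/Active/Users/Last, First

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: m*************8
    Calling Station Identifier: 68.*.*.*
"""

# Constructed sample 2 (hypothetical): what the same block looks like when the
# NAS does forward a machine identity, i.e. the computer account is present.
EVENT_WITH_MACHINE = """User:
    Security ID: mydomain\\myusername
    Account Name: myusername
    Account Domain: mydomain
    Fully Qualified Account Name: mydomain.com/Active/Users/Last, First

Client Machine:
    Security ID: mydomain\\WORKSTATION01$
    Account Name: WORKSTATION01$
    Fully Qualified Account Name: mydomain.com/Computers/WORKSTATION01
    Called Station Identifier: m*************8
    Calling Station Identifier: 10.0.0.25
"""


def parse_nps_event(text):
    """Parse an NPS event body into {section: {key: value}}.

    A line that ends with ':' and contains no other colon starts a section
    ("User:", "Client Machine:"); every other non-empty line is split on its
    first ':' into key and value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            current = line[:-1]
            sections[current] = {}
            continue
        if current is None:
            continue  # text before the first section header is ignored
        key, sep, value = line.partition(":")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def has_machine_identity(event):
    """True when the Client Machine block carries a real SID and account name."""
    machine = event.get("Client Machine", {})
    sid = machine.get("Security ID", "")
    name = machine.get("Account Name", "-")
    return sid not in ("", "NULL SID") and name != "-"


def audit_events(bodies):
    """Return (user account, machine identity present?) per event body, so an
    admin can see which VPN authentications a 'Domain Computers' group
    condition could never have evaluated."""
    results = []
    for body in bodies:
        event = parse_nps_event(body)
        user = event.get("User", {}).get("Account Name", "?")
        results.append((user, has_machine_identity(event)))
    return results


if __name__ == "__main__":
    for user, ok in audit_events([EVENT_USER_ONLY, EVENT_WITH_MACHINE]):
        print(f"{user}: machine identity {'present' if ok else 'MISSING'}")
```

Run over exported NPS event text, the audit shows at a glance whether the VPN concentrator ever supplies a machine identity; if every event reports MISSING, as in the question, the group condition cannot be enforced on the RADIUS side at all, which is why the replies below point at certificate authentication or firewall-side posture checks instead.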

4 Replies
JohnT
Getting noticed

This could be done with the Cisco ASA and AnyConnect, but I don't believe this feature exists on the Meraki implementation. I would also be curious if someone has found a workaround for this. It looks like certificate authentication may be the solution for this.

Craig_Tompkins
Here to help

I know this is really old, but this is the closest post I've been able to find in what I'm looking for. @JohnT you mentioned that this was possible with Cisco ASA and AnyConnect. Can you point me to some documentation? I can't find any. I too would like to pass the computer ID so in NPS I can require machine group to equal "Domain Computers". I'll actually be using this via Firepower, but ASA to Firepower seems to have all the same features, maybe just in different menus.

JohnT
Getting noticed

@Craig_Tompkins It's been many years since I used an ASA, but I believe you had to use a dynamic access policy (DAP) that inspects the registry on the local host. It won't pass the computer name via RADIUS, but rather it communicates directly with the firewall to dynamically assign the policy based on the host posture.

This link may point you in the right direction.

https://community.cisco.com/t5/vpn/vpn-for-domain-computers-only/td-p/2730898

Craig_Tompkins
Here to help

Thank you.
