Meraki

Community

Restrict Meraki VPN access Based on Device

Solved
mrozsypal
Here to help
‎Aug 4 2023 9:40 AM
‎Aug 4 2023 9:40 AM

Restrict Meraki VPN access Based on Device

I am looking for info on how to restrict Meraki VPN connection based on a users device. If possible only allowing domain joined devices to connect to the VPN. 

 

A method may be by using certificate authentication but I am not sure if a user could export the certificate and just go around this method.

 

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 6 2023 2:00 PM
‎Aug 6 2023 2:00 PM

My first choice is to use Cisco AnyConnect and SAML.  Authenticate against Azure AD, and use conditional access to restrict logins to Azure AD joined machines.  Or you could authenticate against Cisco Duo, and restrict access to trusted devices.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

https://duo.com/docs/trusted-endpoints 

 

If you have Active Directory then you could use certificates.  Deploy a CA server.  Create a certificate template to deploy machine certificates, and untick "Allow private key to be exported".

https://learn.microsoft.com/en-us/answers/questions/57551/export-certificate-with-private-key 

 

You'll need to create an AnyConnect connection profile, and specify that certificates should come from the machine certificate store (and not the user certificate store).

View solution in original post

3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 5 2023 1:02 PM
‎Aug 5 2023 1:02 PM

Theoretically, a device certificate is valid only for the machine added to the domain.

 

Certificate authentication: This is used to configure the trusted CA file that is used to authenticate client devices. This configuration is only required if you need to authenticate client devices with a certificate. Only certificates PEM format are supported at this time.

 

I'm not sure if this would work as the options you have with Meraki VPN are limited.

Perhaps you would have more options if you were using Cisco ISE as a Radius server.

I suggest you to open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 6 2023 2:00 PM
‎Aug 6 2023 2:00 PM

My first choice is to use Cisco AnyConnect and SAML.  Authenticate against Azure AD, and use conditional access to restrict logins to Azure AD joined machines.  Or you could authenticate against Cisco Duo, and restrict access to trusted devices.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

https://duo.com/docs/trusted-endpoints 

 

If you have Active Directory then you could use certificates.  Deploy a CA server.  Create a certificate template to deploy machine certificates, and untick "Allow private key to be exported".

https://learn.microsoft.com/en-us/answers/questions/57551/export-certificate-with-private-key 

 

You'll need to create an AnyConnect connection profile, and specify that certificates should come from the machine certificate store (and not the user certificate store).

In response to PhilipDAth
mrozsypal
Here to help
‎Aug 7 2023 10:27 AM
‎Aug 7 2023 10:27 AM

I will try the SAML method and see if it works.

 

Thank you

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.