cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Restrict computers for VPN access.

Here to help

Restrict computers for VPN access.

Does anyone know if there is a way to restrict client VPN connectivity to allow only specific computers, when it comes to Meraki? Is it possible to do this with RADIUS perhaps?

 

I have a client that has a policy to only allow AD domain joined computers to connect to the VPN, and if Meraki/RADIUS/?, can do this I would like to sell them on Meraki. They are currently using a Sonicwall TZ400 for their firewall and an SRA1600 vpn appliance of which handles the required setup currently itself.

 

Thanks,

 

Ryan

5 REPLIES 5
Kind of a big deal

Re: Restrict computers for VPN access.

Yes, you can define which account database is to be used with Client VPN:

 

2019-02-12 19_00_48-Greenshot.png

 

Don't expect a fully featured client VPN though. The creation of the VPN profile on the clients is described here:

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

Rollout can also be scripted (credits to @PhilipDAth😞

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

The built-in clients are limited in features.

Kind of a big deal

Re: Restrict computers for VPN access.

>I have a client that has a policy to only allow AD domain joined computers to connect to the VPN

 

You wont be able to do this.  All you can do is checked that the user has entered an AD username/password - but not verify that it is being done from an AD joined computer.

Conversationalist

Re: Restrict computers for VPN access.

Hi @PhilipDAth,

 

Can you elaborate on why this isn't possible? We're looking to implement this (we already have RADIUS configured to authenticate based on a specific user group) but it sounds like it wouldn't work. NPS in Windows Server 2012 has the option to do both user and computer via Windows Group (which says it does both?), or, one or the other meaning you can select Machine Groups or User Groups.

 

Is this a limitation on the Meraki side?

Kind of a big deal

Re: Restrict computers for VPN access.

Because the only information the RADIUS server gets is the users name and password.  The RADIUS server is not told which machine the user is logging in from.

 

Consequently there is no way to restrict the machine being used.

 

 

This is a fundamental restriction of the Windows L2TP over IPSec client.  Microsoft did not create a way for the machine name to also be passed or authenticated.

Conversationalist

Re: Restrict computers for VPN access.

Thanks @PhilipDAth,
That answers my question. I appreciate you replying to this old thread! Hopefully this info is helpful to others looking for this info as well.

 

Quick edit: If RADIUS doesn't get computer information, what mechanism would make it possible to authenticate the computer/device the user is logging in from? Would we have to use something different altogether?

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.