Does anyone know if there is a way to restrict client VPN connectivity to allow only specific computers, when it comes to Meraki? Is it possible to do this with RADIUS perhaps?
I have a client that has a policy to only allow AD domain-joined computers to connect to the VPN, and if Meraki/RADIUS/? can do this, I would like to sell them on Meraki. They are currently using a SonicWall TZ400 for their firewall and an SRA1600 VPN appliance, which currently handles the required setup itself.
Yes, you can define which account database is to be used with Client VPN:
Don't expect a fully featured client VPN though. The creation of the VPN profile on the clients is described here:
Rollout can also be scripted (credits to @PhilipDAth):
The built-in clients are limited in features.
>I have a client that has a policy to only allow AD domain joined computers to connect to the VPN
You won't be able to do this. All you can do is check that the user has entered an AD username/password, but not verify that it is being done from an AD-joined computer.
Can you elaborate on why this isn't possible? We're looking to implement this (we already have RADIUS configured to authenticate based on a specific user group) but it sounds like it wouldn't work. NPS in Windows Server 2012 has the option to do both user and computer via Windows Group (which says it does both?), or, one or the other meaning you can select Machine Groups or User Groups.
Is this a limitation on the Meraki side?
Because the only information the RADIUS server gets is the user's name and password. The RADIUS server is not told which machine the user is logging in from.
Consequently there is no way to restrict the machine being used.
This is a fundamental restriction of the Windows L2TP over IPSec client. Microsoft did not create a way for the machine name to also be passed or authenticated.
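To make concrete what the RADIUS server actually receives, here is an added example (not from the original thread, and not Meraki's or Microsoft's code) that builds an RFC 2865 Access-Request the way a VPN concentrator would on behalf of an L2TP/PAP login, hides User-Password under the shared secret as the RFC specifies, and then decodes it on the server side. The shared secret, username, password, NAS address and the exact attribute set are constructed for the example. What it shows is that every attribute is either the user's credential or a description of the NAS itself; there is no attribute carrying the client machine's name or domain membership, so a RADIUS policy has nothing to match a machine group against.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 attribute types that appear in this constructed request.
ATTR_NAMES = {
    1: "User-Name",
    2: "User-Password",
    4: "NAS-IP-Address",
    6: "Service-Type",
    7: "Framed-Protocol",
}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. This is obfuscation against the secret, not real
    encryption, which is why L2TP/IPsec wraps the whole exchange."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, attrs):
    """Code 1 = Access-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator = pkt[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs


def describe(pkt, secret):
    """Server-side view: every attribute, with User-Password revealed."""
    _, _, auth, attrs = parse_packet(pkt)
    seen = {}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attribute-{t}")
        if t == 2:
            seen[name] = reveal_password(v, secret, auth).decode(errors="replace")
        elif t == 4:
            seen[name] = socket.inet_ntoa(v)
        elif t in (6, 7):
            seen[name] = struct.unpack("!I", v)[0]
        else:
            seen[name] = v.decode(errors="replace")
    return seen


def sample_access_request(secret, authenticator=None):
    """Constructed request: an AD user authenticating over PAP via a VPN
    concentrator at 192.0.2.1 (documentation address). Values are made up."""
    auth = authenticator or os.urandom(16)
    return build_access_request(7, auth, [
        (1, b"CORP\\jdoe"),
        (2, hide_password(b"correct horse battery staple", secret, auth)),
        (4, socket.inet_aton("192.0.2.1")),
        (6, struct.pack("!I", 2)),   # Service-Type = Framed
        (7, struct.pack("!I", 1)),   # Framed-Protocol = PPP
    ])


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed, not a real deployment value
    for name, value in describe(sample_access_request(secret), secret).items():
        print(f"{name:16} {value}")
```

Running it prints the user name, the recovered password and three attributes that describe the NAS and the framing; nothing in the packet says which computer typed the password, which is the limitation the reply above describes.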
That answers my question. I appreciate you replying to this old thread! Hopefully this info is helpful to others looking for this info as well.
Quick edit: If RADIUS doesn't get computer information, what mechanism would make it possible to authenticate the computer/device the user is logging in from? Would we have to use something different altogether?