Restrict computers for VPN access.

RYN0
Here to help

Does anyone know if there is a way to restrict client VPN connectivity to allow only specific computers, when it comes to Meraki? Is it possible to do this with RADIUS perhaps?

I have a client that has a policy to only allow AD domain joined computers to connect to the VPN, and if Meraki/RADIUS/? can do this I would like to sell them on Meraki. They are currently using a Sonicwall TZ400 for their firewall and an SRA1600 VPN appliance, which currently handles the required setup itself.

 

Thanks,

Ryan

9 Replies
BrechtSchamp
Kind of a big deal

Yes, you can define which account database is to be used with Client VPN:

[screenshot]

Don't expect a fully featured client VPN though. The creation of the VPN profile on the clients is described here:

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

Rollout can also be scripted (credits to @PhilipDAth):

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

The built-in clients are limited in features.

PhilipDAth
Kind of a big deal

>I have a client that has a policy to only allow AD domain joined computers to connect to the VPN

You won't be able to do this.  All you can do is check that the user has entered an AD username/password, but not verify that it is being done from an AD-joined computer.

e39_540i
Getting noticed

Hi @PhilipDAth,

Can you elaborate on why this isn't possible? We're looking to implement this (we already have RADIUS configured to authenticate based on a specific user group) but it sounds like it wouldn't work. NPS in Windows Server 2012 has the option to do both user and computer via Windows Group (which says it does both?), or one or the other, meaning you can select Machine Groups or User Groups.

Is this a limitation on the Meraki side?

PhilipDAth
Kind of a big deal

Because the only information the RADIUS server gets is the user's name and password.  The RADIUS server is not told which machine the user is logging in from.

Consequently there is no way to restrict the machine being used.

This is a fundamental restriction of the Windows L2TP over IPSec client.  Microsoft did not create a way for the machine name to also be passed or authenticated.

e39_540i
Getting noticed

Thanks @PhilipDAth,
That answers my question. I appreciate you replying to this old thread! Hopefully this info is helpful to others looking for this info as well.

Quick edit: If RADIUS doesn't get computer information, what mechanism would make it possible to authenticate the computer/device the user is logging in from? Would we have to use something different altogether?

Nemo
Here to help

I'm also seeking a way to do this.  I had hoped that I could use DHCP reservations for the Client VPN subnet and create reservations for known MAC addresses.  This isn't perfect but it is a lot better than nothing.

Unfortunately I am not seeing any way to specify DHCP reservations for a client VPN subnet.

Has anyone else figured out a way to either restrict or somehow validate the computers that are connecting to VPN in addition to validating the user?

DHAnderson
Head in the Cloud

There might be another way to accomplish this using a different paradigm.

Google BeyondCorp or Perimeter 81 are both Zero Trust products that can link local applications, sites and services with cloud based services.  Basically you create a site-to-site VPN to Google BeyondCorp or Perimeter 81 and then manage everything through those services. For instance, you want to provide Remote Desktop in a secure manner to an RDS server. You would configure either vendor's site with a Remote Desktop link, and grant access to the users who need that service.

Users are authenticated into Perimeter 81 or Google BeyondCorp and see a screen with the services and applications that they have access to.  Google BeyondCorp can use user and machine certificates as part of the authentication process.  Perimeter might be able to do that as well.

One benefit that is made clear during this Covid-19 lockdown is that instead of all employees coming in through a VPN and overwhelming the firewall, there is only one VPN connection that the firewall needs.  The employees sign into the BeyondCorp or Perimeter 81 site instead.  This is more scalable and secure than a traditional VPN solution.

I apologize that this is a short and incomplete summary of these products.  My intent was only to make you aware of different options for your VPN solution.

Dave Anderson
BrechtSchamp
Kind of a big deal

Interesting concepts @DHAnderson . Thanks for sharing.

PhilipDAth
Kind of a big deal

I see we have a number of people looking at this old thread.

Since this was originally posted a new method is now available.  You can now configure certificate plus username+password authentication with RADIUS.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#Certifi...

You set up an Enterprise CA, and issue every machine with a certificate.  Meraki+AnyConnect will first check that the machine has been issued a certificate, and then check the user's username and password.

You can also use AnyConnect+SAML+Duo, and use Duo device trust to verify the computer is a member of AD or manually trusted.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#SAML_Au...

https://duo.com/docs/trusted-endpoints
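The certificate-then-credentials order described in the post above, as an added Go example that is not Meraki, AnyConnect or the poster's code: it builds a constructed enterprise CA, issues a machine certificate from it, and only checks the user's password once the presented certificate chains to that CA. The CA name, machine names and in-memory credential table are invented for the example; in a real deployment the second stage is the RADIUS/AD lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert (constructed helper, not a Meraki/AnyConnect API) issues a certificate for cn:
// a self-signed CA when ca is nil (the enterprise CA), else a client-auth machine cert signed by ca.
func newCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if ca == nil { // enterprise CA: may sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key // self-signed
	} else { // machine certificate: usable for client authentication only
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate is the two-stage check: the presented machine certificate must chain to the
// enterprise CA and carry the client-auth EKU; only then are the user's credentials checked.
func Authenticate(machine, enterpriseCA *x509.Certificate, user, pass string, users map[string]string) error {
	roots := x509.NewCertPool()
	roots.AddCert(enterpriseCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := machine.Verify(opts); err != nil {
		return errors.New("machine certificate rejected: " + err.Error()) // machine the CA never issued
	}
	// Unknown users must fail even with an empty password, hence the explicit ok check.
	if want, ok := users[user]; !ok || want != pass {
		return errors.New("bad username or password for " + user)
	}
	return nil
}
```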

 
