Setting up Cisco Meraki Client VPN with NPS & AzureMFA extension

thaack
Getting noticed


I recently went through the process of setting up RADIUS auth for Meraki's IPsec Client VPN, so I could utilize the NPS AzureMFA extension for MFA, as our users are already set up on Microsoft Authenticator for M365. I decided to go this route as opposed to AnyConnect because AnyConnect is still not supported on Network Templates, and because of the security risks associated with SSL VPNs.


This turned out to be a huge headache, as the Meraki documentation on the RADIUS NPS setup is a bit outdated and the Microsoft documentation on the AzureMFA extension for NPS can be misleading when working with Meraki Client VPN and the Windows built-in VPN client.


Hopefully my writeup below saves some people some time if they decide to go this route:

Setting Up Azure MFA with NPS for Meraki Client VPN (And Everything That Can Go Wrong)

4 Replies
PhilipDAth
Kind of a big deal

Well done. It is a big pain!!!

I won't do NPS with Azure MFA deployments anymore. I keep having them break every year or two, and they are really hard to debug.


I think if I couldn't do AnyConnect because of the templates, I would use something like Cisco Secure Access or Cisco SecureConnect - where users VPN into a Cisco cloud head end, and then use AutoVPN to get back to what they need to connect to.

thaack
Getting noticed

Thanks for the heads up.


Assuming SecureConnect is still subscription-based per user, it would be a significant cost 😥

PhilipDAth
Kind of a big deal

It is per user. Cisco Secure Access is quite a bit cheaper, but has a minimum order quantity of 100 users.

Brash
Kind of a big deal

Nice writeup!

I've never liked the NPS Azure MFA integration.

We tried getting it integrated with MS AOVPN and had all sorts of issues.
Looks like NPS + Azure MFA + Meraki native client is even more difficult.

One of the issues we hit was that the MFA prompt would appear behind all of the user's other applications on the client PC. Not super helpful for staff with limited computer literacy 😆
