Meraki

Community

Told by Meraki Support that MFA is No Longer Available for Client VPN

Solved
dromios
Getting noticed
‎Mar 2 2020 9:03 AM
‎Mar 2 2020 9:03 AM

Told by Meraki Support that MFA is No Longer Available for Client VPN

Hello,

 

We are looking to implement MFA for client VPN, and after some research, it seems like there are three options:

  • RSA
  • DUO
  • MFA Server

Since the MFA server isn't an option for new rollouts, I read that an Azure MFA NPS Policy extension can be used in conjunction with a Radius server to achieve the same result; this is what I was aiming to ultimately do.

Here is where the confusion comes in.  When I reached out to Meraki support, I had multiple technicians tell me that MFA for client VPN used to be a feature but it no longer is.

 

Am I missing something, or did I get a few technicians who are misinformed?  I was thinking it could've been that there were built-in (non-3rd party) solutions in the past, that has since been deprecated.  I rephrased my question and both agents said that MFA and client-side VPN isn't an option anymore, even with the aforementioned technologies.

 

Would someone be able to clarify the current situation, and if these technicians were misinformed, is the Azure MFA NPS Policy Extension a viable option?

 

Thank you in advance.

 

Doug

1 Accepted Solution
In response to dromios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 3:17 PM
‎Mar 2 2020 3:17 PM

If you want to use the Microsoft Authenticator with VPN you must use the NPS extension.

View solution in original post

14 Replies 14
aantunes
Conversationalist
‎Mar 2 2020 9:07 AM
‎Mar 2 2020 9:07 AM

This is an important topic, as MFA is a must nowadays, I am commenting to keep track if u get a response! 😊

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 11:19 AM
‎Mar 2 2020 11:19 AM

Support are wrong.

 

You can use any MFA product that works via a RADIUS server and provides the second factor out of band (the most typical example is an app that goes onto the users phone and they get a popup asking them to approve or deny the request).  Solutions that rely on in-band support such as TXTing a code wont work.

 

The Azure solution is horrible.  I would avoid it if you can.

 

Never used RSA.

 

The DUO solution works great.

https://duo.com/docs/authproxy-reference 

In response to PhilipDAth
dromios
Getting noticed
‎Mar 2 2020 12:35 PM
‎Mar 2 2020 12:35 PM

I appreciate the response.  I work with RSA in a VDI environment and I know it's a pain.  DUO would be my option but we were trying to leverage existing products and I thought Azure would be my best bet.  They use Microsoft Authenticator already for MFA for Office 365, are you saying that there's a way to utilize radius and hook them up with a code?  If so, I haven't been able to find it.  Is it an NPS extension?

0 Kudos
In response to dromios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 12:41 PM
‎Mar 2 2020 12:41 PM

You can't use a code.  If you use Microsoft Authenticator you have to use the push notification method.  You have to use the NPS extension.

 

Common problems with using the NPS extension:

  • Zero debugging.  If it doesn't work there are no logs to look at.
  • One day in a year if you have a certificate expire it will simply stop working.  Nothing will get logged.  You'll spend ages on it trying one thing and then another.
  • It can be slow to send through the push notification.  Sometimes the client VPN will timeout if the user can not respond to the prompt fast enough.

 

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 12:54 PM
‎Mar 2 2020 12:54 PM

We use RSA but not with Meraki, it works very well for us with only one or two issues in over six years. 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
dromios
Getting noticed
‎Mar 2 2020 12:58 PM
‎Mar 2 2020 12:58 PM

It seems to work great when it's set up and working, I was using something called a VMware Universal Access Gateway to tie into RSA.  I don't have much experience with it outside of that.  The appliance won't key with the endpoint.  A different headache for a different day.

0 Kudos
In response to PhilipDAth
dromios
Getting noticed
‎Mar 2 2020 12:59 PM
‎Mar 2 2020 12:59 PM

Would you happen to know where I would get that extension to push notifications to Microsoft Authenticator?  I've been googling around and can't find any documentation on it.

0 Kudos
In response to dromios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 1:09 PM
‎Mar 2 2020 1:09 PM

It's just the standard NPS extension.

 

Perhaps I'm wrong - maybe it does use the code and you enter that instead of the password.  I'm reasonably confident you need to use push notifications though and that is configured between the NPS extension and Azure.  I think you just make the "push" notification the default for the user.

In response to PhilipDAth
dromios
Getting noticed
‎Mar 2 2020 3:09 PM
‎Mar 2 2020 3:09 PM

I apologize for my ignorance, you mean the ability is just built into NPS.  It's not the Azure extension or another extension?

0 Kudos
In response to dromios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 2 2020 3:17 PM
‎Mar 2 2020 3:17 PM

If you want to use the Microsoft Authenticator with VPN you must use the NPS extension.

In response to PhilipDAth
dromios
Getting noticed
‎Mar 4 2020 6:36 AM
‎Mar 4 2020 6:36 AM

@PhilipDAthto verify you are speaking specifically about the Azure extension.  I was just confused because you said it was horrible.  I thought you were implying that was an alternate way to do MFA using the authenticator without that extension.

0 Kudos
In response to dromios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 4 2020 10:34 AM
‎Mar 4 2020 10:34 AM

> verify you are speaking specifically about the Azure extension.  I was just confused because you said it was horrible.  I thought you were implying that was an alternate way to do MFA using the authenticator without that extension.

 

I was talking about the NPS extension.  It is horrible.  And it is the only way if you want to use the Microsoft Authenticator method.

In response to PhilipDAth
dromios
Getting noticed
‎Mar 4 2020 10:55 AM
‎Mar 4 2020 10:55 AM

Okay, thank you for the clarifcation and your patience while I stumble through this ugly process 😛 You've been a real help.
0 Kudos
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 2 2020 6:41 PM
‎Mar 2 2020 6:41 PM

@dromios 

 

It's really up the radius server to allow the device to connect to the client vpn or not. As long as the radius server sends the MX an access-accept is what the MX is looking for. The radius session will expire after three retries of five seconds each or 15 total seconds of inactivity. So if your radius server can't process the multi-factor authentication fast enough then it will time out on the MX. 

 

Support can change both the timeout (5 seconds) and retry (3 attempts) on the MX. If you reference this kb to Support, they'll be able to make the changes to the timeout and retries. 

 

Edit: typos

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.