Using different authentication for different device; Active directory vs Meraki User Authentication

Solved
from_afar
Building a reputation

We have a small setup with one hub and one spoke SD-Wan location. We tunnel all and people also use AnyConnect to VPN into the hub when working from home. We use the inbuilt Meraki Cloud authentication for users for VPN auth. We also have Umbrella up and running. I wanted to do some experimenting with Active Directory integration. I have set up client VPN on both devices (MX98 LAN, MX68 SD-Wan location) as I have to remote in to the SD-Wan location sometimes to help debug stuff. I'm the only one who uses that connection; everyone else is either on the LAN, SD-Wan or AnyConnect -> LAN when working from home.


I noticed when setting things up that when I added a user, it was automatically also created at the SD-Wan location, i.e. when I added a user in MX98 > Security & SD-Wan > Client VPN > AnyConnect Settings > User Management, it would automatically appear in User Management on the MX68.


My question is: would it be possible to test Active Directory settings just on the MX68? Or if I turn on/configure AD on the MX68, will those settings automatically propagate to the MX98 like the users do?

1 Accepted Solution
GIdenJoe
Kind of a big deal

Each MX network can have its own VPN authentication method.
The only thing that gets replicated are Meraki cloud users. So if you use two MXes with Meraki cloud auth, those users will show up on both networks, but you have to authorize them for both networks separately.

However, if you use AD auth on one network, RADIUS on another network and SAML on yet another, that is all possible.


4 Replies
from_afar
Building a reputation

Thanks very much for the reply. This is a bit confusing to me (sorry), since the SD-Wan location is *supposed* to be part of the LAN. We are using the "single LAN" setting as well, but I think, as you said, they are still technically separate networks? It looks like it, because I see what you mean about needing to authorize the cloud users separately.

GIdenJoe
Kind of a big deal

Each Meraki network is a logical container. Inside one network you can only have a single MX, or two MXes acting as an active/passive HA pair.

Each logical container has its own client VPN configuration. That does mean that each separate client VPN config on an MX has its own IP subnet, which you need to enable on the SD-WAN fabric to be able to communicate with shared resources. And indeed each of these configs has its own authentication method and, in the case of Meraki authentication, its own set of users that are authorized for VPN.
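The practical consequence of the above is that a Meraki cloud user can exist on every MX network while being authorized for client VPN on only some of them. The following is an added example (not code from this thread, and not Cisco Meraki's own tooling) that audits exactly that: which users are authorized on which network, and which users hold VPN access on one network but not another. It runs offline over constructed sample data; the record layout (per-user `email`, `accountType` and an `authorizations` list with `authorizedZone` and `expiresAt`) is an assumption modelled on the Dashboard API response for `GET /networks/{networkId}/merakiAuthUsers`, and the network names and e-mail addresses are made up.

```python
"""Audit per-network client VPN authorizations for Meraki cloud-authentication users.

Added example, not code from the thread. Cloud users are replicated across
networks, but authorization is granted per network, so the question worth
asking is: on which MX networks is each user actually allowed to connect?

Assumption: each user record follows the shape of the Dashboard API response
for GET /networks/{networkId}/merakiAuthUsers (fields "email", "accountType",
"authorizations" -> "authorizedZone", "expiresAt"). All data below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample: two MX networks, as in the thread (hub and SD-WAN spoke).
SAMPLE = {
    "HQ-MX98": [
        {"email": "alice@example.org", "accountType": "Client VPN",
         "authorizations": [{"authorizedZone": "Client VPN", "expiresAt": "Never"}]},
        {"email": "bob@example.org", "accountType": "Client VPN",
         "authorizations": [{"authorizedZone": "Client VPN",
                             "expiresAt": "2021-01-01T00:00:00Z"}]},  # expired
        {"email": "carol@example.org", "accountType": "Client VPN",
         "authorizations": []},  # replicated, never authorized here
    ],
    "Branch-MX68": [
        {"email": "alice@example.org", "accountType": "Client VPN",
         "authorizations": []},  # replicated, never authorized here
        {"email": "bob@example.org", "accountType": "Client VPN",
         "authorizations": [{"authorizedZone": "Client VPN", "expiresAt": "Never"}]},
        {"email": "carol@example.org", "accountType": "Client VPN",
         "authorizations": []},
    ],
}

# Fixed "now" so the audit is reproducible; replace with datetime.now(timezone.utc) in use.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _expired(expires_at, now):
    """Meraki reports permanent authorizations as the string "Never"."""
    if expires_at == "Never":
        return False
    ts = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return ts <= now


def vpn_authorized(user, now):
    """True if the user holds an unexpired authorization for the Client VPN zone."""
    return any(a.get("authorizedZone") == "Client VPN" and not _expired(a["expiresAt"], now)
               for a in user.get("authorizations", []))


def audit(networks, now=AS_OF):
    """Return {network: {"authorized": set, "unauthorized": set}}.

    "unauthorized" is the case the thread describes: the replicated user exists
    on the network but was never authorized there (or the authorization expired).
    """
    report = {}
    for name, users in networks.items():
        everyone = {u["email"] for u in users}
        ok = {u["email"] for u in users if vpn_authorized(u, now)}
        report[name] = {"authorized": ok, "unauthorized": everyone - ok}
    return report


def partial_access(report):
    """Users authorized on some networks but not others, mapped to the networks
    where they are missing: the usual surprise after adding a user on one MX
    and assuming the authorization applies everywhere."""
    out = {}
    for name, r in report.items():
        for email in r["unauthorized"]:
            elsewhere = {n for n, o in report.items()
                         if n != name and email in o["authorized"]}
            if elsewhere:
                out.setdefault(email, set()).add(name)
    return out


if __name__ == "__main__":
    rep = audit(SAMPLE)
    for net, r in rep.items():
        print(f"{net}: authorized={sorted(r['authorized'])} "
              f"unauthorized={sorted(r['unauthorized'])}")
    print("authorized on some networks only:", partial_access(rep))
```

To run this against a real organization you would call the listed endpoint once per MX network with your API key and feed the JSON lists into `audit()` in place of `SAMPLE`; the expiry handling matters because an expired authorization leaves the user visible in User Management while the VPN login fails.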

from_afar
Building a reputation

Got it, thanks, that is super helpful.


Seems to be working too, so I appreciate the help!
