I would like to know if anyone is trying to validate VPN clients (SSL) in an MX with an AD, assigning permissions according to the profile configured in the AD? In the Meraki documentation, it is stated that this would not be possible, which suggests to me a very important security vulnerability, once a client is connected.
Is it possible to link the AD configuration carried out in the VPN clients section with the policy profiles in the AD section?
If you want to assign differentiated permissions to VPN clients, your AnyConnect users have to be authenticated with RADIUS (which in turn can use AD). The RADIUS server can return the name of a group policy that restricts the user's access.
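As an added illustration of the approach above (not from the original thread or from any vendor documentation), a FreeRADIUS `users`-file fragment that maps AD group membership to a returned policy name and rejects anyone who is in no mapped group, so a successful password alone never yields the default access. The group DNs and policy names are constructed; that the MX takes the group-policy name from the standard Filter-Id attribute is an assumption to confirm against the Meraki documentation.

```text
# FreeRADIUS /etc/raddb/mods-config/files/authorize (constructed example)
# Requires the ldap module to be configured against AD so that the
# LDAP-Group check item resolves group membership for the user.

# Staff in the finance group get the restrictive finance policy.
DEFAULT  LDAP-Group == "CN=VPN-Finance,OU=Groups,DC=example,DC=com"
         Filter-Id = "VPN-Finance-Policy",      # assumed to name the MX group policy
         Fall-Through = No

# Contractors get a policy that only reaches the systems they support.
DEFAULT  LDAP-Group == "CN=VPN-Contractors,OU=Groups,DC=example,DC=com"
         Filter-Id = "VPN-Contractor-Policy",   # assumed to name the MX group policy
         Fall-Through = No

# Deny by default: a valid AD account that is in no VPN group is rejected
# instead of being connected with whatever the MX applies when no policy is returned.
DEFAULT
         Auth-Type := Reject,
         Reply-Message = "Account is not a member of any VPN access group"
```

Order matters: the entries are evaluated top to bottom, and `Fall-Through = No` stops processing at the first matching group so that the catch-all reject is only reached by users who matched nothing.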
I agree with @KarstenI, I think one good option is PacketFence, it's an open-source NAC.
Thanks to both! The access will not be via AnyConnect, but via the native VPN client of the user's device. Would it still work with RADIUS? I cannot force a client to have RADIUS, but I can propose it, although I find the change difficult. It should be resolved by Meraki.
No, this will not be possible with the native client (which uses IPsec btw and not SSL/TLS). And do yourself a favour and go for AnyConnect for a highly reduced amount of grey hair ...
It's an option, but it was mentioned a while ago that this could come at a cost.
Yes, it is typically a subscription. But not that expensive, and with highly reduced support effort it will save money in the end.