VPN CLIENTS MX WITH ACTIVE DIRECTORY

Fernando_R
Comes here often

I would like to know if anyone is trying to validate VPN clients (SSL) in an MX with an AD, assigning permissions according to the profile configured in the AD? In the Meraki documentation, it is stated that this would not be possible, which suggests to me a very important security vulnerability, once a client is connected.
Is it possible to link the AD configuration carried out in the VPN clients section with the policy profiles in the AD section? 
Lic. Fernando Rossato
KarstenI
Kind of a big deal

If you want to assign differentiated permissions to VPN clients, your AnyConnect-users have to be authenticated with RADIUS (which in turn can use AD). The RADIUS server can return the name of a group-policy that restricts the users access.
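As an added illustration of the RADIUS-returns-a-group-policy mechanism described above (this is example configuration, not from the thread, Meraki or any project), here is a FreeRADIUS 3.x `users` file fragment. It assumes the `ldap` module is already configured against the AD domain so that `LDAP-Group` can be checked, that the MX is the NAS, and that the MX applies the group policy whose name arrives in the `Filter-Id` reply attribute; the group DNs and policy names are constructed placeholders, and the attribute the MX expects should be confirmed against the dashboard's AnyConnect settings.

```text
# FreeRADIUS 3.x  /etc/raddb/users  (example, constructed for this thread)
#
# Each entry: check items on the first line, reply items indented below.
# Processing stops at the first match unless Fall-Through = Yes, so the
# most privileged group is listed first and a catch-all Reject is last.

# AD group -> MX group policy "VPN-Admins" (full access)
DEFAULT  LDAP-Group == "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
         Filter-Id := "VPN-Admins",
         Reply-Message = "VPN access: admin policy",
         Fall-Through = No

# AD group -> MX group policy "VPN-Users" (restricted access)
DEFAULT  LDAP-Group == "CN=VPN-Users,OU=Groups,DC=example,DC=com"
         Filter-Id := "VPN-Users",
         Reply-Message = "VPN access: standard policy",
         Fall-Through = No

# Deny by default: an AD account that authenticates but is in neither
# group gets Access-Reject rather than an unscoped tunnel.
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not authorized for VPN"
```

The security point is the last entry: without an explicit catch-all, any valid AD account the MX can authenticate would land in the default policy, which is exactly the "connected client gets everything" concern raised in the question. Whether the MX honours `Filter-Id` for AnyConnect group-policy selection, and which policy name strings it expects, must be verified against the dashboard configuration before relying on this mapping.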

alemabrahao
Kind of a big deal

I agree with @KarstenI. I think one good option is PacketFence; it's an open-source NAC.

https://www.packetfence.org/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Fernando_R
Comes here often

Thanks to both! The access will not be via AnyConnect, but the native VPN of the device that the user has. Would it still work with RADIUS? I cannot force a client to have RADIUS, but I can propose it, although I find the change difficult. It should be resolved by Meraki.
Lic. Fernando Rossato
KarstenI
Kind of a big deal

No, this will not be possible with the native client (which uses IPsec btw and not SSL/TLS). And do yourself a favour and go for AnyConnect for a highly reduced amount of grey hair ...

It's an option, but it was mentioned a while ago that this could come at a cost.
Lic. Fernando Rossato
KarstenI
Kind of a big deal

Yes, it is typically a subscription. But not that expensive, and with the highly reduced support effort it will save money in the end.
