Meraki

Community

VPN CLIENTS MX WITH ACTIVE DIRECTORY

Fernando_R
Comes here often
‎Jan 25 2023 6:58 AM
‎Jan 25 2023 6:58 AM

VPN CLIENTS MX WITH ACTIVE DIRECTORY

 

I would like to know if anyone is trying to validate VPN clients (SSL) in an MX with an AD, assigning permissions according to the profile configured in the AD? In the Meraki documentation, it is stated that this would not be possible, which suggests to me a very important security vulnerability, once a client is connected.
Is it possible to link the AD configuration carried out in the VPN clients section with the policy profiles in the AD section?
Lic. Fernando Rossato
Labels:
0 Kudos
6 Replies 6
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 7:30 AM
‎Jan 25 2023 7:30 AM

If you want to assign differentiated permissions to VPN clients, your AnyConnect-users have to be authenticated with RADIUS (which in turn can use AD). The RADIUS server can return the name of a group-policy that restricts the users access.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 8:10 AM
‎Jan 25 2023 8:10 AM

I agree with @KarstenI, I think one good opition is the PacketFence, It's open source NAC.

 

https://www.packetfence.org/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Fernando_R
Comes here often
‎Jan 25 2023 8:16 AM
‎Jan 25 2023 8:16 AM

 

Thanks to both! The access will not be via anyconnect, but native VPN of the device that the user has. Would it still work with Radius? I cannot force a client to have Radius, but I can propose it, although I find the change difficult. It should be resolved by Meraki.
Lic. Fernando Rossato
0 Kudos
In response to Fernando_R
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 8:19 AM
‎Jan 25 2023 8:19 AM

No, this will not be possible with the native client (which uses IPsec btw and not SSL/TLS). And do yourself a favour and go for AnyConnect for a highly reduced amount of grey hair ...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
Fernando_R
Comes here often
‎Jan 25 2023 8:23 AM
‎Jan 25 2023 8:23 AM 

It's an option, but it was mentioned a while ago that this could come at a cost.
Lic. Fernando Rossato
0 Kudos
In response to Fernando_R
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 8:24 AM
‎Jan 25 2023 8:24 AM

Yes, it is typically a subscription. But not that expensive and with highly reduces support effort it will save money in the end.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.