VPN - User restrictions

HarryCarter
Conversationalist

VPN - User restrictions

Dear Community,

 

We have Active Directory enabled on our Meraki environment. 

 

Before this, we gave VPN access via creating accounts for who needed it. 

 

Now everyone with an AD account seems to have access to authenticate. 

 

I have 2 questions - 

 

How do we restrict which users can authenticate with this?

 

Can we use group policy to apply layer 3 firewall rules per "user"? (I can only see a way to do this per "client")

 

Thanks for your help in advance.

2 Replies 2
Nash
Kind of a big deal

I strongly recommend using NPS or another RADIUS server instead of using the Active Directory sync for client VPN. NPS is especially easy if you've already got an AD environment. 

 

You tell RADIUS which group gets access to the VPN, then you're off to the races.

 

If your users already belong to groups (such as IT, Accounting, HR...), then add those groups to your VPN users group. It's easier to maintain in the long run versus adding individual users.

 

If you don't use RADIUS, you have to modify your AD groups so your ldap admin only has read permissions on groups containing your authorized users. This is annoying and I do not recommend it.

Roger_Beurskens
Building a reputation

If possible you really want to go the Radius way.

 

When using NPS, you can pretty easy use MFA through Microsoft 365 with AD sync.

I also see this is as a big plus.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels