VPN with certificate

jp3y
New here

VPN with certificate

Hi, I'm new to the MX platform.

 

I'd like to have two VPN profiles:

 

1. For company managed (domain joined) laptops I'd like to use a certificate plus 2FA and allow full access to the internal network.

2. For BYOD (personal computers, etc.) I'd like to use 2FA and allow only HTTP and RDP access to the internal network.

 

Note - some users would want to connect using both methods.

 

Is this possible?

3 REPLIES 3
alemabrahao
Kind of a big deal
Kind of a big deal

Take a look on this:

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies 

 

But I don't think you will achieve all what you want.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal
Kind of a big deal

For all of these very special VPN requirements, I would always add an additional ASA or FTD to the network. Although AutoVPN is great, all the other VPN features are quite limited on the MX.

PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer.

 

You will have to use Cisco AnyConnect for this.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

 

I think this can be achieved - but it is going to be expensive.  You want to perform authentication and authorisation based on both the user and device.

This screams Cisco ISE.  I think you would need to also use the AnyConnect Posture module.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/gui... 

You could configure two profiles in Cisco ISE to look up the user and analyse the device they are on, and return a Filter-Id attribute to the MX to say which group policy to apply (which specifies the access restricton).

 

I suspect it would almost be cheaper to buy two MXs - one for each VPN case.  Use AnyConnect with SAML.  Lets pretend you have Office 365 or Azure AD and a subscription that includes "Azure AD Premium P1".  You would have AnyConnect authenticate against Office 365.  You would configure Azure CBA (certificate based authentication):
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-au...

Then create a conditional acces spolicy requiring both CBA and MFA.

 

For the second case, on the second MX, you would also use AnyConnect SAML with Office 365 authentication (still requires "Azure AD Premium P1").  This time you could configure a conditional access policy to require MFA.  On the MX you would configure a default group policy for these users that only permitted HTTP and RDP access.

 

There is a feature in the works that would allow both of these on a single MX but that could easily be a year away from release.

 

 

Thinking sideways - another [simpler] way to do this would be using Cisco Duo on the Beyond plan.  You would connect the first case (using AnyConnect) to Cisco Duo using SAML.  You wouldn't need to use certificates.  With Duo you can simply test if a computer is a member of your Active Directory or joined to your Intune (*so* much simpler than using certificates).  You can also manually authorise computers and devices allowed to access.

 

For the second case, you would deply the "Duo Network Gateway".  This allows you to deploy a virtual appliance that provides HTTP and RDP (and some other things) access to internal resources via a web front end.  Of course it uses Duo MFA.  Much safer for the BYOD case.  BYOD machines would have zero IP access to internal servers.

https://duo.com/docs/dng

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels