VPN with certificate

New here


Hi, I'm new to the MX platform.


I'd like to have two VPN profiles:


1. For company managed (domain joined) laptops I'd like to use a certificate plus 2FA and allow full access to the internal network.

2. For BYOD (personal computers, etc.) I'd like to use 2FA and allow only HTTP and RDP access to the internal network.


Note - some users would want to connect using both methods.


Is this possible?

Kind of a big deal

Take a look at this:



But I don't think you will achieve everything you want.

Kind of a big deal

For all of these very special VPN requirements, I would always add an additional ASA or FTD to the network. Although AutoVPN is great, all the other VPN features are quite limited on the MX.

Kind of a big deal

I don't know the answer.


You will have to use Cisco AnyConnect for this.



I think this can be achieved - but it is going to be expensive.  You want to perform authentication and authorisation based on both the user and device.

This screams Cisco ISE.  I think you would need to also use the AnyConnect Posture module.


You could configure two profiles in Cisco ISE to look up the user and analyse the device they are on, and return a Filter-Id attribute to the MX to say which group policy to apply (which specifies the access restriction).


I suspect it would almost be cheaper to buy two MXs - one for each VPN case.  Use AnyConnect with SAML.  Let's pretend you have Office 365 or Azure AD and a subscription that includes "Azure AD Premium P1".  You would have AnyConnect authenticate against Office 365.  You would configure Azure CBA (certificate based authentication):

Then create a conditional access policy requiring both CBA and MFA.


For the second case, on the second MX, you would also use AnyConnect SAML with Office 365 authentication (still requires "Azure AD Premium P1").  This time you could configure a conditional access policy to require MFA.  On the MX you would configure a default group policy for these users that only permitted HTTP and RDP access.


There is a feature in the works that would allow both of these on a single MX but that could easily be a year away from release.



Thinking sideways - another [simpler] way to do this would be using Cisco Duo on the Beyond plan.  You would connect the first case (using AnyConnect) to Cisco Duo using SAML.  You wouldn't need to use certificates.  With Duo you can simply test if a computer is a member of your Active Directory or joined to your Intune (*so* much simpler than using certificates).  You can also manually authorise computers and devices allowed to access.


For the second case, you would deploy the "Duo Network Gateway".  This allows you to deploy a virtual appliance that provides HTTP and RDP (and some other things) access to internal resources via a web front end.  Of course it uses Duo MFA.  Much safer for the BYOD case.  BYOD machines would have zero IP access to internal servers.


