Currently we use the built-in Windows Client VPN and it works, HOWEVER I would love for Meraki to integrate Cisco AnyConnect into their MX (along with many customers, I'm sure).
We use VRRP so our VIP has a DNS name and I provided our users with directions.
We tied our AD to the VPN so all the users already know the login name and password.
Out of 50 users only 5 couldn't follow directions. You can also automate it via a GPO or PowerShell.
Something like the below:
$ServerAddress = "vpn.domain.com"
$ConnectionName = "Corp VPN"
$PresharedKey = "MakeALongKey"
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -AllUserConnection -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force
The one thing to keep in mind about using AD for VPN Authentication is that there is no restriction or way to restrict who has a VPN account. So if you have a user called breakroom with password breakroompassword that is instantly a VPN account.
To avert this you might want to look into some Group Filters with AD. Like here. This is technically intended for Wi-Fi but can be used to filter groups accordingly. You can also use the Meraki Cloud as the login method if you do not mind VPN users having a 2nd username/password just for VPN.
I personally hope that Meraki makes the VPN similar to the ASA as that is by far the best VPN I've used in 14 years. I know that Meraki is working on it. I ask all the time.
What OS are you using, just Windows 10?
We are still running Windows 7 so this PowerShell command unfortunately is available.
We use the native OS VPN clients on Windows & Mac. We will potentially deploy AnyConnect when support is added, but honestly we don't have any major problems on either platform.
We use a PowerShell script on Windows to create the connection for users who need it. We also use RADIUS for client VPN auth so the issues @NetworkingGuy mentioned aren't a problem for us. If you're not in a specific AD security group, you don't get VPN access.
Interesting. I think that the ASA does something similar and I ended up using an NPS server to get the ASA VPN going. Did you do something similar or are you talking about some FreeRADIUS?
I now feel like a fool for not thinking more about RADIUS as a method for authentication here. I'll be messing around with this more tomorrow for sure as I need a more streamlined way than what I'm doing now. =P And, NPS is much better.
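The point raised earlier in the thread, that with plain AD authentication every enabled account doubles as a VPN account, can be measured before moving to RADIUS group filtering. The script below is an added example, not from any poster in this thread; it assumes the RSAT ActiveDirectory module is installed, and the group name VPN-Users is hypothetical.

```powershell
# Added example: list enabled AD accounts that are NOT in the intended VPN group.
# Under plain AD authentication, each of these accounts can still log in to the VPN.
# Assumptions: RSAT ActiveDirectory module; 'VPN-Users' is a hypothetical group name.
Import-Module ActiveDirectory

$VpnGroup = 'VPN-Users'   # hypothetical security group meant to gate VPN access

# Build a lookup of SIDs that are supposed to have VPN access.
# -Recursive makes members of nested groups count as well.
$allowed = @{}
Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[$_.SID.Value] = $true }

# Every enabled account outside that group is unintended VPN exposure.
# Oldest passwords first: shared or service-style accounts tend to surface at the top.
$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Where-Object { -not $allowed.ContainsKey($_.SID.Value) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Sort-Object PasswordLastSet

$report | Format-Table -AutoSize

"{0} enabled accounts outside '{1}' can authenticate to the VPN under plain AD auth" -f `
    @($report).Count, $VpnGroup
```

Accounts in the output with PasswordNeverExpires set or a very old PasswordLastSet are the shared "breakroom"-style logins worth disabling or excluding first.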