Windows RADIUS VPN

tantony
Head in the Cloud

Windows RADIUS VPN

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

 

I'm using AD authentication for VPN so that users can enter their AD credential to connect to VPN.  I also have 3 VLANs on my network, VLANs 2,3,4.  VLAN 2 can access everything, VLAN 4 can access everything except VLAN 3.  The problem is that when users connect to VPN, they can access all VLANs.  I was wondering if I follow the steps below, if a member of VLAN 4 connects to VPN, they will only have access to VLAN 4 rules (access everything except for VLAN 3)?

 

I haven't tried this yet, but would this only work for WiFi, or would this also work for VPN?  I have my RADIUS client on the NPS as VLAN 2 (172.16.0.1), if I add the VLAN 4 (172.16.128.1) as a RADIUS client, would it work also?

 

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_18.html

 

6 REPLIES 6
Nash
Kind of a big deal

I have not tested this.

 

But I'd be surprised if it worked. The client VPN says "is this user authorized?" and then grants access to the VPN based off the response.

 

Once the user has access, I'm pretty sure it's L3 forever, so they have access to any subnet on that MX unless you firewall between the VPN subnet and the other local subnet.

 

If you firewall it, then you're going to have all client VPN users affected.

tantony
Head in the Cloud

I'm going to try this later, and update.

PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki is not good in this area.  Poor in fact.

 

Those closest you'll be able to manage is to manually apply a group policy to the VPN user after they have connected once.

So there’s no way to apply VLAN after user connect to VPN?  Any third party software or add on or scripts?

PhilipDAth
Kind of a big deal
Kind of a big deal

Nothing.

Ok thanks. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels