I'm using AD authentication for VPN so that users can enter their AD credentials to connect to VPN. I also have 3 VLANs on my network, VLANs 2, 3, 4. VLAN 2 can access everything, VLAN 4 can access everything except VLAN 3. The problem is that when users connect to VPN, they can access all VLANs. I was wondering, if I follow the steps below and a member of VLAN 4 connects to VPN, will they only have access under the VLAN 4 rules (access everything except for VLAN 3)?
I haven't tried this yet, but would this only work for WiFi, or would this also work for VPN? I have my RADIUS client on the NPS as VLAN 2 (172.16.0.1), if I add the VLAN 4 (172.16.128.1) as a RADIUS client, would it work also?
I have not tested this.
But I'd be surprised if it worked. The client VPN says "is this user authorized?" and then grants access to the VPN based off the response.
Once the user has access, I'm pretty sure it's L3 forever, so they have access to any subnet on that MX unless you firewall between the VPN subnet and the other local subnet.
If you firewall it, then you're going to have all client VPN users affected.
Meraki is not good in this area. Poor in fact.
The closest you'll be able to manage is to manually apply a group policy to the VPN user after they have connected once.