Windows RADIUS VPN

A model citizen

https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

 

I'm using AD authentication for VPN so that users can enter their AD credentials to connect to VPN. I also have 3 VLANs on my network, VLANs 2, 3, 4. VLAN 2 can access everything, VLAN 4 can access everything except VLAN 3. The problem is that when users connect to VPN, they can access all VLANs. I was wondering, if I follow the steps below and a member of VLAN 4 connects to VPN, will they only have access to VLAN 4 rules (access everything except for VLAN 3)?

 

I haven't tried this yet, but would this only work for WiFi, or would this also work for VPN? I have my RADIUS client on the NPS as VLAN 2 (172.16.0.1); if I add VLAN 4 (172.16.128.1) as a RADIUS client, would it work also?

 

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_18.html
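What the linked NPS write-up actually puts on the wire for VLAN assignment is a set of RFC 2868 tunnel attributes in the Access-Accept. The following is an added example, not code from this thread, from Meraki or from NPS: it builds and decodes just the attribute section of such a reply (no RADIUS header or authenticator) so you can check what your NPS policy sends; whether the NAS applies the VLAN is up to the NAS, which is exactly what the question above is asking about the MX client VPN.

```python
import struct

# RFC 2868 attribute types used for dynamic VLAN assignment
TUNNEL_TYPE = 64              # integer, tagged: 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # integer, tagged: 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string, tagged: the VLAN ID as text
VLAN = 13
IEEE_802 = 6


def encode_tagged_int(attr_type, tag, value):
    # type, length (always 6), tag byte, 3-byte big-endian value
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    data = text.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vlan_id, tag=0):
    """Attribute bytes an NPS network policy would send to place a user in vlan_id (constructed sample)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(buf):
    """Walk RADIUS attribute TLVs; return a list of (type, tag, value)."""
    out, i = [], 0
    while i < len(buf):
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        body = buf[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((atype, body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is data, not a tag
            if body[0] > 0x1F:
                out.append((atype, None, body.decode("ascii")))
            else:
                out.append((atype, body[0], body[1:].decode("ascii")))
        else:
            out.append((atype, None, bytes(body)))  # other attributes pass through untouched
        i += alen
    return out


def assigned_vlan(buf):
    """VLAN a NAS honouring RFC 2868 would apply, or None if the reply lacks a complete VLAN triple."""
    by_tag = {}
    for atype, tag, value in parse_attributes(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag or 0, {})[atype] = value  # attributes are grouped by tag
    for triple in by_tag.values():
        if (triple.get(TUNNEL_TYPE) == VLAN and triple.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in triple):
            return int(triple[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

A reply that carries only Tunnel-Private-Group-ID, or whose three attributes carry different tags, decodes to no VLAN, which is the first thing to check when NPS appears to "send the VLAN" but nothing changes.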

 

6 REPLIES
Head in the Cloud

Re: Windows RADIUS VPN

I have not tested this.

 

But I'd be surprised if it worked. The client VPN says "is this user authorized?" and then grants access to the VPN based off the response.

 

Once the user has access, I'm pretty sure it's L3 forever, so they have access to any subnet on that MX unless you firewall between the VPN subnet and the other local subnet.

 

If you firewall it, then you're going to have all client VPN users affected.

A model citizen

Re: Windows RADIUS VPN

I'm going to try this later, and update.

Kind of a big deal

Re: Windows RADIUS VPN

Meraki is not good in this area. Poor, in fact.

 

The closest you'll be able to manage is to manually apply a group policy to the VPN user after they have connected once.

A model citizen

Re: Windows RADIUS VPN

So there's no way to apply a VLAN after a user connects to VPN? Any third-party software, add-on or scripts?

Kind of a big deal

Re: Windows RADIUS VPN

Nothing.

A model citizen

Re: Windows RADIUS VPN

OK, thanks.
