setup meraki and azure mfa

franco2018
Comes here often


How do I set up a Meraki VPN to authenticate against an Azure MFA on-prem server?

PhilipDAth
Kind of a big deal

You need to deploy Microsoft NPS on-premise, then install the Azure MFA plug-in into NPS. Then you can point the MX to the NPS RADIUS server to do the client VPN authentication.

I'm trying to set up the MFA server with Meraki.

I set it up as a RADIUS server pointing to Meraki, then I pointed Meraki to it, and it gives me the error "a RADIUS message was received from an invalid RADIUS client IP", which points to the Meraki.

The MFA server is very simple to configure; you just need to enable RADIUS and point it to the firewall. What am I missing?

I do not want to use the extension for NPS since, first, it does not work and, second, it is very limited.

 

You don't point the MFA server at the firewall.

You add the MX as a client of the RADIUS server. Also, you will need the client configured to use push notifications.

Any steps on how to get this configured?

There's not much online.

The reason why there isn't much is that Microsoft have only made a half-hearted effort at providing MFA outside of the core Office 365 family of products.

You might want to consider one of the more serious MFA providers like Duo.

I need to authenticate against Azure users or Windows AD. Does Duo do that, and is it free? (I prefer Azure logins.)

No, it is not free, but it is a fully fledged MFA.

Great to hear. I will keep it in mind.

If anyone knows the steps for the NPS and MFA server configuration, I would greatly appreciate it.

I found out that Duo is a cloud-based solution, therefore we cannot use it in our environment.

I need an on-prem solution or steps for the NPS/MFA server, please.

 

> I found out that Duo is a cloud-based solution, therefore we cannot use it in our environment.

@franco2021 you realise Microsoft MFA is cloud based? You have an on-premise NPS server, but it can't process MFA logins without using the Microsoft Cloud. All MFA processing is done in the cloud.

@PhilipDAth 

I should clarify the difference between Azure and DUO.

In our environment, we work closely with Microsoft and trust them with a cloud solution.

DUO we have never heard of. I am sure they're a great company, but they are not on our trusted vendors list.

It's too long of a story who gets in and who does not get in, but they do not meet our requirements to be trusted.

That said, I installed MFA on Windows 2016, pointed it to the firewall, and it solved the issue.

It seems Windows 2016 does not install NPS when you install the MFA server, which the OS version below does, and that may have been the issue.


@franco2018 the MFA on premise doesn't need the NPS service; you only have to activate RADIUS authentication. In the client list, add the public IP of your service in Cisco Meraki (there is a big list, but if you capture the packets in your firewall you will notice that the request always arrives from the same IP).

In the second tab of RADIUS authentication, select Windows domain (the first option); with that your RADIUS will work without NPS.

Any steps on how to get this configured? There's not much documentation online.

franco2021
Just browsing

Does anyone have step-by-step instructions on how to get this configured? There's not much online.

 

Thanks in advance

Hi,

 

Recently I did it with Azure MFA on premise; it is very simple.

At first you have to follow the steps here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

After that, you enable the RADIUS server with Windows authentication. You have to publish your server with a public IP (you can do it with a virtual IP redirect in your firewall).

In your Meraki SSID, in the splash page option, configure the RADIUS server with the public IP that you configured and the port.

After that you have to request that Cisco set the splash timeout to 15 seconds; you can open a case, because that is done in the background.

For the login, at least in my case, I have to use the complete user and domain for login: usuario@empresa.com, and for the MFA I'm using the app.

 

Hope it works for you.
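The point that PhilipDAth's reply (add the MX as a client of the RADIUS server) and the last two posts (register the public IP that Meraki sends from, then publish the MFA server's RADIUS port) both turn on is that a RADIUS server silently drops any Access-Request from a source IP it has no client entry for; that is the "invalid RADIUS client IP" error at the top of the thread, and a wrong shared secret shows up differently, as a reject. The script below is an added example, not code from any poster, from Microsoft or from Meraki: it builds an RFC 2865 Access-Request with the User-Password hidden the way a NAS would, then runs it through a minimal server-side check in the order a real server applies it. The client table, IP addresses, shared secret and user entry are constructed placeholders.

```python
import hashlib
import secrets
import struct

# Constructed client table: NAS source IP -> shared secret. In the thread's setup this
# would hold the public IP the MX (or the Meraki cloud) sends RADIUS from. Placeholders.
RADIUS_CLIENTS = {
    "203.0.113.10": b"placeholder-shared-secret",
}

# Constructed user store standing in for the Windows domain / MFA user lookup.
USERS = {"usuario@empresa.com": b"correct horse battery staple"}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. The server needs the same shared secret to recover the
    cleartext, so a secret mismatch yields a garbage password, not a protocol error."""
    if len(hidden) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """What the NAS (the MX) sends: Code, Identifier, Length, 16-byte Authenticator, TLV attributes."""
    authenticator = secrets.token_bytes(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    """TLV walk over the attribute area; rejects lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def handle_access_request(src_ip: str, packet: bytes) -> str:
    """Server side. The first check is the one behind the thread's error message:
    an unregistered source IP is discarded before any credential is looked at."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return f"DISCARD: no RADIUS client configured for {src_ip}"
    if len(packet) < 20:
        return "DISCARD: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "DISCARD: bad header"
    authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    expected = USERS.get(username)
    if expected is not None and secrets.compare_digest(expected, password):
        return "ACCESS-ACCEPT"  # a real MFA server would send the push notification here
    return "ACCESS-REJECT"


if __name__ == "__main__":
    good = build_access_request("usuario@empresa.com", "correct horse battery staple",
                                b"placeholder-shared-secret")
    print(handle_access_request("203.0.113.10", good))  # ACCESS-ACCEPT
    print(handle_access_request("198.51.100.7", good))  # DISCARD: no RADIUS client configured for 198.51.100.7
```

The order of the checks is the useful part: client lookup by source IP comes before anything else, which is why franco's server logged an invalid-client error rather than a failed login, and why the later advice to capture the firewall traffic and register the IP the requests actually arrive from is the right fix. The same table also shows why publishing the RADIUS port to the internet only makes sense when the client list is limited to the handful of source addresses that should ever reach it.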
