Assign different Vpn group policies (without radius or AD)

Complit
Getting noticed


I was working on a project for a customer. We used a Meraki MX for multiple companies in this project. The big problem was that all VPN clients came in the same subnet. And if all the VPN clients (from different companies) wanted to get to their resources, I needed to open all subnets. Of course, this is a very big security problem.


I have solved this with the Meraki APIs. I look at the domain name of the email address and assign the right group policy with only rights to the subnet of his company. Maybe this is helpful for other companies.


If you want more details you can contact me on jonas@complit.be

3 REPLIES
Adam
Kind of a big deal

Thanks, sounds like a unique approach. I don't currently have a need for this but I'll keep this in mind for sure.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

That is a good solution for the moment.


One of the issues is you have to wait for them to login once via VPN before you can assign that group policy.

That's correct, but it's the best solution you can do for the moment I think. You can restrict the default vpn profile and run the script every minute.


It would be better if Meraki let you define a group policy when you create the VPN user. I'm pretty new to Meraki and I love it. But I was really disappointed when I found out this wasn't an option.

Here are the steps of my API script:

  1. Get all clients that connected in the last hour (api/v0/devices/)
  2. If the client has an IP address in the VPN subnet, I ask for more information (for example the email address) with the API api/v0/networks/$network_id/clients/$mac
  3. Check if the VPN client has the default group policy (normal); if so, I want to change this. (api/v0/networks/$network_id/clients/$mac/policy)
  4. Then I assign another group policy based on the domain name of their email address. (api/v0/networks/$network_id/clients/$mac/policy)
  5. In the dashboard you can assign new firewall rules to the VPN group policy you assigned. You can allow traffic from the VPN subnet to the subnet of the company.
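The five steps above, written out as a Python script. This is an added example for this thread, not the poster's own script; it calls the Dashboard API v0 paths named in the steps. The MX serial, network id, VPN pool (10.99.0.0/24), the domain-to-policy map and the JSON field names it reads (`ip`, `mac`, `user`, `type`, `devicePolicy`, `groupPolicyId`) are assumptions and constructed sample values, so check them against your own dashboard before running it. Clients whose email domain is not in the map are deliberately left on the restricted default policy, which is what makes the "run it every minute" approach safe: an unknown user never gets more than the default allows.

```python
"""Reassign Meraki client-VPN users to a per-company group policy by email domain.

Added example for this thread, not the poster's script. Field names, serial,
network id, VPN pool and the policy map are assumptions / constructed values.
"""
import ipaddress
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v0"

# Constructed sample mapping: email domain -> group policy id shown in the dashboard.
DOMAIN_TO_POLICY = {"companya.example": "101", "companyb.example": "102"}
VPN_SUBNET = ipaddress.ip_network("10.99.0.0/24")  # constructed client-VPN pool
DEFAULT_POLICY_TYPE = "Normal"  # step 3: the default policy every new VPN client lands on


def make_transport(api_key):
    """Return a callable (method, path, body) -> parsed JSON that talks to the v0 API."""
    def transport(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(BASE_URL + path, data=data, method=method)
        req.add_header("X-Cisco-Meraki-API-Key", api_key)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return transport


def email_domain(email):
    """Lower-cased part after the last '@', or None if the value is not an address."""
    if not email or "@" not in email:
        return None
    return email.rsplit("@", 1)[1].strip().lower() or None


def policy_for_email(email, domain_to_policy):
    """Group policy id for the user's company, or None for an unmapped domain."""
    return domain_to_policy.get(email_domain(email))


def in_vpn_subnet(ip, vpn_subnet):
    """True only for a syntactically valid address inside the client-VPN pool."""
    try:
        return ipaddress.ip_address(ip) in vpn_subnet
    except ValueError:
        return False


def reassign_vpn_clients(transport, serial, network_id, vpn_subnet=VPN_SUBNET,
                         domain_to_policy=DOMAIN_TO_POLICY, timespan=3600):
    """Run steps 1-4 once; returns [(mac, email, groupPolicyId)] for each client changed."""
    changed = []
    # Step 1: every client the MX saw in the last `timespan` seconds.
    clients = transport("GET", f"/devices/{serial}/clients?timespan={timespan}")
    for client in clients:
        # Step 2: keep only VPN clients (address inside the client-VPN pool).
        if not in_vpn_subnet(client.get("ip"), vpn_subnet):
            continue
        mac = client["mac"]
        details = transport("GET", f"/networks/{network_id}/clients/{mac}")
        email = details.get("user")  # assumption: the VPN username (email) is reported here
        policy_id = policy_for_email(email, domain_to_policy)
        if policy_id is None:
            # Unknown domain: leave the client on the restricted default policy.
            continue
        # Step 3: only touch clients that are still on the default policy.
        current = transport("GET",
                            f"/networks/{network_id}/clients/{mac}/policy?timespan={timespan}")
        if current.get("type") != DEFAULT_POLICY_TYPE:
            continue
        # Step 4: assign the company's group policy (body shape is an assumption about v0).
        transport("PUT", f"/networks/{network_id}/clients/{mac}/policy",
                  {"devicePolicy": "Group policy", "groupPolicyId": policy_id})
        changed.append((mac, email, policy_id))
    return changed


if __name__ == "__main__":
    import os
    # Assumed environment variables; run from cron once a minute as the thread suggests.
    t = make_transport(os.environ["MERAKI_API_KEY"])
    for row in reassign_vpn_clients(t, os.environ["MX_SERIAL"], os.environ["NETWORK_ID"]):
        print("assigned", row)
```

Step 5 (the firewall rules on each group policy) stays in the dashboard; the script only moves clients onto the right policy. Because `transport` is injected, the same function can be exercised against recorded API responses before it is pointed at a live dashboard.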