
Assign different VPN group policies (without RADIUS or AD)

Conversationalist

Assign different VPN group policies (without RADIUS or AD)

I was working on a project for a customer. We used a Meraki MX for multiple companies in this project. The big problem was that all VPN clients came in on the same subnet, and if all the VPN clients (from different companies) wanted to get to their resources I needed to open all subnets. Of course this is a very big security problem.

 

I have solved this with the Meraki APIs. I look at the domain name of the email address and assign the right group policy, with rights only to the subnet of his company. Maybe this is helpful for other companies.

 

 

If you want more details you can contact me on jonas@complit.be

3 REPLIES
Kind of a big deal

Re: Assign different VPN group policies (without RADIUS or AD)

Thanks, sounds like a unique approach. I don't currently have a need for this but I'll keep this in mind for sure.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Kind of a big deal

Re: Assign different VPN group policies (without RADIUS or AD)

That is a good solution for the moment.

 

One of the issues is you have to wait for them to log in once via VPN before you can assign that group policy.

Conversationalist

Re: Assign different VPN group policies (without RADIUS or AD)

That's correct, but it's the best solution you can do for the moment, I think. You can restrict the default VPN profile and run the script every minute.

 

It would be better if Meraki let you define a group policy when you create the VPN user. I'm pretty new to Meraki and I love it. But I was really disappointed when I found out this wasn't an option.

Here are the steps of my API script:

  1. Get all clients that connected in the last hour (api/v0/devices/)
  2. If a client has an IP address in the VPN subnet, I ask for more information (for example the email address) with the API api/v0/networks/$network_id/clients/$mac
  3. Check if the VPN client has the default group policy (normal); if so I want to change this. (api/v0/networks/$network_id/clients/$mac/policy)
  4. Then I assign another group policy based on the domain name of their email address. (api/v0/networks/$network_id/clients/$mac/policy)
  5. In the dashboard you can assign new firewall rules to the VPN group policy you assigned. You can allow traffic from the VPN subnet to the subnet of the company
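Steps 2 to 4 above as an added, runnable Python sketch; this is not the original poster's script. The client-policy paths and the `devicePolicy`/`groupPolicyId` payload follow the v0 API as I know it, while the `email` field on the client record, the policy ids, domains, MACs and addresses are constructed assumptions, and the HTTP layer is injected as `get`/`put` callables so the example runs offline.

```python
import ipaddress

# Constructed values for this example: email domain -> group policy id, and the VPN pool.
DOMAIN_TO_POLICY = {"companya.example": "101", "companyb.example": "102"}
VPN_SUBNET = ipaddress.ip_network("10.99.0.0/24")

def policy_for_email(email):
    """Step 4: pick a group policy from the domain part of the email (case-insensitive)."""
    domain = email.rsplit("@", 1)[1] if "@" in email else ""
    return DOMAIN_TO_POLICY.get(domain.strip().lower())

def in_vpn_subnet(ip):
    """Step 2: only addresses from the VPN pool are candidates."""
    try:
        return ipaddress.ip_address(ip) in VPN_SUBNET
    except ValueError:
        return False

def assign_vpn_policies(get, put, network_id, clients):
    """Steps 2-4 over one batch of recently seen clients (the output of step 1).
    get(path) / put(path, body) wrap the dashboard API and are injected so this runs offline."""
    changed = {}  # mac -> policy id actually written
    for c in clients:
        if not in_vpn_subnet(c.get("ip", "")):
            continue
        base = f"/networks/{network_id}/clients/{c['mac']}"
        target = policy_for_email(get(base).get("email") or "")  # 'email' field name assumed
        if target is None:  # unknown domain: leave it on the restricted default policy
            continue
        if get(base + "/policy").get("type", "").lower() != "normal":
            continue  # step 3: already carries a non-default policy, do not touch it
        put(base + "/policy", {"devicePolicy": "Group policy", "groupPolicyId": target})
        changed[c["mac"]] = target
    return changed

# Constructed in-memory stand-in for the API responses so the example runs offline.
FAKE_API = {
    "/networks/N1/clients/aa:bb:cc:00:00:01": {"email": "Alice@CompanyA.example"},
    "/networks/N1/clients/aa:bb:cc:00:00:01/policy": {"type": "Normal"},
    "/networks/N1/clients/aa:bb:cc:00:00:02": {"email": "bob@companyb.example"},
    "/networks/N1/clients/aa:bb:cc:00:00:02/policy": {"type": "Group policy", "groupPolicyId": "102"},
    "/networks/N1/clients/aa:bb:cc:00:00:03": {"email": "eve@other.example"},
    "/networks/N1/clients/aa:bb:cc:00:00:03/policy": {"type": "Normal"},
}
CLIENTS = [{"mac": "aa:bb:cc:00:00:01", "ip": "10.99.0.10"},   # on default -> reassigned
           {"mac": "aa:bb:cc:00:00:02", "ip": "10.99.0.11"},   # already assigned, skipped
           {"mac": "aa:bb:cc:00:00:03", "ip": "10.99.0.12"},   # unknown domain, skipped
           {"mac": "aa:bb:cc:00:00:04", "ip": "192.168.1.5"}]  # LAN client, skipped

def demo():
    return assign_vpn_policies(FAKE_API.__getitem__, lambda p, b: None, "N1", CLIENTS)
```

A client whose email domain is not in the mapping is deliberately left on the restricted default policy, so a mistyped or unexpected address never widens access.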