Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout mmzzaq
mmzzaq
Here to help
Member since Aug 26, 2018
2 weeks ago
Community Record
16
Posts
4
Kudos
0
Solutions
Badges
2 weeks ago
Oh that doesn't sound assuring. When troubleshooting my issue, obviously I Googled a bit and I did find a post from a Meraki employee stating that an EICAR download should trigger AMP so I feel like something is not right but not 100% sure.
... View more
2 weeks ago
Hi, We recently decommissioned our MX64 and upgraded to a MX75, running firmware 19.1.11. The new MX75 runs the Advanced Security license, i have verified this through Organization > License info. I have enabled AMP in Security & SD-WAN > Threat Protection and also enabled Intrusion detection and prevention > Mode: detection, Ruleset: Balanced. Further more I made sure that Network-wide > Configure > General > Traffic analysis > is set to Detailed: collect destination hostnames. Whenever I download the malware testfile at https://www.eicar.org/download-anti-malware-testfile/ AMP doesn't block it and nothing is logged in Security & SD-WAN > Security center. Doesn't matter if I download the .txt, .com or .zip file. Note that the download is successful (i actually have the file on disk) and local AV is temporarily disabled. Also, whenever I perform a successful Nmap portscan to a working IP address in another VLAN, nothing is logged in Security & SD-WAN > Security center. Last, we don't have any other gateway or WAN link, so everything is running through MX75. Anyone any idea why AMP doesn't block EICAR, why the portscans don't get logged in Security & SD-WAN > Security center and why nothing in general is logged in Security & SD-WAN > Security center? Security center screenshot: https://imgur.com/01lWCN1
... View more
Apr 30 2024
3:30 PM
It looks you are not reading half of what I wrote. Check the top of my first post and the bottom of my first post. That's something I already added before your first reply.
... View more
Apr 30 2024
1:22 AM
Works perfectly fine for me and the Microsoft documentation also seems to indicate that this shouldn't be an issue. Like I said in my startpost, Anyconnect is unfortunately not an option for us (https://community.meraki.com/t5/Security-SD-WAN/MX64-AnyConnect-VPN-Split-tunnel-profile/m-p/233704#M52376)
... View more
Apr 29 2024
9:31 AM
1 Kudo
(fixed, see edit) We currently use Meraki MX64 client VPN in combination with a local Windows NPS server (radius) so that users can authenticate with their Windows credentials. This works fine but I want to protect the connections with MFA, so I installed the 'NPS Extension for Azure MFA' on the NPS server. Unfortunately I cannot get that to work in combination with our client-VPN. When having it enabled, users cannot establish a VPN connection anymore. They are able to enter their user/pass when the Windows VPN client asks for it but after that it just times out without the user being prompted for MFA: The NPS server logs the following on these connection attempts: "NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User testuser1@exampledomain.com with response state Discard, ignoring request." "NPS Extension for Azure MFA: NPS AuthN extension bypassed for User testuser1@exampledomain.com with response state Discard" I have ran the Azure MFA NPS health check script and that shows no issues. The testuser also has a valid Entra ID P1 subscription. Further more, the users are able to use MFA on Microsoft services. The settings I'm using on the NPS server are the working settings that were already in place for the non-MFA client-VPN as described in this article: https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN_IPsec I also have set the radius timeout in the Meraki dashboard to 180 but that doesn't make a difference. I'm having the feeling that it might just be a simple setting in my NPS server that can fix the problems. Can anyone that also uses that NPS Extension for Azure MFA on their NPS server share their settings? Or does anyone have any advice on how I could possibly fix my issues? note: I know Anyconnect can do MFA flawlessly with SAML but Anyconnect is not an option for us. Thanks in advance EDIT: Nvm, i fixed it. Turns out I erroneously swapped around two registry key values earlier when I was troubleshooting the early stages 😑 Hitting myself with a hammer in the head. Btw, now that it's working, I can confirm that using the starter radius settings from the Meraki article from above, are enough to get it working in combination with the extra NPS extension (this is something I was wondering about a lot during my earlier troubleshooting).
... View more
Labels:
- Labels:
-
Client VPN
Apr 29 2024
7:58 AM
Same issue here. Did you ever figure this out? The other option (Anyconnect) works fine but that is not option for us.
... View more
Apr 26 2024
8:44 AM
Hi, Our users use the default Windows VPN client to establish a VPN connection to our Meraki MX64 in combination with a radius server so that they are able to use their Windows identity to login. This works fairly well but I saw Anyconnect being available so I tested it out a bit and it works pretty good too, even with SAML as authentication method so that the users could MFA the connection with their Microsoft Authenticator. But here comes the issue for me: with our previous Windows VPN client solution, we were able to create two VPN connections on the user's computer: 1 profile with split tunnel VPN 1 profile without split tunnel VPN This seems not to be possible with Anyconnect VPN as split tunnel or non-split tunnel is defined on the server (the MX device) instead of the client and also because the Anyconnect client doesn't seem to support configuring split options. Am I correct in these assumptions? Has anyone ever tackled this problem? I was pretty excited in the thought of implementing Anyconnect but it seems that the VPN routing options make it a non-option for us as we definitely need two different profiles for our users (1 split tunnel, 1 non-split tunnel).
... View more
Mar 4 2022
4:02 AM
The AD account that is connecting, does it have Control access through NPS Network Policy enabled? (Account > Dial-in > Control access through NPS Network Policy). Is the account also a member of the correct group?
... View more
Mar 4 2022
3:44 AM
We have a MX64 configured with L2TP client VPN. In MX64 > Network-wide > Eventlog > VPN client connected, you can see when a VPN client connected to the MX64. Amongst other things, you'll see a MAC address in the column "Client". All these addresses start with "03:" in my MX64. What MAC address is this? It's not the MAC address of the remote client computer and also not of the remote client's computer router/modem. My best guess is that it might belong to the remote client's VPN adapter/WAN miniport but I'm not really sure. I couldn't retrieve the MAC address of the VPN adapter/WAN miniport by trying standard methods on the remote client PC (ipconfig /all, powershell, wmi). I'm kinda disappointed the eventlog doesn't appear to show the remote client's MAC address and thus making identification of physical remote devices impossible, unless I am overlooking something? Does anyone know what these MAC addresses are?
... View more
Labels:
- Labels:
-
Client VPN
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 4185 |
© 2025 Cisco Systems, Inc.
