Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About lmorel
lmorel
Here to help
Member since Feb 23, 2020
07-06-2022
Community Record
19
Posts
4
Kudos
0
Solutions
Badges
03-01-2022
11:17 AM
So I double-checked that I didn't use the Profile Update on the MX for the AnyConnect client. It was disabled. So I decided to upload that profile.xml file with the settings I mentioned in the original post. And what do you know. It works now and the settings are properly showing the chosen options. I will monitor how the Disable Captive Portal Detection option behave.
... View more
03-01-2022
11:05 AM
OK, so I noticed under the Options of the client, I am seeing that the "Disable Captive Portal Detection" option is unchecked (value is "true" in xml file, not false...) and present ( = but User Controllable is set to false in xml file). I am not sure I understand why these values are not observed though. That would explain why I am having those pop-ups then....
... View more
02-28-2022
12:45 PM
I am testing AnyConnect and got the authentication part working well (SAML). But now I am wondering about the user experience and the AnyConnect client popping up anytime there is a change in connectivity with my wifi or ethernet connection. For example, I am in the office right now and anytime I stepped away from my desk long enough and I come back, the AnyConnect client is open with the "You may need to use a browser to gain access". Interestingly enough, my laptop is plugged in with power and set to not go to sleep. I suspect power saving changes made by Microsoft in the last few years are more aggressive and some devices go to "sleep". AnyConnect picks up on it and pops up. While this might be a small annoyance (just close it), I know my users are going to complain a lot. I thought I just needed to disable the Disable Captive Portal Detection option and I already did that. And this is what I have in my profile file: <DisableCaptivePortalDetection UserControllable="false">true</DisableCaptivePortalDetection> Other options I have currently configured in my profile file that might be relevant (or not): <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart> <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect> <AutoReconnect UserControllable="false">false</AutoReconnect> <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby> <AutoUpdate UserControllable="false">true</AutoUpdate> <AutomaticVPNPolicy>true <TrustedDNSDomains>my_domain_here</TrustedDNSDomains> <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy> <UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy> <AlwaysOn>false </AlwaysOn> </AutomaticVPNPolicy>
... View more
Labels:
- Labels:
-
Client VPN
02-27-2022
06:10 PM
Thank you! I also saw others discussing this topic for ASAs and SAML. I can't find that link right now though.
... View more
02-24-2022
03:34 PM
By design, I was wondering if anyone could confirm that the Start before log on (SBL) feature cannot work when using SAML authentication for AnyConnect. Correct?
... View more
Labels:
- Labels:
-
Azure
-
Client VPN
02-21-2022
10:12 PM
I apologize for the long delay. Thank you @PhilipDAth for the info! I have been using SAML and Conditional Access in Azure and require BOTH options of "Require Hybrid Azure AD joined device" and "MFA" to grant access. It works very well. Maybe I am still struggling to understand that Certificate Authentication option mentioned in my original post and what you explained earlier. Are you implying this is an option to use IF I use RADIUS only and to NOT use if I use SAML? Selecting the Enabled setting only allows to upload a "file". I am not an expert on the certificate side of things but a CSR of some sort would need to be used, right? I was watching a video on YouTube about the Certificate Authentication setup for Cisco ASAs, just to get an idea of the whole concept. There is evidently information to be used to and from the ASA in order to complete the setup. And by looking at the MX interface, it looks like things are "missing" or not well explained. But now I am re-reading your post and I am guessing it's not needed (or can't be used) with SAML. I used TDN in the AnyConnect profile to disconnect the client when inside the office. But that wouldn't stop the user from clicking on Connect again and still successfully connect while inside the office. So I created another Conditional Access rule to NOT grant access to an AnyConnect connection IF the user is physically located at a Trusted IP site (in the office). Works well as well as I get an Azure message telling me I cannot go past the SAML step. This should be clear enough to remind the user to stop trying.
... View more
01-16-2022
11:11 AM
I saw @PhilipDAth replied to another thread a few minutes ago and it might be related so I apologize in advance if I am creating a similar post here. I am playing with AnyConnect and using SAML as Authentication Type. Works well so far. I came across this setting about Certificate Authentication (showing as Disabled below). Would that be for when I deploy this certificate on my Windows 10 clients through GPO and Meraki checks and validate that this client is authorized to connect first then onto the SAML Azure AD authentication step? Can I use a 3rd-party certificate for this as opposed to self-signed? I found a couple of instructions for AnyConnect and SAML configuration (one simple and one detailed) off the Meraki website but I don't think this setting was explained.
... View more
01-12-2022
06:49 PM
We have been Advanced Security licensed for years and it's been good/great to us. We also use the Client VPN with Windows and been playing with AnyConnect as well. I was wondering about your opinion regarding the Advanced Security license and me thinking about routing my users through Azure point to site VPN instead of routing them back to my HQ though my MX250. I understand I will lose the ability of having their VPN traffic being "cleaned up" by the MX250 and the Advanced Security license while they WFH. I was thinking stability, better performance and Azure infrastructure in general would be better than my HQ and a single MX250 to handle my VPN users. Just thinking it would be a waste to not rely on the Advanced Security license and a lot riskier for my users and our business based on their traffic habits. We do have EDR loaded on clients.
... View more
Labels:
- Labels:
-
Azure
-
Client VPN
02-11-2021
02:01 PM
1 Kudo
Yeah, I regret not taking a screenshot. They locked it down shortly after. It's funny, I asked my Meraki sales rep and his engineer about it and forwarded the link. Then I implied that it was getting frustrating that here we go once again, getting some new info that might be conflicting with everything else we hear or read so far. The engineer came back the next day with a "hey, I can't even access this link!". And I thought he was messing with me only to realize they locked it down and even he couldn't access the info.............. dude, for real. ???
... View more
09-02-2020
11:35 AM
Thank you very much @SoCalRacer ! I checked and confirmed their subnets didn't conflict with anything. They are traveling right now. Used Comcast in California at home and using Spectrum right now in NC. I do not routers specifics. I also tried myself right now and ran into same issue through AT&T fiber and also tested through AT&T wireless and hotspot. So getting consistently same problem/behavior. I am going to revert to 14.42. Should I call support in case it is a setting they can adjust manually under beta or don't even bother?
... View more
09-02-2020
10:40 AM
Thank you @SoCalRacer ! I could definitely try that. I was just wondering if that is something others have ever experienced. I remember running into that over 15 years ago through an ASA and AnyConnect only allowing one connection at a time from a VPN client and we could change that setting/value. I can't remember the details. But I guess our workforce has been working in the office most of the time in the last 4 years since we became Meraki customers and this is a "new" one right now. If anyone else has any input or suggestions, please let me know or share this here. I will try to revert to stable firmware this coming weekend.
... View more
09-02-2020
08:59 AM
I apologize in advance if this is a super dumb question. But I have a married WFH from same location and they can only connect one at a time. 2 separate laptops (assigned individually), Windows 10, built-in VPN client, full tunnel and RADIUS with AD. I actually watched the consistent behavior while I was pinging continuously. I had the Wife connected, pinging her VPN client IP, all fine. Then her Husband started to connect, showing as "Connecting..." while it seems to be in that state for a while and I can see his Wife's VPN IP immediately and fully dropping packets but NOT disconnecting. After what seems to be 20-30 seconds, the Husband gets the red error message about "The network connection between your computer and the VPN server.... (firewalls, NAT,...)". Right then I can see that the successful pinging is resuming on the Wife's laptop. If I have her disconnect and her husband connects, the reverse is also happening when she tries to connect and is already connected, consistently. As if the MX250 (running beta 15.34) only accepts one VPN client at a time from that public IP address where the married couple is located. Any suggestions or ideas?
... View more
08-04-2020
09:54 PM
@Bsalami Curious since this is still a unicorn right about now: what kind of MFA support should we be expecting once the AnyConnect client is released? Or anyone who might be evaluating the beta AnyConnect client on a MX, would you care to share how you can handle MFA for Client VPN access? After all, Duo Security was acquired by Cisco. Just like Meraki....................................... It would be amazing if we could get some decent updates around here. I already complained to my Meraki rep about the serious lack of communication from Meraki to the masses. In comparison, it almost makes the White House look like masters in public relations in the last 6 months over anything that is COVID19 related......
... View more
03-25-2020
08:19 AM
Once enabled by support in the closed beta, is it a all or nothing type of feature or an additional option and you can have mix and match versions of VPN client configs (meraki cloud, AD, Radius, etc)? (apologies in advance if I didn't use the proper terminology).
... View more
03-12-2020
08:13 PM
3 Kudos
Was told today same thing. I am getting an additional MX through SHI and my account manager was going back and forth with his Meraki point of contact. Then I remembered this thread so I asked him about AnyConnect. He came back and said that he was told AnyConnect is in beta and release should be late spring. Exciting news to say the least. So the real question is: has anyone taken a 4K picture of Big Foot yet?
... View more
02-24-2020
08:44 PM
Out of curiosity, and not saying AlwaysOnVPN is on the table yet, but should I be considering this as another option and move in a different direction/approach? Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device? (as opposed to just use the Windows Groups as a condition). I know, wishful thinking.
... View more
02-23-2020
08:55 PM
@PhilipDAth Thank you very much! Since I am not in a hurry and provided there will be some new development regarding AnyConnect around may 2020 (I know, I know...), would that change things a bit for my risk profile and how to approach this? Meaning, should I wait and rethink as far as access control goes (zero trust and still using my MX84 for VPN client access)? @Nash I would like to apologize, that was rude of me to make assumptions. Thank you @PhilipDAth for correcting me.
... View more
02-23-2020
04:12 PM
We have a MX84. Running 15.26 at the moment. It is also enabled for Client VPN service, AD and RADIUS, all implemented by using Meraki documentation off their website. It's working, except for the occasional broken UI in Windows 10 (showing as "Connecting...." but doesn't connect) when a user try to connect via VPN and we end up opening the VPN full menu in Action Center and connect fine from there. It is what it is and hoping for AnyConnect support soon (May 2020 from what I've read on another post around here???) With that said, I am trying to verify who's who when my user connect via Client VPN. I know RADIUS is in place and works as designed, but if for some reasons the preshared key is stolen/compromised for that VPN profile AND one of my users credentials are compromised as well, anyone can recreate this VPN connection and get into our network. It might be a lot of "if"s for some and unacceptable for others. What would you do? I looked into Duo and I am supposed to have a conf call with them tomorrow. I looked at Okta (combined with ScaleFT ?), SaaSPass, etc. So I know I could use MFA. We only use Office 365 E3 as "other online services". I could use MFA there for "free" and spend a little bit of money with Duo for the client VPN. Or is there another way to approach this? What if I can find a way to make my device a zero trust device. Meaning I would have a way to trust my device and not even bother my users with MFA challenge? We had stolen laptops before and users report them stolen ASAP. I can see that could be a problem but "hoping" the users wouldn't put their password on a post-it with that stolen password. I know, wishful thinking. But in the end, what to do. Why not MFA with Duo, you ask? Because some of my users are just not there (I know they should). So I am trying really hard to design a system where I would rely on zero trust (so I trust my joined AD devices) as a condition, the user AD credentials, the client VPN with preshared secret, RADIUS and my MX84. Correct me if I'm wrong, the RADIUS setup for Meraki Client VPN is to control a group of users in AD who will be permitted to use/connect to the corporate group, but not to control what PC will be accessing that same corporate network? I also saw a post around here from @Nash and his excellent script. What caught my eye was "Prevent Windows from authenticating to network resources with the VPN credential.". I guess that's super important based on what I am discussing here and trying to get a better grip on security. I can use my VPN profile and quickly set up an android phone that has no relationship whatsoever with my AD and corporate network, yet it connects just fine. Or use a freshly loaded Windows 10 laptop, NOT part of AD, just WORKGROUP and also connects just fine. Meaning they are passed my firewall and possible chaos would ensue. I am also trying out the Enterprise Mobility + Security E3 (https://www.microsoft.com/en-us/licensing/product-licensing/enterprise-mobility-security) and I have an Intune Connector for Active Directory configured on one of my server for on-premise AD. I apologize for the long and possibly confusing post. I am poking around and just trying to make sense out of all of this. I think I would be happy if I could have my system verify the device trying to connect to my VPN is actually allowed to do so and bounced if it's not one of my devices. Or MFA it has to be....
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 38880 | |
| 1 | 12990 |
