Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About lmorel
lmorel
Here to help
Member since Feb 23, 2020
03-14-2021
Community Record
11
Posts
4
Kudos
0
Solutions
Badges
02-11-2021
02:01 PM
1 Kudo
Yeah, I regret not taking a screenshot. They locked it down shortly after. It's funny, I asked my Meraki sales rep and his engineer about it and forwarded the link. Then I implied that it was getting frustrating that here we go once again, getting some new info that might be conflicting with everything else we hear or read so far. The engineer came back the next day with a "hey, I can't even access this link!". And I thought he was messing with me only to realize they locked it down and even he couldn't access the info.............. dude, for real. ???
... View more
09-02-2020
11:35 AM
Thank you very much @SoCalRacer ! I checked and confirmed their subnets didn't conflict with anything. They are traveling right now. Used Comcast in California at home and using Spectrum right now in NC. I do not routers specifics. I also tried myself right now and ran into same issue through AT&T fiber and also tested through AT&T wireless and hotspot. So getting consistently same problem/behavior. I am going to revert to 14.42. Should I call support in case it is a setting they can adjust manually under beta or don't even bother?
... View more
09-02-2020
10:40 AM
Thank you @SoCalRacer ! I could definitely try that. I was just wondering if that is something others have ever experienced. I remember running into that over 15 years ago through an ASA and AnyConnect only allowing one connection at a time from a VPN client and we could change that setting/value. I can't remember the details. But I guess our workforce has been working in the office most of the time in the last 4 years since we became Meraki customers and this is a "new" one right now. If anyone else has any input or suggestions, please let me know or share this here. I will try to revert to stable firmware this coming weekend.
... View more
09-02-2020
08:59 AM
I apologize in advance if this is a super dumb question. But I have a married WFH from same location and they can only connect one at a time. 2 separate laptops (assigned individually), Windows 10, built-in VPN client, full tunnel and RADIUS with AD. I actually watched the consistent behavior while I was pinging continuously. I had the Wife connected, pinging her VPN client IP, all fine. Then her Husband started to connect, showing as "Connecting..." while it seems to be in that state for a while and I can see his Wife's VPN IP immediately and fully dropping packets but NOT disconnecting. After what seems to be 20-30 seconds, the Husband gets the red error message about "The network connection between your computer and the VPN server.... (firewalls, NAT,...)". Right then I can see that the successful pinging is resuming on the Wife's laptop. If I have her disconnect and her husband connects, the reverse is also happening when she tries to connect and is already connected, consistently. As if the MX250 (running beta 15.34) only accepts one VPN client at a time from that public IP address where the married couple is located. Any suggestions or ideas?
... View more
08-04-2020
09:54 PM
@Bsalami Curious since this is still a unicorn right about now: what kind of MFA support should we be expecting once the AnyConnect client is released? Or anyone who might be evaluating the beta AnyConnect client on a MX, would you care to share how you can handle MFA for Client VPN access? After all, Duo Security was acquired by Cisco. Just like Meraki....................................... It would be amazing if we could get some decent updates around here. I already complained to my Meraki rep about the serious lack of communication from Meraki to the masses. In comparison, it almost makes the White House look like masters in public relations in the last 6 months over anything that is COVID19 related......
... View more
03-25-2020
08:19 AM
Once enabled by support in the closed beta, is it a all or nothing type of feature or an additional option and you can have mix and match versions of VPN client configs (meraki cloud, AD, Radius, etc)? (apologies in advance if I didn't use the proper terminology).
... View more
03-12-2020
08:13 PM
3 Kudos
Was told today same thing. I am getting an additional MX through SHI and my account manager was going back and forth with his Meraki point of contact. Then I remembered this thread so I asked him about AnyConnect. He came back and said that he was told AnyConnect is in beta and release should be late spring. Exciting news to say the least. So the real question is: has anyone taken a 4K picture of Big Foot yet?
... View more
02-24-2020
08:44 PM
Out of curiosity, and not saying AlwaysOnVPN is on the table yet, but should I be considering this as another option and move in a different direction/approach? Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device? (as opposed to just use the Windows Groups as a condition). I know, wishful thinking.
... View more
02-23-2020
08:55 PM
@PhilipDAth Thank you very much! Since I am not in a hurry and provided there will be some new development regarding AnyConnect around may 2020 (I know, I know...), would that change things a bit for my risk profile and how to approach this? Meaning, should I wait and rethink as far as access control goes (zero trust and still using my MX84 for VPN client access)? @Nash I would like to apologize, that was rude of me to make assumptions. Thank you @PhilipDAth for correcting me.
... View more
02-23-2020
04:12 PM
We have a MX84. Running 15.26 at the moment. It is also enabled for Client VPN service, AD and RADIUS, all implemented by using Meraki documentation off their website. It's working, except for the occasional broken UI in Windows 10 (showing as "Connecting...." but doesn't connect) when a user try to connect via VPN and we end up opening the VPN full menu in Action Center and connect fine from there. It is what it is and hoping for AnyConnect support soon (May 2020 from what I've read on another post around here???) With that said, I am trying to verify who's who when my user connect via Client VPN. I know RADIUS is in place and works as designed, but if for some reasons the preshared key is stolen/compromised for that VPN profile AND one of my users credentials are compromised as well, anyone can recreate this VPN connection and get into our network. It might be a lot of "if"s for some and unacceptable for others. What would you do? I looked into Duo and I am supposed to have a conf call with them tomorrow. I looked at Okta (combined with ScaleFT ?), SaaSPass, etc. So I know I could use MFA. We only use Office 365 E3 as "other online services". I could use MFA there for "free" and spend a little bit of money with Duo for the client VPN. Or is there another way to approach this? What if I can find a way to make my device a zero trust device. Meaning I would have a way to trust my device and not even bother my users with MFA challenge? We had stolen laptops before and users report them stolen ASAP. I can see that could be a problem but "hoping" the users wouldn't put their password on a post-it with that stolen password. I know, wishful thinking. But in the end, what to do. Why not MFA with Duo, you ask? Because some of my users are just not there (I know they should). So I am trying really hard to design a system where I would rely on zero trust (so I trust my joined AD devices) as a condition, the user AD credentials, the client VPN with preshared secret, RADIUS and my MX84. Correct me if I'm wrong, the RADIUS setup for Meraki Client VPN is to control a group of users in AD who will be permitted to use/connect to the corporate group, but not to control what PC will be accessing that same corporate network? I also saw a post around here from @Nash and his excellent script. What caught my eye was "Prevent Windows from authenticating to network resources with the VPN credential.". I guess that's super important based on what I am discussing here and trying to get a better grip on security. I can use my VPN profile and quickly set up an android phone that has no relationship whatsoever with my AD and corporate network, yet it connects just fine. Or use a freshly loaded Windows 10 laptop, NOT part of AD, just WORKGROUP and also connects just fine. Meaning they are passed my firewall and possible chaos would ensue. I am also trying out the Enterprise Mobility + Security E3 (https://www.microsoft.com/en-us/licensing/product-licensing/enterprise-mobility-security) and I have an Intune Connector for Active Directory configured on one of my server for on-premise AD. I apologize for the long and possibly confusing post. I am poking around and just trying to make sense out of all of this. I think I would be happy if I could have my system verify the device trying to connect to my VPN is actually allowed to do so and bounced if it's not one of my devices. Or MFA it has to be....
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 24877 | |
| 1 | 1538 |
