These devices are known as endpoints and may be laptops, tablets, or smartphones. Advances in VPN technology have allowed security checks to be conducted on endpoints to make sure they meet a certain posture before connecting. Think of remote access as computer to network. AnyConnect VPN Meraki Auto VPN Duo Security (Multi-Factor Authentication). How to configure a Non-Meraki VPN tunnel using a Cisco Meraki Security Appliance MX in the Meraki Dashboard. Cisco Meraki’s unique auto provisioning site-to-site VPN connects branches securely with complete simplicity. Using IPsec over any wide area network, the MX links your branches to headquarters as well as to one another as if connected with a virtual Ethernet cable.
AnyConnect supports authentication with either RADIUS, Active Directory, or Meraki Cloud. For more details on AnyConnect configuration, refer to the AnyConnect configuration guide.
Note: Systems Manager with Sentry is not supported with AnyConnect.
Note: SAML authentication is not supported at this time.
Re: AnyConnect for Meraki Client VPN Access? Hello All, It's been a long wait, but finally we are happy to announce that AnyConnect is now available on the Meraki MX as a public beta feature on the MX16.X firmware. No AnyConnect support on Meraki MX no problem! Use the ASAv and Meraki MX together to provide AnyConnect VPN connectivity.
Meraki Cloud Authentication
Note: IPsec must be enabled and users must be authorized on the IPsec settings tab.
Use this option if an Active Directory or RADIUS server is not available, or if VPN users should be managed via the Meraki Cloud. To add or remove users, use the User Management section at the bottom of the page. Add a user by clicking 'Add new user' and entering the following information:
Name: Enter the user's name.
Email: Enter the user's email address.
Password: Enter a password for the user or click 'Generate' to automatically generate a password.
Authorized: Select whether this user is authorized to use the client VPN.
To edit an existing user, click on the user under the User Management section. To delete a user, click the X next to the user on the right side of the user list.
When using Meraki-hosted authentication, the user's email address is the username that is used for authentication.
RADIUS
Use this option to authenticate users on a RADIUS server. Click Add a RADIUS server to configure the server(s) to use. Enter in the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.
Note: Only one RADIUS server is supported for authentication with AnyConnect today.
Add MX security appliance as RADIUS clients on the NPS server.
In order for the MX to act as an authenticator for RADIUS, it must be added as a client on NPS.
Open the NPS server console by going to Start > Programs > Administrative Tools > Network Policy Server.
In the left-side pane, expand the RADIUS Clients and Servers option.
Right-click the RADIUS Clients option and select New.
Enter a Friendly Name for the MX security appliance or Z teleworker gateway RADIUS client.
Enter the IP address of your MX security appliance or Z teleworker gateway. This IP will differ depending on where the RADIUS server is located:
On a local subnet: use the IP address of the MX/Z on the subnet shared with the RADIUS server
Over a static route: use the IP address of the MX/Z on the subnet shared with the next hop
Over VPN: use the IP address of the MX/Z on the highest-numbered VLAN in VPN
Create and enter a RADIUS Shared Secret (make note of this secret, you will need to add this to the dashboard).
Note: Currently only ASCII characters are supported for RADIUS shared secrets, unicode characters will not work correctly.
Press OK when finished.
For additional information or troubleshooting assistance, please refer to Microsoft documentation on RADIUS clients.
Configure a RADIUS Connection Request
In the NPS server console, navigate to Policies > Connection Request Policies. Right-click the Connection Request Policies folder and select New.
In the Connection Request Policy Wizard, enter a policy name and select the network access server type unspecified, then press Next.
Click Add to add conditions to your policy. Access-request messages will need to meet these conditions to be allowed access.
From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next
Press Next on the next three pages of the wizard to leave the default settings intact.
Review the settings, then press Finish.
Configure a RADIUS Network Policy.
In the left-side pane of the NPS server console, right-click theNetwork Policies option and select New.
In the Network Policy Wizard enter a policy name and select the network access server type unspecified, then press Next.
Click Add to add conditions to your policy.
From the list of conditions, select the option for Windows Groups. Click Add Groups and enter the name you would like to give client VPN permission to.
From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next.
Leave the default settings on the Specify Access Permission page and press Next.
Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed, press No to continue, and press Next. Refer to this doc for security information about using PAP.
Press Next on the next two pages of the wizard to leave the default settings intact.
Review the settings, then press Finish.
Active Directory
Use this option if user authentication should be done with Active Directory domain credentials. You will need to provide the following information:
Short domain: The short name of the Active Directory domain.
Server IP: The IP address of an Active Directory server on the MX LAN.
Domain admin: The domain administrator account the MX should use to query the server.
Password: Password for the domain administrator account.
For example, considering the following scenario: Users in the domain test.company.com should be authenticated using an Active Directory server with IP 172.16.1.10. Users normally log in to the domain using the format 'test/username' and you have created a domain administrator account with username 'vpnadmin' and password 'vpnpassword'.
The Short domain would be 'test'
The Server IP would be 172.16.1.10.
The Domain admin would be 'vpnadmin'
The Password would be 'vpnpassword'
Note: Only one AD server can be specified for authentication with AnyConnect at the moment. The MX does not support mapping group policies via Active Directory for users connecting through the client VPN. Refer to this document for more information on integrating with client VPN.
Meraki Vpn Anyconnect Download
Certificate-based authentication
The AnyConnect server on the MX supports client certificate authentication as a factor of authentication. If certificate authentication is enabled, the AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting for the users' credentials. AnyConnect on the MX does not support certificate-only authentication at this time. Authenticating users must input credentials once certificate authentication succeeds. If certificate authentication fails, the AnyConnect client will report certificate validation failure.
Multi-Factor Authentication with RADIUS or Active Directory as a Proxy
MFA is not natively supported on the MX, however, you can configure MFA with your RADIUS or Active Directory server. The MFA challenge takes place between the RADIUS/Active Directory/Idp and the user. The MX will not pass any OTP or PINs between the user and RADIUS. The user connects to the MX and gets prompted for username and password, the MX passes credentials to the RADIUS or AD server, then the RADIUS or AD server challenges the user directly (not through the MX). The user responds to RADIUS or AD server, possibly via push notification, etc, then the RADIUS or AD server tells the MX that the user has successfully authenticated. Only then is the user allowed access to the network. Refer to this document for more information on authentication.
RADIUS Time-Out
The default RADIUS time-out is three seconds. This is how long the AnyConnect server will wait for a response from the RADIUS sever before failing over to a different RADIUS server or ignoring the response entirely. To support two-factor authentication, you can increase the RADIUS time-out by modifying the RADIUS time-out field on the AnyConnect Settings page. The configurable time-out range is 1 - 300 seconds.
The purpose of this article is to demonstrate how to configure VPN settings through Systems Manager (SM).
A Virtual Private Network ( or VPN) is used to allow secure, remote connection and access to a network. Systems Manager can be used to automatically push the VPN settings to managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices. Within SM, a VPN connection can be configured manually, or with the addition of a MX Security Appliance or Cisco Meraki Concentrator in the same Dashboard organization, configured automatically. Automatically importing the VPN settings from the MX or Concentrator network will not only greatly simplify the configuration process, it will also prevent any typo errors in the VPN settings.
Note: Deploying VPN settings via SM is available for iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices.
More Information: Configuring client VPN.
More Information: For detailed information on how to create and deploy SM configuration profiles to different groups of managed devices, please consult this article.
Sentry VPN on Meraki MX-Z Devices
Sentry VPN Security allows you to define a tag-scope to receive a Dynamically generated VPN Configuration from the Security appliance > Configure > Client VPN page, and configured by selecting the appropriate tag scoping for your SM devices:
Sentry Configuration for VPN in Systems Manager
Cisco Meraki Vpn Client
This option uses the Cisco Meraki cloud to automatically configure a VPN connection to a MX Security Appliance or VM Concentrator added in the same Dashboard Organization as the Systems Manager network.
Meraki Vpn Certificate
- Navigate to the Systems Manager > Manage > Settings page.
- Select the VPN tab.
- Configuration: Select Sentry.
- Security Appliance: Select the Dashboard network (MX or Concentrator) that contains the desired VPN connection.
- Auth type: If choosing Specify account, a prompt to specify the name of the user account for authenticating the connection will appear. If Use device identity is selected, Dashboard will automatically generate and use unique identifying credentials for each device when connecting to the MX VPN.
- Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional).
The following screenshot displays an example of how to set up the Sentry VPN connection:
Manual Configuration
This option allows you to manually configure VPN settings. The supported and configurable manual VPN protocols are L2TP, PPTP, IPsec (Cisco), and Cisco AnyConnect.
Cisco Anyconnect Vpn Meraki
- Navigate to the Systems Manager > Manage > Settings page.
- Select the VPN tab.
- Configuration: Choose Manual.
- Connection Name: Input a name for the VPN connection that will be displayed on the iOS device.
- Connection Type: Select either L2TP, PPTP, or IPsec (Cisco).
- Sever: Input the public IP address of the VPN server.
- Shared Secret (L2TP Only): Input the shared secret for the VPN connection.
- User Authentication: Select the user authentication method. Choosing Password allows the device user to be prompted for a password when using the VPN connection.
- Account: Specify the name of the user account used for authenticating the connection (e.g., DOMAINusername, or username@domain.tld).
- Group Name (AnyConnect Only): Specifies the group in which the AnyConnect Account resides).
- Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional).
- Proxy Setup: Configure a proxy to be used with the connection (Optional).
The following screenshot displays an example of how to setup the Manual VPN connection. Settings vary depending on the VPN connection type.
Meraki Anyconnect Beta
Systems Manager can be used to push VPN configuration settings to remotely managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices. Adding a MX or Concentrator network to the Dashboard Organization can greatly simplify the configuration process by importing the VPN settings, and automatically updating them if any changes are made. Once the managed devices are able to check-in with SM, the VPN connection profile payload will install and be available for the device user to select.
Meraki Mx Vpn Anyconnect
Cisco AnyConnect and AnyConnect Legacy
When selecting the Cisco Anyconnect connection type, a certificate will be required to be uploaded. This certificate can be exported from the VPN endpoint device and uploaded to dashboard after clicking on the 'Add Credentials' option.