Meraki Client Vpn Setup



Active Directory (AD) integration allows you to restrict access to the network and enforce Group Policies based on membership in Active Directory groups.

Currently, Active Directory-based authentication works only if one of the following is true:

Learn best practices for setting up Cisco Meraki Client VPN, both local authentication and active directory authentication. By using the built-in Meraki dyna. Cisco Meraki Client VPN only establishes full-tunnel connections, which will direct all client traffic through the VPN to the configured MX. As such, any content filtering, firewall or traffic shaping rules will apply to the VPN client's outbound traffic. Meraki VPN Client Setup. This short and sweet script will help with setting up the Windows VPN to use with Cisco Meraki firewall/routers. You can either run it raw or it can be included in your automation to deploy workstations at scale.

  • The Domain Controller is in a VLAN configured on the appliance
  • The Domain Controller is in a subnet for which a static route is configured on the appliance
  • The Domain Controller is accessible through the VPN.

If there are multiple Domain Controllers in the domain, all of them must meet one of these criteria in order for Active Directory integration to function properly.

Note: The information listed here should be used as a general operating system configuration guideline. Your specific options and menus may differ depending on the version of Windows Server deployed.

Integrating with Group Policies

A Group Policy in the Dashboard is a set of bandwidth limits, traffic shaping and firewall rules, security filtering, and content filtering settings that can be applied on a per client basis.

Note: Cisco Meraki Active Directory-Based Group Policy on the MX should not be confused with Microsoft Active Directory Group Policy as they are in no way related.

Traffic Flow

The MX utilizes Microsoft's Windows Management Instrumentation (WMI) service to pull a continuous stream of Logon Security Events from specified Domain Controllers in the Active Directory domain. These security events have critical information that tells the MX which user accounts are logged into which computers. Specifically, the events contain the IP address of the computer and the Windows username of the logged on user.

The MX will run through the following steps to identify AD group members and apply associated group policies:

  1. MX securely contacts the specified Domain Controllers for the AD domain, using TLS
  2. MX reads WMI logon events from the DC's security events, to determine which users are logged into which devices.
  3. MX binds to DCs using LDAP/TLS to gather each user's AD group membership.
  4. Group membership is added to a database on the MX.
  5. If a domain user's group membership matches an AD group policy mapping in Dashboard, the MX can apply the associated group policy to the user's computer.

Because the MX is continuously gathering this information from the domain controllers, it is able to accurately apply the policy in real-time whenever a new user logs in.

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Benefits of Active Directory Integration

By using Microsoft WMI and standards-based LDAP to interact with the Active Directory network infrastructure, the MX can do real-time Active Directory-based Group Policy assignment without the need to install or maintain any agent software on local Active Directory Domain Controllers.

Configuration Overview

The following steps outline the required configuration (both in Dashboard and Active Directory) to allow for AD-based group policy application. Please be sure to follow each step as accurately as possible, errors can be difficult to diagnose and resolve.

NOTE: Multiple Language Server Support

The support to query Microsoft Active Directory servers configured for non-English languages is presently not supported.

This functionality is currently under consideration by the Product and Engineering teams. We do not have an ETA on implementation.

Create an Active Directory Site

In Active Directory, Domain Controllers are placed into sites. Sites are assigned IP subnets. Domain users and computers authenticate with Domain Controllers located in the site (IP subnet) for which they reside. Each authentication generates a logon entry within the Domain Controllers Security Event Log. Because the MX uses these Security Events to determine which users are logged onto which computers, all of the Domain Controllers that service logons in an Active Directory site whose IP subnets also correspond to the subnets configured on the MX must be added to Dashboard.

In the example below, the MX has the following IP subnets 10.0.0.0/24 and 192.168.0.0/24 configured under Addressing & VLANs. Active Directory sites need to be applied to both subnets.

Both IP subnets on the MX, are members of the Active Directory site named 'Default-First-Site-Name' (shown below). Therefore, the IP addresses of servers DC1, DC1-UK, DC2, SE-Test, and WIN-K7346GNLZ29 located in this site must be added to Dashboard on the Active Directory page in Dashboard.

Enable Security Auditing on Active Directory Domain Controllers

Explanation

When Active Directory Group Policy is enabled, the MX pulls a continuous stream of Security Events from Windows Active Directory Domain Controllers. Using Logon Events (540 and 4624) and Account Logon Events (672 and 4768) specifically, the MX can determine which domain users are logged into which domain computers and what the IP address of those computers are. This information is then coupled with the users Group Membership retrieved from an LDAP/TLS lookup and the IP address or MAC address of the computer learned via Cisco / Meraki client detection. By combining these pieces of information, the appropriate filtering policy can be applied transparently in real-time to each computer based on the currently logged on user. If Domain Controllers specified in Dashboard do not have Security Auditing enabled, the MX will not be able to associate users to computers transparently. To ensure that a Domain Controller is configured to audit successful Logon and Account Logon Events, enable this logging using the Default Domain Controller Policy or Local Computer Policy for Domain Controllers in your domain.

Configuration
  1. On the Domain Controller, open the Local Computer Policy using gpedit.msc.
  2. Navigate to Computer Configuration>Windows Settings>Security Settings>Local Policies>Audit Policy.
  3. Confirm that 'Audit Account Logon Events' and 'Audit Logon Events' is set to 'Success' as shown in this image:

Note: If these auditing entries are not set to log Success events and the option to edit it is greyed out, then this setting is defined by Domain Group Policy, and you will need to modify this at the Domain level instead. This setting can be found by opening the applicable Group Policy in the server's Group Policy Management Editor and navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. If further issues are encountered, please refer to Microsoft's documentation for assistance:

Enable the Global Catalog Role on Each Domain Controller

In order for a Domain Controller to maintain the logon events used by the MX for user/group identification, it must be running the Global Catalog Role. As such, a required configuration step is to enable the Global Catalog Role for each Domain Controller that the MX will be polling.

Please refer to official Microsoft documentation for specific configuration steps.

Install a Digital Certificate on Each Domain Controller

In order to communicate with a Domain Controller, the MX security appliance will need to establish Transport-Layer Security (TLS) so all communication between the MX and Active Directory will be encrypted. As a prerequisite to TLS, the MX will need to verify the identity of the Domain Controller. This is done with certificate validation.

An existing certificate can be used on the Domain Controller (so long as it meets the requisite requirements for TLS), or a self-signed certificate can be created on the server.

Certificate Requirements for TLS

The following notes describe certificate parameters used in Windows Server, but can be generalized for any certificate's parameters.

Under the General tab, check for the following attributes:

Setting Up Vpn On Meraki

  • The server must have the corresponding private key. To verify that the private key exists, view the General tab of the certificate and verify that you see the following message: 'You have a private key that corresponds to this certificate'.
  • Verify that the following statement appears: 'This certificate is intended for the following purpose(s): Proves your identity to a remote computer'.
  • Check that the certificate is still valid, based on the 'Valid from' values.

Under the Details tab:

  • The Version value must contain 'v3', indicating that it is an X.509 Version 3 certificate.
  • The Enhanced Key Usage value must contain the Server Authentication certificate purpose (OID '1.3.6.1.5.5.7.3.1').
  • The Subject value must contain the Fully Qualified Domain Name of the RADIUS server or Active Directory server, e.g. myserver.mydomain.com.
  • The Public key value should be set to 'RSA (2048 Bits)'.
  • The 'Subject Alternative Name' value must contain the syntax 'DNS Name=myserver.mydomain.com' where the the DNS name is the Fully Qualified Domain Name of your server. This is especially important when using an Active Directory-based PKI.
  • The Key usage must contain the 'Digital Signature' and 'Key Encipherment' values.
    Note: In Server 2012, this option may be available as 'Data Encipherment.'

Create Groups in Active Directory

Since the MX will be mapping Active Directory groups to its own group policies, the appropriate groups will have to be created in Active Directory.

Please refer to official Microsoft documentation for specific configuration steps.

Add Users to Groups in Active Directory

When a user logs on to a domain, the logon event will include both user information and group membership. Since this group membership defines which Dashboard group policy will be applied, it is important to ensure that users are added to the appropriate groups in Active Directory.

Please refer to official Microsoft documentation for specific configuration steps.

Configure Group Policies in Dashboard

A group policy in Dashboard will determine the custom network rules and regulations that will apply to users with that policy. This can include custom bandwidth limits, more or less restrictive content filtering rules, custom access to subnets, etc.

Please refer to our documentation for more information about configuring Dashboard group policies.

Configure Active Directory Authentication in Dashboard

The following instructions explain how to add Active Directory servers to Dashboard and enable AD authentication for network clients.

  1. Log into Dashboard and navigate to Security & SD-WAN > Configure > Active Directory.
  2. From the Active Directory drop-down, select Authenticate users with Active Directory.
  3. For Per-VLAN settings choose to Require logon via splash or Default to network-wide settings (Use global settings). Enabling logon via splash will prompt network users with a splash page where they will log in with their domain credentials, but is not a prerequisite to group policy integration.
    In our example below, we are requiring splash logon for the data VLAN and network defaults for the server VLAN.

Note: The MX AD splash page authorization expires after 2 days or if AD detects a new logon event on the client. The clear authorization button on the client list does not clear the AD splash page authorization on the MX.

  1. For Active Directory Servers, click Add an Active Directory domain server. Remember to add all Domain Controllers that are responsible for the sites/subnets that the MX handles. In our example below, we added all 5 Domain Controllers located in our Active Directory site.
  2. To add an Active Directory server, enter the following information:
    1. Short Domain: Short name of the domain (a.k.a., NetBIOS name), as opposed to the fully qualified domain name (FQDN). Typically if the FQDN is 'mx.meraki.com', the short domain is 'mx'.
    2. Server IP: The IP address of the domain controller.
    3. Domain admin: A domain administrator account that the MX can use to query the AD server.
    4. Password: The password of the domain administrator account.
Meraki Client Vpn Setup

Note: Unicode characters in usernames and passwords are not currently supported.

Setup

User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI
  1. Click the Save changes button.

Create LDAP Group to Group Policy Mappings in Dashboard

Meraki Client Vpn Setup

Once Active Directory has been successfully integrated on the MX, the following steps outline how to map Dashboard group policies to groups in AD:

  1. In Dashboard, navigate to Security & SD-WAN > Configure > Active Directory > LDAP policies.
  2. Click the Refresh LDAP Groups button to pull LDAP groups from the configured Active Directory servers based on the domain credentials provided in the dashboard.

Note: Policy mappings in Dashboard are done based on the FQDN of the group policy object in Active Directory. If the OU of any object in the FQDN path changes, the group policy mapping will need to be re-added in Dashboard.

  1. Under Groups, select the LDAP group, and under Policy select the appropriate group policy for that LDAP group.
  2. Click Save Changes at the bottom of the page.

If a user is part of more than one group specified in a Group Policy mapping the first group in the list is applied, they will not receive a combination of both policies. For example, in the screenshot below, if a user was part of both staff and executives they would be mapped to staff and only receive the policy configured as the staff policy:

Note: Active Directory group policy does not support group nesting or policy overlapping. If a domain user is a member of an AD group (e.g. staff), and that group is contained within another group that has a Group Policy mapping (e.g. executives), the mapped policy (executives) will not be applied to the user.

The best practice for deploying Active Directory-based group policy is to add users to a single AD group which is mapped to a single group policy. In the example below, a company has different security levels for its executives and staff. A user Bob is a staff member and Billy is an executive. In this case, the company creates two AD groups, staff and executives. Bob is added to the staff group and Billy the executives group. Therefore Bob receives the policy applied by staff and Billy the policy from executives:

An MX appliance must be configured in Passthrough mode when Active Directory-based content filtering is desired and the Active Directory domain controllers are located upstream or across an MPLS. Additional information on the traffic flow and the reason for this required configuration is explained below.

Passthrough Mode Configuration

To support Active Directory Group Policy mappings when Active Directory servers are located across an MPLS, the MX Security Appliance must be placed in Passthrough mode. This can be accomplished by going to Security & SD-WAN > Configure > Addressing & VLANs on the Cisco Meraki Dashboard and selecting the option for Passthrough or VPN Concentrator.

In this mode, the MX Security Appliance acts as a layer 2 bridge and does not modify the source address of traffic that traverses the WAN uplink. This configuration allows the MX to query the security logs, obtain an end-user's account name and associated device IP address, and apply the corresponding group policy.

Routed Mode Configuration

When an MX Security Appliance is configured for Routed mode and Active Directory Domain Controllers are located across an MPLS, authentication requests will traverse the MX WAN uplink. When this uplink traversal occurs, a NAT translation takes place and the source IP will be modified from the user's client device IP address to the WAN IP address of the MX Security Appliance.

In this scenario, the Active Directory security logs will contain the IP address of the MX Security Appliance, rather than the IP address of the end-user's device. This prevents the MX from knowing which device to apply the identity-based content filtering policies. Because of this, a Routed mode configuration will not support Active Directory-based group policies.

Integrating with Client VPN

The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN, so a client will be required to provide domain credentials in order to connect via VPN.

Traffic Flow

When a user attempts to connect to Client VPN, the following process occurs:

  1. The user's device attempts to establish a VPN tunnel using L2TP over IP.
  2. The user provides their valid domain credentials.
  3. The MX, from its LAN IP, queries the Global Catalog over TCP port 3268 (encrypted using TLS) to the AD server configured in Dashboard.
  4. If the user's credentials are valid, the AD server will send its response to the MX, completing authentication.
  5. The MX offers the client an IP configuration on the Client VPN subnet, and the client can start communicating on the network.

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Configuration Overview

In order to configure Active Directory authentication for Client VPN, configuration steps must be completed on both Dashboard and Active Directory, outlined below:

Active Directory Configuration

The following requirements must be configured on each AD server being used for authentication:

  • Every AD server specified in Dashboard must hold the Global Catalog role.
  • Since communication between the MX and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
    • If no certificate is present, it will be necessary to install a Self-Signed certificate.
    • If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.
  • The MX will communicate from its LAN IP with each AD server over TCP port 3268, ensure that no firewalls or ACLs on the network or server will block that communication.

When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.

Dashboard Configuration

Once the AD servers have been primed with the configuration requirements outlined above, the following steps outline how to set up AD authentication for Client VPN:

  1. In Dashboard, navigate to Security & SD-WAN > Configure > Client VPN
  2. If Client VPN has not yet been enabled, please refer to our Client VPN documentation for info on initial configuration.

Note: In order for Client VPN users to be able to resolve internal DNS entries, the Custom nameservers option should be configured with an internal DNS server. The server's firewall may need to be adjusted to allow queries from the Client VPN subnet, and best practices dictate that a public DNS server should be listed as a secondary option.

  1. Set Authentication to Active Directory.
  2. Under Active Directory server, provide the short domain name and server IP, as well as the credentials for an AD domain admin.

Note: If the credentials provided do not have domain admin permissions, the MX will be unable to query the AD server.

  1. Click Save Changes.

Client Configuration

Clients can use their native VPN client to connect to Client VPN, with or without Active Directory.

Please refer to our Client VPN documentation for OS-specific configuration steps.

(Optional) Client Scoping

Due to the nature of Active Directory authentication for Client VPN, all domain users will be able to authenticate and connect to Client VPN. There is no Dashboard-native way to limit which users can authenticate, however, there is a workaround in Active Directory that allows the scope of users to be limited by specifying a domain administrator with limited group visibility.

The following article outlines how to configure this workaround for wireless networks, but the same principles can be applied to Client VPN: Scoping Active Directory per SSID

Note: This configuration is entirely reliant on Active Directory. Depending on how domain groups are managed, this may not work some environments - please refer to Microsoft documentation and support for assistance with Active Directory configuration.

User permissions for AD integration

While the AD integration account does not have to be a domain admin, it is usually the easiest way to implement this feature. If using a domain admin account is not possible or not preferable, ensure that the account has the necessary permissions to perform the following actions:

  • Query the user database via LDAP
  • Query group membership via LDAP
  • Query the domain controller via WMI

Testing

Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to ensure that the LDAP service is running and compatible with the current certificate.

Please reference Microsoft documentation for error code details and troubleshooting assistance.

Additional Resources

Setup

For more information about both Client VPN and Active Directory integration, please refer to the following articles:

This page provides instructions for configuring client VPN services through the Dashboard.

For detailed instructions on how to configure a client VPN connection on various client device platforms, please refer to:

Client VPN

The client VPN service uses the L2TP tunneling protocol and can be deployed without any additional software on PCs, Macs, iOS devices, and Android devices, since all of these operating systems natively support L2TP VPN connections.

Note: TLS (SSL) Client VPN is supported on the MX with AnyConnect. To learn more, see AnyConnect on the MX

Note: Linux-based operating systems can support client VPN connections as well, although third-party packages may be necessary to support L2TP/IP.

Note: Establishing a client VPN connection when the client is located on the LAN of the MX is unsupported.

Encryption Method

Client VPN uses the L2TP/IP protocol, with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Owing to changes in the PCI-DSS Standard version 3.2.1, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if you need these values adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 14 - Required by PCI-DSS 3.2.1).

Client VPN Server Settings

To enable Client VPN, choose Enabled from the Client VPN server pulldown menu on the Security Appliance > Configure > Client VPN page. The following Client VPN options can be configured:

  • Client VPN Subnet: The subnet that will be used for Client VPN connections. This should be a private subnet that is not in use anywhere else in the network. The MX will be the default gateway on this subnet and will route traffic to and from this subnet.
  • Hostname: This is the hostname of the MX that Client VPN users will use to connect. This hostname is a DDNS host record correlating to the Public IP address of the MX. You can change this hostname by following the instructions here.
  • DNS server: The servers VPN Clients will use to resolve DNS hostnames. Chose from Google Public DNS, OpenDNS, or specifying custom DNS servers by IP address.
  • WINS server: If VPN clients should use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.
  • Shared secret: The shared secret that will be used to establish the Client VPN connection.
  • Authentication: How VPN Clients will be authenticated (see below).
  • Systems Manager Sentry VPN security: Configuration settings for whether devices enrolled in systems manager should receive a configuration to connect to the Client VPN (see below Systems Manager Sentry VPN Security section).

Authentication

Meraki Vmx100 Client Vpn Setup

Meraki Client VPN uses the Password Authentication Protocol (PAP) to transmit and authenticate credentials. PAP authentication is always transmitted inside an IPsec tunnel between the client device and the MX security appliance using strong encryption. User credentials are never transmitted in clear text over the WAN or the LAN. An attacker sniffing on the network will never see user credentials because PAP is the inner authentication mechanism used inside the encrypted IPsec tunnel.

The authentication itself can be performed by using these three options: the Meraki cloud, RADIUS, or Active Directory. Below, the three options are discussed.

Meraki Client Vpn Setup Windows

Meraki Cloud Authentication

Meraki Mx64 Client Vpn Setup

Use this option if an Active Directory or RADIUS server is not available, or if VPN users should be managed via the Meraki cloud. To add or remove users, use the User Management section at the bottom of the page. Add a user by clicking 'Add new user' and entering the following information:

  • Name: Enter the user's name.
  • Email: Enter the user's email address.
  • Password: Enter a password for the user or click 'Generate' to automatically generate a password.
  • Authorized: Select whether this user is authorized to use the Client VPN.

To edit an existing user, click on the user under the User Management section. To delete a user, click the X next to the user on the right side of the user list.

When using Meraki hosted authentication, the user's email address is the username that is used for authentication.

RADIUS

Use this option to authenticate users on a RADIUS server. Click Add a RADIUS server to configure the server(s) to use. Enter in the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.

For more information on how to configure Radius authentication for Client VPN, refer to the documentation on Configuring RADIUS Authentication with Client VPN.

Note: If multiple RADIUS servers are configured, RADIUS traffic will not be load balanced.

Active Directory

Use this option if user authentication should be done with Active Directory domain credentials. You will need to provide the following information:

Mx100
  • Short domain: The short name of the Active Directory domain.
  • Server IP: The IP address of an Active Directory server on the MX LAN or a remote subnet routable through AutoVPN.
  • Domain admin: The domain administrator account the MX should use to query the server.
  • Password: Password for the domain administrator account.

For example, considering the following scenario: Users in the domain test.company.com should be authenticated using an Active Directory server with IP 172.16.1.10. Users normally log into the domain using the format 'test/username' and you have created a domain administrator account with the username 'vpnadmin' and the password 'vpnpassword'.

  • The Short domain would be 'test'.
  • The Server IP would be 172.16.1.10.
  • The Domain admin would be 'vpnadmin'.
  • The Password would be 'vpnpassword'.

Refer to the Active Directory documentation for more information about integrating AD with Client VPN.

Note: At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Setting

Systems Manager Sentry VPN Security

When using Meraki cloud authentication, Systems Manager Sentry VPN security can be configured If your Dashboard organization contains one or more MDM networks. Systems Manager Sentry VPN security allows for devices enrolled in Systems Manager to receive the configuration to connect to the Client VPN through the Systems Manager profile on the device.

To enable Systems Manager Sentry VPN security, choose Enabled from the Client VPN server pulldown menu on the Security Appliance > Configure > Client VPN page. You can configure the following options:

  • Install Scope: The install scope allows for a selection of Systems Manager tags for a particular MDM network. Devices with these tags applied in a Systems Manager network will receive a configuration to connect to this network's Client VPN server through their Systems Manager profile.
  • Send All Traffic: Select whether all client traffic should be sent to the MX.
  • Proxy: Whether a proxy should be used for this VPN connection. This can be set to automatic, manual, or disabled

When using Systems Manager Sentry VPN security, the username and password used to connect to the client VPN are generated by the Meraki cloud.

Usernames are generated based on a hash of a unique identifier on the device and the username of that device. Passwords are randomly generated.

Client VPN Connections

After configuring Client VPN and users are starting to connect, it may be useful to see how many and what client devices are connected to your network via Client VPN. To see connected Client VPN devices, navigate to Network-wide > Clients > click the dropdown icon on the Search clients... search bar > make sure to select Client VPN and either Online, Offline or both.

Group Policies

It is possible to manually apply group policies to clients connected via Client VPN. Group Policy applied to a client VPN user is associated with the username and not the device. Different devices that connect to Client VPN with the same username will receive the same group policy. For more help on assigning or removing group policies applied to a client, refer to the Creating and Applying Group Policies document.

Note: It is not possible to assign group policies automatically once a user connects to Client VPN.

FAQs Page

If further guidance is required, please feel free to visit the FAQs page built into Client VPN page (Security Appliance > Configure > Client VPN > FAQs). The FAQs contain answers and links (KB Articles and Dashboard pages) to the most common Client VPN inquiries. Below is a snippet of the FAQs page.

Cisco Meraki Client Vpn Setup