Authenticating Meraki VPN using Cisco ISE

Cisco ISE, Configuration, VPN

Steps to authenticate VPN users connecting to Meraki MX VPN.

Configuring the Meraki MX VPN client

  1. Go to your Meraki dashboard and navigate to Security & SD-WANConfigureClient VPN.
  2. Configure the settings for your environment.
    • Enable the Client VPN Server.
    • Client VPN Subnet: Any valid subnet with enough IP addresses to handle the number of clients. I would avoid LAN overlap.
    • DNS Nameservers: Point to local LAN DNS servers if clients require access to local LAN resources by FQDN.
    • Secret: This is the secret/password used to establish the VPN tunnel. This is not the RADIUS shared secret.
    • Authentication: Set to RADIUS.
      • If no RADIUS servers are configured, you can add a RADIUS server here.
      • The default authentication port is 1812.

Meraki MX Client VPN Configuration

Configure ISE for MX VPN authentication

  1. Add the MX device as a Network Access Device (NAD) in ISE.
    • Administration > Network Resources > Network Devices > AddNetwork Devices Overview after adding MX
    • Use the management LAN IP of the MX.
    • For this example, I created a Network Device Group called Firewalls. The MX64 was added to this group.
    • Make sure to use the same RADIUS secret here as you did in the RADIUS server configuration on the Meraki dashboard.Network device configuration in ISE for MX
  2. Create the Policy Set to use for client authentication and authorization.
    • Policy > Policy Sets > Click the plus (+) sign in the top-left
    • The conditions for the policy set are:
      DEVICE·Device Type Equals All Device Types#Firewall
      Radius·Framed-Protocol Equals PPP
    • This example is using Default Network Access for the Allowed Protocols. You can narrow it down to a custom protocol list that only includes PAP_ASCII.
      ISE Meraki VPN policy set summary
  3. Modify authentication and authorization settings.
    • Authentication: I am using AD to authenticate the users so only the SecDemo AD join is being used. The AD user group was added under Administration > Identity Management > External Identity Sources > Active Directory > [AD Join] > Groups.
    • Authorization: Only user accounts belonging to the VPN Users AD group are permitted access. All others are denied access.
      ISE Meraki VPN policy set configuration

Configure your client and test

At this time, the Meraki VPN only supports L2TP over IPsec for client authentication. You can find a full list of client configuration steps on the Meraki Client VPN OS Configuration site. I used the Mac OS configuration for my lab test.

OSX Meraki MX vpn connected

The first user account I tested (screenshot above) was successful because they belong to the VPN Users AD group. The user account that failed did not belong to the correct AD group.
ISE Live Log showing Meraki VPN authentications
Note that the Endpoint ID will always show CLIENTVPN.

Share this post:

Leave a Reply

Your email address will not be published. Required fields are marked *