Meraki Setup Client Vpn



The purpose of this article is to demonstrate how to configure VPN settings through Systems Manager (SM).

A Virtual Private Network (VPN) is used to allow secure remote connection and access to a network. Systems Manager can be used to automatically push VPN settings to managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices. Within SM, a VPN connection can be configured manually or, with the addition of an MX Security Appliance or Cisco Meraki Concentrator in the same Dashboard organization, configured automatically. Automatically importing the VPN settings from the MX or Concentrator network not only greatly simplifies the configuration process, it also prevents typos in the VPN settings.

Note: Deploying VPN settings via SM is available for iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices.

The client VPN subnet is 10.1.2.0/24; the subnet it cannot access is 192.168.10.0/24, which is a voice network. I am trying to set up softphones for some teleworkers and have had zero luck with this. Makes no sense, as I have nothing blocking access to that subnet; pcaps haven't helped much either. Cisco Meraki uses the integrated Windows client for VPN connection (no Cisco client at this time). To be able to connect with simple AD user account credentials, along with.

More Information: Configuring client VPN.

More Information: For detailed information on how to create and deploy SM configuration profiles to different groups of managed devices, please consult this article.

Sentry VPN on Meraki MX-Z Devices

Sentry VPN Security lets you define a tag scope that receives a dynamically generated VPN configuration. It is enabled from the Security appliance > Configure > Client VPN page and is applied by selecting the appropriate tag scope for your SM devices:

Sentry Configuration for VPN in Systems Manager

This option uses the Cisco Meraki cloud to automatically configure a VPN connection to an MX Security Appliance or VM Concentrator added in the same Dashboard Organization as the Systems Manager network.

  1. Navigate to the Systems Manager > Manage > Settings page.
  2. Select the VPN tab.
  3. Configuration: Select Sentry.
  4. Security Appliance: Select the Dashboard network (MX or Concentrator) that contains the desired VPN connection.
  5. Auth type: If choosing Specify account, a prompt to specify the name of the user account for authenticating the connection will appear. If Use device identity is selected, Dashboard will automatically generate and use unique identifying credentials for each device when connecting to the MX VPN.
  6. Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional).

The following screenshot displays an example of how to set up the Sentry VPN connection:

Manual Configuration

This option allows you to manually configure VPN settings. The supported and configurable manual VPN protocols are L2TP, PPTP, IPsec (Cisco), and Cisco AnyConnect. Note that PPTP (MS-CHAPv2) is cryptographically broken and should only be selected where no other option is possible; prefer L2TP/IPsec or AnyConnect.

  1. Navigate to the Systems Manager > Manage > Settings page.
  2. Select the VPN tab.
  3. Configuration: Choose Manual.
  4. Connection Name: Input a name for the VPN connection that will be displayed on the device.
  5. Connection Type: Select L2TP, PPTP, IPsec (Cisco), or Cisco AnyConnect.
  6. Server: Input the public IP address or hostname of the VPN server.
  7. Shared Secret (L2TP Only): Input the shared secret for the VPN connection.
  8. User Authentication: Select the user authentication method. Choosing Password allows the device user to be prompted for a password when using the VPN connection.
  9. Account: Specify the name of the user account used for authenticating the connection (e.g., DOMAIN\username, or username@domain.tld).
  10. Group Name (AnyConnect Only): Specifies the group in which the AnyConnect account resides.
  11. Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional).
  12. Proxy Setup: Configure a proxy to be used with the connection (Optional).

The following screenshot displays an example of how to setup the Manual VPN connection. Settings vary depending on the VPN connection type.

Systems Manager can be used to push VPN configuration settings to remotely managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices. Adding an MX or Concentrator network to the Dashboard Organization can greatly simplify the configuration process by importing the VPN settings and automatically updating them if any changes are made. Once the managed devices are able to check in with SM, the VPN connection profile payload will install and be available for the device user to select.

Cisco AnyConnect and AnyConnect Legacy

When selecting the Cisco AnyConnect connection type, a certificate must be uploaded. This certificate can be exported from the VPN endpoint device and uploaded to Dashboard after clicking the 'Add Credentials' option.

Cisco Meraki Client VPN can be configured to use a RADIUS server to authenticate remote users against an existing userbase.

This article outlines the configuration requirements for RADIUS-authenticated Client VPN, as well as example RADIUS configuration steps using Microsoft NPS on Windows Server 2008.

RADIUS Configuration

While any RADIUS server can be used, the following configuration requirements are necessary for Client VPN integration:

  • RADIUS must be configured to allow PAP (unencrypted authentication)

Note: Communication between the client and the MX is encapsulated within IPsec, so this does not mean that client communication is unencrypted. Between the MX and the RADIUS server, however, the PAP password is carried in the RADIUS User-Password attribute, which is only obfuscated with an MD5 stream keyed by the RADIUS shared secret (RFC 2865), not encrypted. Keep the MX-to-RADIUS path on a trusted network or inside a VPN, and use a long, random shared secret.

  • The MX/Z1's IP address must be configured on the server as a RADIUS client/authenticator, with a shared secret.

Please refer to your RADIUS server vendor's documentation for configuration specifics.

Example RADIUS Server Configuration (Windows NPS + AD)

The following example configuration outlines how to configure an existing Windows Server 2008 system running Network Policy Server (NPS) alongside Active Directory:

  1. Add the MX Security Appliance as a RADIUS client on the NPS server.
  2. Configure a RADIUS Connection Request in NPS.
  3. Configure a RADIUS Network policy in NPS.

Note: This configuration assumes that NPS is already running on the Windows server. Please refer to Microsoft documentation for assistance in running NPS.

Add the MX Security Appliance as a RADIUS client on the NPS server

In order for the MX to act as an authenticator for RADIUS, it must be added as a client on NPS.

  1. Open the NPS Server Console by going to Start > Programs > Administrative Tools > Network Policy Server.
  2. In the Left pane, expand the RADIUS Clients and Servers option.
  3. Right-click the RADIUS Clients option and select New.
  4. Enter a Friendly Name for the MX Security Appliance or Z1 Teleworker Gateway RADIUS Client.
  5. Enter the IP Address of your MX Security Appliance or Z1 Teleworker Gateway. This IP will differ depending on where the RADIUS server is located:
    • On a local subnet - Use the IP address of the MX/Z1 on the subnet shared with the RADIUS server.
    • Over a static route - Use the IP address of the MX/Z1 on the subnet shared with the next hop.
    • Over VPN - Use the IP address of the MX/Z1 on the highest-numbered VLAN in VPN.
  6. Create and enter a RADIUS Shared Secret (make note of this secret - we will need to add this to the Dashboard).

Note: Currently only ASCII characters are supported for RADIUS shared secrets - Unicode characters will not work correctly.

  7. Press OK when finished.

For additional information or troubleshooting assistance, please refer to Microsoft documentation.

Configure a RADIUS Connection Request

  1. In the NPS Server Console, navigate to Policies > Connection Request Policies. Right-click the Connection Request Policies folder and select New.
  2. In the Connection Request Policy Wizard, enter a Policy Name, select the Network Access Server Type Unspecified, then press Next.
  3. Click Add to add conditions to your policy. Access Request messages will need to meet these conditions to be allowed access.
  4. From the list of conditions select the option for Framed-Protocol. Press Add and place a check next to the PPP option then press Ok.
  5. Click Add to add another condition and select the option for CallingStationID. Enter CLIENTVPN into the text box and press Next.
  6. On the next three pages of the wizard we will leave the default settings. Press Next on these pages to continue.
  7. Review the settings then press Finish.

Configure a RADIUS Network Policy


  1. In the Left pane of the NPS Server Console, right-click the Network Policies option and select New.
  2. In the Network Policy Wizard enter a Policy Name and select the Network Access Server type unspecified then press Next.
  3. Click Add to add conditions to your policy.
  4. From the list of conditions, select the option for Windows Groups. Click Add Groups and enter the name of Windows Group you would like to give Client VPN permission.
  5. Click Add to add an additional condition. Select the option for Framed-Protocol, press Add, check the PPP option, then press Ok.
  6. Click Add to add a final condition. Select the option for CallingStationID. Enter CLIENTVPN into the text box and press Next.

Note: Some versions of Windows Server require that the CallingStationID is omitted. If you are unable to establish connectivity, remove the CallingStationID and leave the field blank.

  7. Leave the default settings on the Specify Access Permission page and press Next.
  8. Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed; press No to continue, then press Next. See the note under RADIUS Configuration above for the security implications of PAP.
  9. Leave the default settings on the next two pages of the wizard. Press Next on these pages to continue.
  10. Review the settings, then press Finish.
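The two NPS conditions above (Framed-Protocol = PPP, Calling-Station-Id = CLIENTVPN) and the PAP requirement from the RADIUS Configuration section both refer to attributes of the Access-Request the MX sends. The following Python script is an added example, not Meraki or Microsoft code: it builds that request as the MX would, hides the PAP password per RFC 2865 section 5.2 using the shared secret, then plays the NPS side by recovering the password, evaluating the same two policy conditions, and answering with a signed Access-Accept or Access-Reject. The username, password, NAS address and shared secret are constructed values; the wrong-secret case shows why the MX must be registered with exactly the secret the server knows.

```python
"""RADIUS Access-Request / Access-Accept as exchanged between an MX (NAS)
and a RADIUS server for PAP Client VPN. Constructed example, RFC 2865."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
FRAMED_PROTOCOL, CALLING_STATION_ID = 7, 31
FRAMED_PROTOCOL_PPP = 1  # the value NPS matches when the condition is "PPP"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side). Trailing padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header octets."""
    return struct.pack("!BB", t, len(value) + 2) + value


def access_request(ident, secret, username, password, nas_ip, calling_station=b"CLIENTVPN"):
    """What the MX sends to NPS. The shared secret must be ASCII (see the note above)."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
    if calling_station is not None:
        attrs += attr(CALLING_STATION_ID, calling_station)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse(packet: bytes):
    """Split a RADIUS packet into (code, id, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[i + 2:i + l]
        i += l
    return code, ident, packet[4:20], attrs


def response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply came from a server holding the shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def evaluate_policy(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Mimic the NPS network policy from the article: both conditions must match,
    then the recovered PAP password is checked against the user store."""
    code, ident, auth, attrs = parse(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    conditions = (attrs.get(FRAMED_PROTOCOL) == struct.pack("!I", FRAMED_PROTOCOL_PPP)
                  and attrs.get(CALLING_STATION_ID) == b"CLIENTVPN")
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(attrs.get(USER_PASSWORD, b""), secret, auth)
    expected = users.get(user)
    ok = conditions and expected is not None and hmac.compare_digest(expected, pw)
    return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, secret)


if __name__ == "__main__":
    secret, users = b"nps-shared-secret", {"jdoe": b"P@ssw0rd!"}  # constructed
    req = access_request(7, secret, "jdoe", "P@ssw0rd!", "10.0.0.1")
    _, _, auth, attrs = parse(req)
    print("hidden User-Password:", attrs[USER_PASSWORD].hex())
    print("accept with right secret:", evaluate_policy(req, secret, users)[0] == ACCESS_ACCEPT)
    print("accept with wrong secret:", evaluate_policy(req, b"typo", users)[0] == ACCESS_ACCEPT)
```

With a mismatched shared secret the server recovers garbage instead of the password, so authentication fails even for a valid account; a real NPS will also log the request as coming from an unknown or mis-keyed client. The hidden password in the packet is what a capture of the MX-to-NPS path exposes, and anyone who knows the shared secret can unhide it, which is the practical reason behind the note about protecting that path.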

Dashboard Configuration

Once a RADIUS server has been configured appropriately, the following steps outline how to configure Client VPN to use RADIUS:

  1. Log onto the Cisco Meraki Dashboard and navigate to Configure > Client VPN.
  2. Select the option to enable the Client VPN Server.
  3. Set the Client VPN Subnet. This will be a unique IP subnet offered to clients connecting to the MX Security Appliance via a Client VPN connection.
  4. Specify the DNS servers.
  5. Enter a shared secret that will be used by the client devices to establish the VPN connection.

Note: This is a different value from the RADIUS shared secret.

  6. Select RADIUS as the Authentication method.
  7. Click the Add a RADIUS Server link.
    1. Enter your RADIUS Host IP Address.
    2. Enter the RADIUS Port that the MX Security Appliance will use to communicate with the NPS server. The default port is 1812.
    3. Enter the RADIUS Shared Secret (established when the MX was added as an authenticator).
  8. Click Save changes.

Client Configuration


Installation of additional software is not required on client devices. The Cisco Meraki Client VPN solution uses L2TP over IPsec, which is supported by the built-in native VPN clients of almost all devices.


Please refer to our Client VPN documentation for client configuration instructions.

Additional Resources

For additional information about Client VPN, please refer to the following articles: