The support for AnyConnect VPNs is probably one of the most wanted features for Meraki customers. It was first announced at Cisco Live 2015 (at least that is where I first heard of it), and after no more than six years the first public beta (v16.4) is available.

My first try was with a Meraki Z3, which should be supported, but that device did not want to enroll a public certificate. Either it kept a self-signed certificate or it did not enable the AnyConnect server at all. The next try was my MX68 (which I got from Meraki for my recognition as a Meraki All-Star, thanks again for that!). With this device the AnyConnect VPN was working.

The configuration is Meraki-easy as expected:

- Change or accept the AnyConnect port (default 443) and the login banner (default "You have successfully connected to client vpn.").
- Upload a client profile (optional, but I would always do so).
- Configure the authentication (RADIUS, Meraki Cloud or AD).
- Configure the AnyConnect VPN subnet, nameservers and DNS suffix.

That's all that has to be done, and it is working.

## What is different to an AnyConnect implementation on the ASA

### Certificate Enrollment

The certificate is automatically deployed for the DDNS hostname of the MX. It comes from the QuoVadis Root CA, which should be trusted on all relevant systems, and is valid for three months. The documentation says that it should auto-renew before it expires. I expected that they would implement an automatic Let's Encrypt enrolment, but at least at the moment that is not possible. It's also not possible to import your own certificate.

On all my ASA implementations, I only enable TLS 1.2 with next-generation encryption and disable everything that has no Forward Secrecy (FS). The MX also only uses TLS/DTLS 1.2, which is great. But a lot of non-FS algorithms are enabled. SSLLabs only rates the VPN server with a "B", which is not state of the art any more. Having a default config (that can not be tuned) that gives a "B" is a little bit awkward nowadays.

### Authentication

You can also use double authentication (certificate and AAA), which I didn't test yet. There is no dedicated MFA config, but with RADIUS we can use any MFA server of our choice. After increasing the RADIUS timeout (default 3 seconds) to give the user time to approve the push, MFA with the DUO authentication proxy directly worked like a charm. The authentication protocol is "PAP_ASCII", so there is no password management for AnyConnect users on the MX. PAP also means the RADIUS server receives the password itself, hidden on the wire only by the RFC 2865 shared-secret obfuscation, so the path between MX and RADIUS server should be a trusted one.

On the ASA you can configure different IP subnets for different user groups; this is not possible with the MX, and all users share the same VPN subnet. It is also not possible to use a DHCP server for address assignment.

In contrast to the legacy client VPN, where all remote access users had to share the same "permit any" authorisation, with AnyConnect the RADIUS server can apply a group policy to the session with the help of the RADIUS attribute "Filter-Id".

Be careful with the group policy names, because the match is on the exact string. If you configure the Filter-Id as "RA-USER" and the RADIUS server automatically appends ".in" to the attribute, the group policy has to be named "RA-USER.in" in the Meraki dashboard.

Same as with the AnyConnect pool, the split-tunnel config is global and can not be configured per user group.

### AnyConnect Profiles

As of now, only VPN profiles can be pushed to the client. My first test did not work because the filename looked like an FQDN. After replacing the dots with dashes and only keeping the dot of the extension, it worked. The Meraki cloud added a second ".xml", so the profile name ended up with a doubled extension, but that does not harm anything. There is no profile editor embedded; the profiles have to be created in the standalone Profile Editor or in a text editor. Meraki All-Star PhilipDAth created an online version to generate a basic profile: /cookbooks/online-anyconnect-profile-editor.html

### Redundancy

If the ASA has multiple ISP interfaces, it can be configured to accept connections on all of them. The MX only accepts AnyConnect connections on the primary WAN interface. But on failure of the primary interface, the DDNS entry is updated to the IP of the secondary interface, and that interface then accepts the connections. Switching over took a couple of minutes, which is not as good as configuring backup servers in the profile, but at least we have basic redundancy.

### Client Versions

While the ASA supports a wide range of AnyConnect versions, the MX needs at least AnyConnect 4.8.
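To see for yourself which non-FS suites the MX (or any SSL-VPN head-end) still accepts, the following script offers one TLS 1.2 cipher suite per handshake and sorts the accepted ones by key exchange. This is an added example for the Certificate Enrollment discussion above, not code from the post or from Meraki; `vpn.example.com` and port 443 are placeholders, and the suite list comes from whatever OpenSSL the local Python links against.

```python
"""Probe which TLS 1.2 cipher suites a VPN endpoint accepts and flag the ones
without forward secrecy (static RSA/ECDH key exchange).
Added example, not Meraki's or the post author's code. HOST/PORT are placeholders."""
import socket
import ssl

HOST = "vpn.example.com"   # placeholder for the MX DDNS hostname (assumption)
PORT = 443                  # the AnyConnect port configured in the dashboard


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral key exchange only: OpenSSL names it with an ECDHE-/DHE- prefix,
    and every TLS 1.3 suite (TLS_ prefix) is ephemeral by definition."""
    return suite.upper().startswith(("ECDHE-", "DHE-", "TLS_"))


def candidate_suites() -> list:
    """Every pre-TLS-1.3 suite the local OpenSSL can offer, including the legacy
    static-RSA ones a default context would never send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def accepts(host: str, port: int, suite: str, timeout: float = 5.0) -> bool:
    """One TLS 1.2 handshake offering exactly one suite; True if the server took it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False       # we are grading cipher policy, not the chain
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(suite)       # raises if the local OpenSSL refuses the suite
    except ssl.SSLError:
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (OSError, ssl.SSLError):
        return False


def probe(host: str = HOST, port: int = PORT) -> dict:
    """Map suite name -> accepted; does real network I/O against host:port."""
    return {s: accepts(host, port, s) for s in candidate_suites()}


def grade(results: dict) -> tuple:
    """Split accepted suites into (forward-secret, non-forward-secret), each sorted.
    A non-empty second list is what pulls an SSL Labs rating down to a B."""
    fs = sorted(s for s, ok in results.items() if ok and has_forward_secrecy(s))
    non_fs = sorted(s for s, ok in results.items() if ok and not has_forward_secrecy(s))
    return fs, non_fs


if __name__ == "__main__":
    fs, non_fs = grade(probe())
    print("forward-secret suites accepted:", *fs, sep="\n  ")
    print("NON-forward-secret suites accepted:", *non_fs, sep="\n  ")
```

Only run it against a head-end you own; it opens one connection per suite. TLS 1.3 suites are left out of the probe because Python's `ssl` module cannot restrict them one at a time, and they are all forward-secret anyway.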
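The Authentication section above makes two points that are easy to get wrong when wiring up a RADIUS/MFA proxy: the MX speaks PAP, and the group policy is chosen by an exact match on the Filter-Id string the server returns. The following script, an added example that is neither Meraki's nor the post author's code, encodes a PAP Access-Request the way RFC 2865 prescribes and resolves the Filter-Id from a constructed Access-Accept against a set of dashboard policy names; the shared secret, NAS address and the sample reply are all made up here, and Message-Authenticator is left out for brevity.

```python
"""RADIUS PAP Access-Request encoding and Filter-Id-to-group-policy resolution.
Added example for this post, not Meraki or vendor code. The secret, the NAS
address and SAMPLE_ACCEPT are constructed for illustration."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    This is the only protection the password has on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, i.e. what the RADIUS server (or the MFA proxy) computes.
    Trailing NUL padding is stripped, so passwords may not end in NUL."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV; the length byte covers type and length as well."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from a RADIUS packet, honouring the Length field."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def group_policy_for(accept: bytes, dashboard_policies: set):
    """Name of the dashboard group policy matching the Filter-Id exactly, else None.
    'RA-USER.in' from a server that appends '.in' will not match a policy 'RA-USER'."""
    if accept[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(accept):
        if atype == FILTER_ID:
            name = value.decode()
            return name if name in dashboard_policies else None
    return None


# Constructed Access-Accept from a server that appends ".in" to the Filter-Id.
_accept_attrs = attr(FILTER_ID, b"RA-USER.in")
SAMPLE_ACCEPT = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(_accept_attrs))
                 + bytes(16)   # Response Authenticator, not verified in this example
                 + _accept_attrs)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, secret, "alice", "correct horse", "192.0.2.10")
    print("Access-Request:", req.hex())
    print("policy with 'RA-USER.in' defined:", group_policy_for(SAMPLE_ACCEPT, {"RA-USER.in"}))
    print("policy with only 'RA-USER' defined:", group_policy_for(SAMPLE_ACCEPT, {"RA-USER"}))
```

If a login authenticates but lands in the wrong policy, dump the Accept the proxy actually returns and compare the Filter-Id byte for byte with the dashboard name; a stray suffix or case difference is enough for the exact match to fail.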
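For the AnyConnect Profiles section above, here is a generator for the smallest useful VPN profile together with the filename rule the upload stumbled over (dots only in the extension). This is an added example, not the post author's, PhilipDAth's or Meraki's code; the element set is a minimal subset of the AnyConnect profile schema, and `vpn.example.com` is a placeholder for the MX DDNS name. The optional `BackupServerList` is the ASA-style fallback mentioned under Redundancy; on the MX the single DDNS name is the only target, so it is left empty by default.

```python
"""Minimal AnyConnect VPN client profile generator plus the dashboard filename rule.
Added example, not from the post or from Meraki. Hostnames are placeholders."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.xmlsoap.org/encoding/"


def profile_filename(display_name: str) -> str:
    """'vpn.example.com.xml' -> 'vpn-example-com.xml': only the extension keeps its dot,
    which is what made the upload work in the post."""
    stem = display_name[:-4] if display_name.lower().endswith(".xml") else display_name
    return stem.replace(".", "-") + ".xml"


def build_profile(host_name: str, host_address: str, backup_addresses=()) -> str:
    """Profile with one HostEntry and optional ASA-style backup servers."""
    backups = "".join(f"<HostAddress>{escape(b)}</HostAddress>" for b in backup_addresses)
    backup_xml = f"<BackupServerList>{backups}</BackupServerList>" if backups else ""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<AnyConnectProfile xmlns="{NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        f'xsi:schemaLocation="{NS} AnyConnectProfile.xsd">'
        "<ClientInitialization>"
        '<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>'
        '<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>'
        "</ClientInitialization>"
        "<ServerList><HostEntry>"
        f"<HostName>{escape(host_name)}</HostName>"
        f"<HostAddress>{escape(host_address)}</HostAddress>"
        f"{backup_xml}"
        "</HostEntry></ServerList>"
        "</AnyConnectProfile>\n"
    )


def server_addresses(profile_xml: str) -> list:
    """Parse a profile back and return every HostAddress, primary first: the
    sanity check to run before uploading to the dashboard."""
    root = ET.fromstring(profile_xml)
    return [e.text for e in root.iter(f"{{{NS}}}HostAddress")]


if __name__ == "__main__":
    xml_text = build_profile("Office VPN", "vpn.example.com")   # placeholder host
    name = profile_filename("vpn.example.com.xml")
    with open(name, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(f"wrote {name} with servers {server_addresses(xml_text)}")
```

Expect the dashboard to append its own `.xml` to whatever name you upload; as the post notes, the doubled extension is harmless.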