
AnyConnect on Meraki!

At long last, it is finally here. Meraki security appliances support AnyConnect in the open Beta release 16.4.

For those who are blissfully unaware, Meraki’s Client VPN was lacking. You had to use the operating system’s built-in VPN client. I can’t speak for Linux or Mac, but for Windows clients this was an exercise in patience. The Win10 VPN client often loses its settings across Windows Updates and will sometimes just not work. It’s not super user friendly to set up. It sucks.

AnyConnect is used with Cisco’s ASA firewalls. The client establishes an SSL VPN tunnel between the PC and the firewall. It’s super easy to use and is fairly common for Enterprise users. From the administrative side, you can configure different policies for groups, realms, etc. I have had two AnyConnect gateways in my environment for a few years now. There’s a realm for Corp-owned devices, a realm for BYOD devices, and a realm for Vendors. We’re able to dictate access to these realms based on AD groups and leverage a 3rd party MFA solution for hardened access. We have approximately 125 users in total and – at our COVID peak – supported 80 users simultaneously. Our ASAs are approaching end of life, so we have been shopping alternative edge firewall solutions. Meraki has been one of the competitors, and having a decent remote access/client VPN solution is a must.

I was excited to get AnyConnect up and running on my homelab MX67. Once updated to the newest Beta firmware release, you get a handy option in your Dashboard under Security & SD-WAN, Client VPN. Turning it up is very easy:

  1. Flip the radio button from Disabled to Enabled
  2. Choose how clients will authenticate
  3. Define a subnet for your AnyConnect VPN clients

And that’s all that’s required. You’ll have to decide whether to use Google, Umbrella, or a custom DNS server; what traffic you’ll be tunneling; and how users will authenticate. Optionally, you can change the port AnyConnect uses, set a log-in banner, define a group policy, or upload a CA for client certificate authentication. The page also provides the hostname used to connect, as well as links to download the AnyConnect client for Windows, Mac, or Linux. You must be on AnyConnect 4.9 or higher to connect to the MX.

For my home deployment, DNS is pointed to my Pihole, we’re tunneling all traffic, and we’ll use Meraki Cloud Authentication for access. Additionally, we’ll designate my Dashboard Admin user as a VPN user. You can also set up Meraki Cloud Guest users and define a password for VPN access only. All said and done, the completed config page looks something like this.

Once done, you’ll want to get AnyConnect installed. For this example, I have it set up on my Windows laptop.

And now we’re connected! Simple! I also took the time to configure this on my iPhone AnyConnect app. The process is similarly straightforward.

You'll notice a pretty short hostname in the two screenshots above. One quality of life fix I recommend is creating a CNAME entry with your DNS provider to simplify access. If you’re looking for a provider, I’ve used No IP in the past. Their free offering is fine, with the catch of requiring you to verify your DNS entries every 30 days. Their pay tiers are cheap, but I’m cheaper.

The big drawback to this is there’s no way to upload a custom SSL certificate. You’ll get a certificate warning during the login process: not a showstopper, but certainly undesirable, especially in any professional or enterprise environment. Hopefully this is addressed down the road.
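That certificate warning is easier to live with if users have a known-good value to compare against instead of clicking through blindly. The script below is an added example, not code from the original post: it records the SHA-256 fingerprint of whatever certificate the MX presents so an admin can publish it out of band and users can check it before accepting. The hostname is a placeholder, and the fetch deliberately skips validation because a self-signed gateway certificate is expected to fail it.

```python
"""Fingerprint the TLS certificate an AnyConnect gateway presents (added example)."""
import hashlib
import socket
import ssl

GATEWAY_HOST = "vpn-gateway.example.com"  # placeholder, not a real MX hostname
GATEWAY_PORT = 443                        # AnyConnect's default port on the MX


def der_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the format most clients and browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different tools compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(presented: str, expected: str) -> bool:
    """True when the fingerprint a user sees equals the one the admin published."""
    return normalize_fingerprint(presented) == normalize_fingerprint(expected)


def fetch_gateway_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the gateway's leaf certificate in DER form.

    Validation is disabled on purpose: the MX serves a certificate that
    standard trust stores reject, which is exactly the warning users see.
    The fingerprint, not the chain, is what we record here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    cert = fetch_gateway_cert(GATEWAY_HOST, GATEWAY_PORT)
    print(f"{GATEWAY_HOST}: SHA-256 {der_fingerprint(cert)}")
```

Re-run it after each firmware update, since the MX may regenerate its certificate and the published fingerprint must be refreshed before users start seeing a mismatch.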

A major drawback is that MX AnyConnect (MXConnect? AnyMX? these are free suggestions, Cisco) is an on-or-off solution at this point. With no way to set up different subnets, lumping everyone in together limits your ability to get granular like you would on another NGFW (see my earlier comments on the ASA).

I’m interested to see how Cisco continues to develop AnyConnect on Meraki. In its current form, it is no replacement for many of the existing Enterprise Client VPN solutions on the market. Right now, it’s a good fit for small/medium-sized businesses with basic remote access needs. It likely won’t push me to go full-stack Meraki, but it certainly gives them points in their favor.
