Meraki Always On Vpn
For additional information, refer to the AnyConnect configuration guide.
Client Download
Always On Vpn With Meraki
We've been using Meraki Client VPN for some time, but it's not integrated with our AD. I'd like to use Meraki for the VPN and Microsoft for the RADIUS services. I want to ensure there is as much redundancy as possible in our VPN solution by setting up 2 RADIUS servers in our environment. Cisco Meraki uses the integrated Windows client for VPN connection (no Cisco client at this time). To be able to connect with simple AD user account credentials, along with a simple pre-shared key, the steps are very simple.
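The setup the post above describes, as an added example (not the poster's own steps, and not Meraki's documentation): Meraki Client VPN is an L2TP/IPsec tunnel authenticated with a pre-shared key plus user credentials, which the MX forwards to the configured RADIUS (NPS) servers. The script configures the built-in Windows client for it. The connection name and MX hostname are assumptions; the pre-shared key is read at run time rather than stored in the script.

```powershell
# Added example: configure the built-in Windows VPN client for Meraki Client VPN
# (L2TP/IPsec with PSK; user credentials are validated by the MX against RADIUS/NPS).
# Run in an elevated PowerShell on the Windows client.

$ConnectionName = 'Meraki Client VPN'        # assumed display name
$MxHost         = 'mx-xyz.dynamic-m.com'     # assumed: the MX DDNS name or public IP
$PskSecure      = Read-Host -Prompt 'Client VPN pre-shared key' -AsSecureString
$PskPlain       = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PskSecure))

# Replace any stale definition with the same name so the settings below win.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

$Params = @{
    Name                 = $ConnectionName
    ServerAddress        = $MxHost
    TunnelType           = 'L2tp'
    L2tpPsk              = $PskPlain
    AuthenticationMethod = 'MSChapv2'   # username/password inside IPsec; MX relays it to RADIUS
    EncryptionLevel      = 'Required'
    RememberCredential   = $true
    SplitTunneling       = $false       # full tunnel; set $true if only internal prefixes should go via the MX
    Force                = $true
}
Add-VpnConnection @Params

# Windows refuses L2TP/IPsec to a server behind NAT (and from a client behind NAT)
# unless UDP encapsulation is allowed. A reboot is required after setting this.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name 'AssumeUDPEncapsulationContextOnSendRule' -Type DWord -Value 2

Get-VpnConnection -Name $ConnectionName | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod
```

Because the PSK is shared by every client, it only protects the outer IPsec negotiation; the user password (over MSCHAPv2 inside the tunnel) is what RADIUS actually checks, so the NPS policy should still require strong passwords and, where possible, certificate-based or MFA-backed methods.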
- Meraki MDM also fails to load VPN parameters as it requires a Windows profile (apart from the Meraki Agent). Apparently, you cannot have two MDM profiles on Windows 10. There's also the issue of authentication. Meraki does not support Azure Active Directory.
- My company is looking at deploying Windows Always On VPN. We have 2 MX100s and use the standard Meraki VPN client. It works, but as it relies on users to connect, we have PCs that are not compliant. AoVPN seems to be the way to go, but I've read that Meraki can't support this as you need IKEv2 support (I hear version 15.12+ does support this).
Unlike the ASA, the MX does not support web deploy or web launch, the feature that lets end users download the AnyConnect client from a web page served by the AnyConnect head-end. On the MX, download links for the client software are on the AnyConnect settings page of the dashboard, but they are only available to the Meraki dashboard admin, not to end users. Do not share the download link with users: it expires five minutes after the AnyConnect settings page is loaded.
We recommend downloading the AnyConnect client directly from Cisco.com, as the Cisco repository may carry a newer version; refer to the AnyConnect client release notes. We also recommend using Meraki Systems Manager, an equivalent MDM solution, or Active Directory to push the AnyConnect client to end-user devices without user involvement.
AnyConnect requires a VPN client to be installed on the client device. The AnyConnect client for Windows, macOS, and Linux is available in the Client Connection section of the AnyConnect configuration page on the dashboard and can be downloaded by a Meraki dashboard administrator. Note that the download links on the Meraki dashboard expire after five minutes. The AnyConnect client for mobile devices can be downloaded from the respective app stores. Other versions of the AnyConnect client (version 4.8 or higher is required) can also be downloaded from Cisco.com if you have an existing AnyConnect license. AnyConnect web deploy is not supported on the MX at this time.
- Installing the AnyConnect client
- Only the VPN module needs to be selected in the installer. Once the client is installed, open the AnyConnect application and enter the hostname or IP address of the MX (the AnyConnect server) you need to connect to.
AnyConnect Profiles
An AnyConnect profile is a crucial piece for making the AnyConnect client easy to configure once installed. The MX does not support custom hostnames for certificates (e.g. vpn.xyz.com); it only supports the Meraki DDNS hostname for auto-enrollment and use on the MX. Because a Meraki DDNS hostname (e.g. mx450-xyuhsygsvge.dynamic-m.com) is far less memorable than a custom hostname, AnyConnect profiles matter even more here: a profile can define a hostname alias, masking the Meraki DDNS name behind a friendly name for the end user.
Cisco AnyConnect client features are enabled in AnyConnect profiles. These profiles can contain configuration settings like server list, backup server list, authentication time out, etc., for client VPN functionality, in addition to other optional client modules like Network Access Manager, ISE posture, customer experience feedback, and web security. It is important to note that at this time, the Meraki MX does not support other optional client modules that require AnyConnect head-end support. For more details, see AnyConnect profiles.
When a profile is created, it needs to get pushed to the end user's device. There are three ways to do this.
1. Through the AnyConnect server (MX): If profiles are configured on the dashboard, the MX will push the configured profile to the user's device after successful authentication.
2. Through an MDM solution: Systems Manager, an equivalent MDM solution, or Active Directory can be used to push files to specific destinations on the end user's device. Profiles are read from the following paths:
Windows
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Mac OS X
/opt/cisco/anyconnect/profile
Linux
/opt/cisco/anyconnect/profile
3. Manually: Profiles can also be preloaded manually to the same paths as listed above.
How to Create a Profile
Profiles are created with the AnyConnect profile editor, which can be downloaded from the AnyConnect Settings page on the dashboard or from Cisco.com. The profile editor only runs on Windows. Refer to this link for more details on AnyConnect profiles. The screenshot below shows a server configured in the Server List Entry dialog.
When configuration is complete, save the profile. Use a unique file name so the profile is not overwritten by one pushed from another AnyConnect server, then upload the file in the profile update section of the AnyConnect settings page.
Please note that only VPN profiles are supported on the MX at this time. This means you cannot push NVM, NAM, or Umbrella profiles via the MX.
- Select enable profiles, upload your xml file, and save your configuration
- After a user successfully authenticates, the configured profile gets pushed to the user's device automatically
- The effect of the XML profile is visible after successful authentication to the AnyConnect server: users can pick VPN servers by friendly name in the AnyConnect client
The Meraki DDNS hostname is not easy to remember, therefore end users are not expected to use it directly. Profiles should be used to make connecting to the AnyConnect server easy for end users.
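The profile described in this section, as an added example rather than output from Cisco's profile editor or anything from the Meraki documentation: a PowerShell script builds a VPN-only AnyConnect profile whose server list aliases the Meraki DDNS name behind a friendly name, checks that it parses, and stages it in the Windows profile directory listed above (the "Manually" and MDM push paths). The friendly name, the backup MX hostname and the file name are assumptions; the DDNS name is the page's own example.

```powershell
# Added example: generate and stage an AnyConnect VPN profile for an MX head-end.
# Run in an elevated PowerShell on a Windows machine with the AnyConnect client installed.

$DdnsHostName    = 'mx450-xyuhsygsvge.dynamic-m.com'   # the page's example Meraki DDNS name
$BackupHostName  = 'mx450-secondary.dynamic-m.com'     # assumed: DDNS name of a second MX
$FriendlyName    = 'Corp VPN (Meraki MX)'              # assumed: what the user sees in the client
$ProfileFileName = 'corp-mx-anyconnect.xml'            # unique name so another head-end does not overwrite it

# Only VPN profiles are supported on the MX, so this is a plain <AnyConnectProfile>
# with no NAM, NVM or Umbrella sections.
$ProfileXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>$FriendlyName</HostName>
      <HostAddress>$DdnsHostName</HostAddress>
      <BackupServerList>
        <HostAddress>$BackupHostName</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"@

# Fail fast on malformed XML before it lands where the client reads it.
try { [xml]$Parsed = $ProfileXml } catch { throw "Profile XML does not parse: $_" }
if ($Parsed.AnyConnectProfile.ServerList.HostEntry.HostAddress -ne $DdnsHostName) {
    throw 'Server list entry does not point at the MX DDNS hostname'
}

# Destination from the page's path list, with the backslashes restored.
$ProfileDir = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
if (-not (Test-Path $ProfileDir)) {
    throw "AnyConnect profile directory not found at $ProfileDir; install the client first"
}
$Destination = Join-Path $ProfileDir $ProfileFileName

# Write UTF-8 without a byte-order mark.
[System.IO.File]::WriteAllText($Destination, $ProfileXml, [System.Text.UTF8Encoding]::new($false))
Write-Host "Staged $Destination; restart the AnyConnect client to pick it up"
```

The same XML is what you would upload in the dashboard's profile update section for the MX to push after authentication; the on-disk copy simply makes the friendly name available before the user's first successful connection.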
With all the increased focus on working from home and remote access lately, I figured now would be a good time to share my notes on configuring Always On VPN. This first post will cover the basics of the Always On VPN technology. This guide will be split into multiple parts. Links to each individual post in this series can be found below.
Always On VPN – Certificates and Active Directory
Always On VPN – VPN and NPS Server Configuration
Always On VPN – User Tunnel
Always On VPN – Device Tunnel
Always On VPN – Troubleshooting
I want to preface this series by saying that I am not an expert on this topic. These are my notes based on my experiences working with Always On VPN. I highly recommend reading through the official Microsoft Documentation. Additionally, throughout this series I reference a number of posts by Richard Hicks. If you’re going to be deploying any sort of remote access solution, I recommend bookmarking his website.
How Does Always On VPN Work?
Always On VPN is a solution that allows a client to automatically establish a VPN connection without any user interaction. The technology that makes this possible is the VPNv2 CSP node, which is built into Windows 10. This CSP (configuration service provider) allows the built-in Windows 10 VPN client to be configured using an MDM solution (Intune), or PowerShell.
The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates will be used to authenticate the VPN connection.
The Windows 10 VPN client can be configured to connect a user authenticated tunnel or a device authenticated tunnel. Both types of tunnels can be connected simultaneously if required.
User Tunnel
The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.
Here is a high-level overview of the connection process for an Always On VPN user tunnel.
- The VPN client sends a connection request to the external IP address of the VPN server
- The edge firewall passes the connection request to the external interface of the VPN server
- The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
- The RADIUS server receives and authenticates the connection request
- The RADIUS server returns an accept or deny response to the VPN server
- The VPN server allows or denies the connection request based on the response from the RADIUS server
Device Tunnel
The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.
Here is a high-level overview of the connection process for an Always On VPN device tunnel.
- The VPN client sends a connection request to the external IP address of the VPN server
- The edge firewall passes the connection request to the external interface of the VPN server
- The VPN server validates the computer authentication certificate of the client and allows or denies the connection request
Notice that the device tunnel does not use RADIUS for authentication; the VPN server performs the authentication itself, based on the client's computer certificate. This prevents device tunnels from taking advantage of more advanced Always On VPN features like conditional access and multi-factor authentication. For more guidance on when to utilize device tunnels refer to this post.
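The device tunnel just described, applied through the VPNv2 CSP from PowerShell as the introduction above mentions. This is an added example, not the blog author's script and not Microsoft's sample: it writes a ProfileXML into the CSP via the WMI-to-CSP bridge (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01). The tunnel name, VPN server name and routed internal prefix are assumptions. Because the device tunnel is a machine-context profile, the script has to run as SYSTEM (for example via PsExec with -s), and the client must be a domain-joined Windows 10 Enterprise machine that already holds a computer certificate from the enterprise CA.

```powershell
# Added example: deploy an Always On VPN device tunnel through the VPNv2 CSP.
# Run as SYSTEM on the Windows 10 client. Machine-certificate auth only, so no
# EAP/RADIUS section appears; IKEv2 is the only protocol a device tunnel supports.

$ProfileName = 'Corp Device Tunnel'           # assumed
$VpnServer   = 'vpn.corp.example'             # assumed: public name of the RRAS server, must match its cert
$InternalNet = @{ Address = '10.0.0.0'; PrefixSize = 8 }   # assumed: prefix reachable only through the tunnel

$ProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>$($InternalNet.Address)</Address>
    <PrefixSize>$($InternalNet.PrefixSize)</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string, so the markup is entity-encoded first.
$EscapedXml = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$InstanceId = $ProfileName -replace ' ', '%20'
$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$ParentId   = './Vendor/MSFT/VPNv2'

$Session = New-CimSession

# Remove a stale profile of the same name; otherwise the new ProfileXML is not applied.
foreach ($Existing in $Session.EnumerateInstances($Namespace, $ClassName)) {
    if ($Existing.InstanceID -eq $InstanceId) {
        $Session.DeleteInstance($Namespace, $Existing)
    }
}

$Instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $ParentId;   Flags = 'Key' },
    @{ Name = 'InstanceID'; Value = $InstanceId; Flags = 'Key' },
    @{ Name = 'ProfileXML'; Value = $EscapedXml; Flags = 'Property' }
)) {
    $Instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$Session.CreateInstance($Namespace, $Instance) | Out-Null

# A device tunnel is an all-user connection; it should now be listed here.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Format-List Name, ServerAddress, TunnelType, ConnectionStatus
```

A user tunnel is deployed the same way but in the user's context, with `<UserMethod>Eap</UserMethod>` and an EAP configuration block in place of `<MachineMethod>`, and without `<DeviceTunnel>`; that is the part of the profile RADIUS (NPS) evaluates.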
VPN Protocols
Always On VPN utilizes familiar VPN infrastructure, which means that it can also utilize familiar VPN protocols. There are two main protocols that make the most sense to use when working with Always On VPN.
IKEv2
Internet Key Exchange version 2 (IKEv2) has good security and good performance. Its ability to automatically re-connect after a short interruption gives it good reliability as well. The primary concern with using IKEv2 is that communication happens on UDP 500 (IKE) and UDP 4500 (NAT traversal), ports that restrictive guest, hotel and corporate firewalls often block, so the connection is more likely to fail on untrusted networks.
Note that when using a Always On VPN device tunnel, IKEv2 is the only supported protocol.
SSTP
Secure Socket Tunneling Protocol (SSTP) also has good security, and good performance. The main benefit of using SSTP is that communication happens on TCP 443, so it is very unlikely that it will be blocked anywhere. The downsides to SSTP are that it is not quite as secure as IKEv2, and it does not handle connection interruptions as well.
About this Guide
The goal of this series is to cover the deployment of a basic Always On VPN environment. This guide will assume the reader has existing knowledge of Active Directory Domain Services, Active Directory Certificate Services, DNS, and basic enterprise networking concepts.
This example deployment of Always On VPN will include:
1 VPN server running Windows Server 2019 with the Routing and Remote Access role. This server will be located in a perimeter network and will have 2 network adapters.
1 NPS server running Windows Server 2019 with the Network Policy Server role. This server will be located in the internal network.
1 VPN client running Windows 10 Enterprise 1909. Both user and device tunnels will be configured.
This deployment will be configured to use IKEv2 for the User Tunnel and Device tunnel.
This guide also assumes Active Directory Domain Services, Active Directory Certificate Services, and Group Policy are installed and functional.
Additional Reading
This guide is for a basic deployment of Always On VPN. There are more advanced features that can be configured but will not be covered here.
Also, remember to check out the full Microsoft Documentation.