Relay700 asked:

Need help setting up Duo Security for 2FA with Meraki MX84 VPN

We are currently using a Meraki MX84 for VPN. It connects to our Active Directory to authenticate users.
I am setting up a Duo Authentication Proxy to tie into my Meraki MX84 so I can have multi-factor authentication on my VPN. The Duo Auth Proxy is asking for a RADIUS secret from the Meraki. I am not sure where to set up the connection on the Meraki side. Am I setting up sign-in with my RADIUS server under Access control?
Tags: Cisco, Active Directory, Networking, VPN, Security

Last Comment
Relay700

8/22/2022 - Mon
Jody Lemoine

The RADIUS servers and secrets are set up under the Client VPN section of the portal. Screenshot is attached. If you've been authenticating directly against Active Directory, your authentication may not be set up for RADIUS and so the secret field will be hidden.
Screen-Shot-2018-12-11-at-2.54.59-PM.png
Relay700

ASKER
Thanks Jody.
So when I add the RADIUS server host, port and secret there, will my VPN clients stop working instantly, or will they still be able to connect while I troubleshoot the integration with Duo?
Jody Lemoine

They won't stop working instantly, but new connections won't be able to establish while you're troubleshooting. If possible, I would set an after-hours window for testing, just so you don't have angry users.
Relay700

ASKER
Thanks Jody. I will set up a maintenance window and give it a shot. Have you done this with the Duo 2 factor? If so, anything I should watch out for?
ASKER CERTIFIED SOLUTION
Jody Lemoine

This solution is only available to members.
Relay700

ASKER
I am a bit confused, Jody. I thought the Duo Authentication Proxy acted as the RADIUS server and talked to Active Directory. Wouldn't this negate the need for Microsoft NPS?
Jody Lemoine

I believe that may be an option, but I've never used it. I've always gone through NPS because it allows for remote access policies. If you authenticate directly off of AD, the only real control you have is the dial-in permission field in the user properties.
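The arrangement asked about above, with the Duo Authentication Proxy acting as the RADIUS server for the MX84 and checking passwords against Active Directory itself, sketched as an `authproxy.cfg` (added example, not part of the thread; every address, account name and key below is a placeholder):

```ini
; authproxy.cfg on the Duo Authentication Proxy host
; All values are placeholders; substitute your own.

[ad_client]
; Primary authentication: the proxy binds to Active Directory directly.
host=10.0.0.10
service_account_username=duo-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=com

[radius_server_auto]
; Secondary authentication: Duo application credentials.
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=REPLACE_WITH_API_HOSTNAME
; The only RADIUS client allowed to talk to the proxy: the MX84.
radius_ip_1=10.0.0.1
; Must be identical to the secret entered for the RADIUS server
; in the Client VPN section of the Meraki portal.
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SECRET
; Use the [ad_client] section above for the password check.
client=ad_client
port=1812
; "secure" rejects logins when Duo cannot be reached;
; "safe" would let them through on the AD password alone.
failmode=secure
```

The RADIUS secret is a shared value you choose and enter on both sides, so generate a long random string and restrict read access to this file, which also holds the AD service account password and the Duo secret key.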
Relay700

ASKER
Are you still out there Jody?
Relay700

ASKER
Thanks Jody for getting me up and running!!