Need help setting up Duo Security for 2FA with Meraki MX84 VPN

We are currently using a Meraki MX84 for VPN.  It connects to our Active Directory to authenticate users.
I am setting up a Duo Authentication Proxy to tie into my Meraki MX84 so I can have Multi-Factor Authentication on my VPN.  The Duo Auth Proxy is asking for a Radius Secret from the Meraki.  I am not sure where to setup the connection on the Meraki side.  Am I setting up sign in with my Radius Server under Access control?
Relay700IT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jody LemoineNetwork ArchitectCommented:
The RADIUS servers and secrets are set up under the Client VPN section of the portal. Screenshot is attached. If you've been authenticating directly against Active Directory, your authentication may not be set up for RADIUS and so the secret field will be hidden.
Relay700IT ManagerAuthor Commented:
Thanks Jody.
So when I add the Radius Server Host, Port and Secret there will my VPN clients stop working instantly or will they still be able to connect while I troubleshoot the integration with Duo?
Jody LemoineNetwork ArchitectCommented:
They won't stop working instantly, but new connections won't be able to establish while you're troubleshooting. If possible, I would set an after-hours window for testing, just so you don't have angry users.
Get a highly available system for cyber protection

The Acronis SDI Appliance is a new plug-n-play solution with pre-configured Acronis Software-Defined Infrastructure software that gives service providers and enterprises ready access to a fault-tolerant system, which combines universal storage and high-performance virtualization.

Relay700IT ManagerAuthor Commented:
Thanks Jody.  I will setup a maintenance window and give it a shot.  Have you done this with the Duo 2 factor?  If so, anything I should watch out for?
Jody LemoineNetwork ArchitectCommented:
I've got it running in a few places. It's fairly simple. I just set up the remote access policy in Microsoft NPS on the DC, register the LAN IPv4 address of the DC as a client with a shared secret, then install the Duo Authentication Proxy on the same DC, using port 1814/udp and point it to the LAN IPv4 address of the DC on port 1812/udp with the same shared secret. That keeps everything self-contained. Once that's set up, point the MX at the LAN IPv4 address of the DC on 1814/udp and you're good.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Relay700IT ManagerAuthor Commented:
I am a bit confused Jody.  I thought the Duo Authentication Proxy acted as the Radius Server and talked to Active Directory.  Wouldn't this negate the need for Microsoft NPS?
Jody LemoineNetwork ArchitectCommented:
I believe that may be an option, but I've never used it. I've always gone through NPS because it allows for remote access policies. If you authenticate directly off of AD, the only real control you have is the dial-in permission field in the user properties.
Relay700IT ManagerAuthor Commented:
Are you still out there Jody?
Relay700IT ManagerAuthor Commented:
Thanks Jody for getting me up and running!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.