05-04-2018 08:45 AM
We love the Group Policy feature that allows us to apply traffic shaping, firewall rules, and bandwidth restrictions to certain VLANs, clients, or users. Unfortunately it is not possible to apply group policies to client VPN! This seems like a huge oversight and we would love for this option to be made available.
05-04-2018 09:14 AM
You can set the group policy of client VPN connections. Select the connection under network wide - clients and then you can set the policy directly on the connection.
This isn't automated, but it is possible today.
05-04-2018 01:42 PM
This isn't a great fix @MRCUR. For a start, you can't apply the policy until the user has connected (so you can see them).
Next if they connect rarely (say annually to provide support) and they age out, you have to re-apply that policy, but only after they have connected.
The policy needs to be applied at the user level, before they connect.
I tried applying a policy using RADIUS and the Filter-Id attribute (that other bits of Meraki kit use) but alas it ignored it. We really need Filter-Id RADIUS support as well.
05-04-2018 02:12 PM
@Philip D'Ath I'm not saying it's a great fix. But it is an option today which is better than no option at all.
08-20-2020 10:09 AM
Hi,
Is there still no solution to this?
We use Meraki authentication for VPN access and there still seems to be no pre-applied policy available.
In the client list, however, the already connected clients are visible.
Like you suggested, I applied a policy to that user once logged in, but the group policy is not overriding the layer 3 policies on the client VPN page.
Did this ever work on your network?
cheers
08-07-2018 01:07 PM
Where are we on this? I wanted to move from the ASA to this device, I can't because I can't restrict them. I can't believe this isn't a feature at this point.
08-12-2018 06:04 AM
Hey guys,
Have you tried creating the clients via MAC address and applying the policy prior to the client creation?
Thanks!
Giacomo
08-12-2018 12:26 PM
How do you find the MAC address for a VPN client?
08-12-2018 10:41 PM
Hey @Philip D'Ath,
I would expect to have to request it from the client itself (e.g. ipconfig). The only thing I haven't tried is whether the MX is going to recognise it, as it normally reports the VPN clients from an IP perspective rather than a MAC (which I assume is what you were getting at).
It would be interesting to try it out.
Cheers!
Giacomo
08-12-2018 11:14 PM
There is no workaround to apply different Group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it's a valid request, and using the Make a wish section will help our product and engineering teams to consider these new enhancements.
08-14-2018 06:48 AM
10-01-2018 09:06 PM
We desperately need this feature too. We have a situation where a client has asked us to block access to company email (Office 365) for all employees after hours. They use a range of devices both internally and externally to access their email. Neither Microsoft nor any other third party vendors (I've asked Okta, Duo, Jumpcloud, Onelogin etc) offer any kind of schedule-based access. The best shot I have (had??) at a solution is to require all Office 365 traffic to originate from the corporate IP address. In order to accomplish this we would require all devices to VPN into the corporate network first in order to access email. From there we could implement a Group Policy with a schedule and URL blocking and apply it to all clients, except that Meraki DOESN'T SUPPORT GROUP POLICY FOR CLIENT VPN!!!! C'mon guys, you have a shot here at being frikkin heroes. Yes, I've submitted a request via the Make A Wish button too.
10-01-2018 10:13 PM
You could try using the Office 365 API (known as the Graph API). It looks like you could use the "Update User" method, and either set accountEnabled to true (at beginning of the day) or false (at the end of the day).
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_update
Then schedule a script in the morning to enable accounts and in the evening to disable accounts.
If you are using the DirSync connector you could also just set the attribute in Active Directory morning and night and let it replicate.
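The scheduled enable/disable run suggested in the post above, as an added example that is not part of the original post or of Microsoft's code. It assumes the Graph v1.0 "Update user" endpoint, an access token obtained elsewhere, and constructed business hours, user names and an exempt break-glass account; the `__main__` part is a dry run that prints the planned requests without sending them.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, time

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"  # Graph "Update user" endpoint
WORK_START, WORK_END = time(8, 0), time(18, 0)          # assumed business hours
WORK_DAYS = {0, 1, 2, 3, 4}                             # Monday-Friday (assumption)
EXEMPT = {"breakglass@example.com"}                     # constructed: never disabled

def should_be_enabled(now: datetime) -> bool:
    """True inside the business-hours window, False after hours and at weekends."""
    return now.weekday() in WORK_DAYS and WORK_START <= now.time() < WORK_END

def build_update(user: str, enabled: bool, token: str) -> urllib.request.Request:
    """Build the PATCH request that sets accountEnabled for one user."""
    body = json.dumps({"accountEnabled": enabled}).encode()
    url = f"{GRAPH_USERS}/{urllib.parse.quote(user, safe='@')}"
    return urllib.request.Request(
        url, data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def plan(users, now, token):
    """Requests one scheduled run would send; exempt accounts are skipped."""
    enabled = should_be_enabled(now)
    return [build_update(u, enabled, token)
            for u in users if u.lower() not in EXEMPT]

def send(requests):
    """Send the planned requests and return the HTTP status per URL."""
    results = {}
    for req in requests:
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results[req.full_url] = resp.status
        except urllib.error.HTTPError as err:
            results[req.full_url] = err.code  # e.g. 403 if the token lacks rights
    return results

if __name__ == "__main__":
    users = ["alice@example.com", "breakglass@example.com"]  # constructed sample
    for req in plan(users, datetime.now(), token="<ACCESS_TOKEN>"):
        print(req.get_method(), req.full_url, req.data.decode())  # dry run only
```

Keeping an exempt list matters here: a run that disables every account, administrators included, leaves nobody able to sign in and undo it.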
09-06-2019 05:10 AM
Where are we with this ticket @meraki_ -- any solutions? I have pushed a wish in the dashboard... We need to give different VPN users different access - if we can apply group policies to client VPN users, our problem is solved - but now everyone sees everything. That's very unsafe!!
06-03-2021 10:43 AM
Any updates on this? It's been almost three years since it was submitted as a feature request...
We're currently implementing the workaround described above, where you wait for the client to connect and then assign the group policy to the client device, but this is a really hacky solution that ends up being way more labour intensive than being able to simply add the VPN user accounts to the group policy.