Meraki with DUO for Client VPN Caveat

Hi,

I thought I would post this here, and I will cross post on Meraki as well in hopes it will save someone some grief.
Background - Client using Meraki Client VPN with DUO, works fine. Client wants to add a new VLAN/Subnet, then all of a sudden DUO stops authenticating with the new Subnet “IN VPN”. If you don’t add the new VLAN/Subnet into the VPN it works fine.

Called Meraki support and asked if the IP address (source to Auth Proxy) would change by adding a new VLAN; the answer was no, the IP should stay the same.

Took a sniffer trace with and without the new VLAN and found the IP address of the Meraki did change, so we had to add it to the allowed sources in the Auth Proxy config. Then it worked.

Verified with Meraki that (for some unknown reason) it takes the highest VLAN number’s IP address as the SVI for the Meraki Client, causing the source IP address of the Auth request to come from the higher IP address.

I hope this makes sense, if not let me know.

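A check for the situation described in the post, as an added example that is not part of the original post and not Duo or Meraki tooling: it reads the `radius_ip_N` entries from an Authentication Proxy config and reports which RADIUS source addresses seen in a capture are not listed. The config fragment, keys and addresses are constructed placeholders, and the helper names are hypothetical; it handles single addresses and CIDR entries only.

```python
import configparser
import ipaddress

# Constructed authproxy.cfg fragment; all values are placeholders.
SAMPLE_CFG = """
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.168.10.1
radius_secret_1=placeholder
port=1812
"""

# Constructed capture result: source address of the RADIUS requests
# before and after the new VLAN was added to the VPN.
OBSERVED = ["192.168.10.1", "192.168.30.1"]


def allowed_clients(cfg_text):
    """Return {section: [ip_network, ...]} for every radius_ip_N entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    out = {}
    for section in cp.sections():
        nets = [ipaddress.ip_network(value.strip(), strict=False)
                for key, value in cp.items(section)
                if key.startswith("radius_ip_")]
        if nets:
            out[section] = nets
    return out


def unlisted_sources(cfg_text, observed):
    """Return observed source IPs not covered by any radius_ip_N entry."""
    nets = [n for group in allowed_clients(cfg_text).values() for n in group]
    return [ip for ip in observed
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    for ip in unlisted_sources(SAMPLE_CFG, OBSERVED):
        print(f"{ip}: not listed; needs its own radius_ip_N / radius_secret_N pair")
```

Running it against the real config after any VLAN change on the MX, with the source addresses taken from a fresh capture, shows whether the proxy will drop the requests before users hit the failure.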