Any opinions on this? I’ve typically used programs like AnyConnect in the past, but sure do like the simplicity of using the built-in.
How does it work if they use a laptop inside and outside of office?
I prefer AnyConnect. I configured ours to authenticate against Office365 with MFA.
AnyConnect all the way, will never go back to using regular client VPN. AnyConnect is so much more reliable and feature rich. It provides much better logs and troubleshooting detail. It also easily allows full control over the IP routing table on the client device. For us, this has allowed users to connect to VPN even if their home subnet overlaps with corporate subnet (a whole other topic altogether).
The licenses are cheap, I don’t remember the exact amount but under $20 a year per user.
What do you mean by inside vs outside office? Inside the office they don’t use VPN, outside they do.
Anything, anything but the Windows client. I’ve found it breaks frequently with feature updates, and if you want split tunnel you are scripting it. It’s gross, has no features, it has cost me lots of hours of pain over the years and I hope it burns in hell.
I like AnyConnect, not the best client out there - but it has some nice features like FQDN based split tunnel which is pretty novel even among the better commercial offerings.
We’ve had issues with the Windows VPN reverting security settings in the network adapter which breaks the login, or clearing the saved credentials to log into the VPN (or in some cases both). Because of this, we have switched to AnyConnect with no issues.
I do not recommend the built in Windows VPN.
Just a few notes:
AnyConnect with the MX requires the APEX version of AnyConnect licenses from Cisco and they are sold only in 25-pack increments and 1 or 3 year terms.
Built-in client VPN has an awesome script to push it out here: https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
2FA integration with O365 and SAML for SSO is easy if you don’t already have another ID provider and the shop is Microsoft.
We looked at AnyConnect briefly to resolve issues with ISP shenanigans, but stopped when we discovered it was a separately licensed product.
We have an office of about 30 people that use Windows VPN, no issues. Made the switch from AnyConnect about three years ago when they upgraded the firewall.
AnyConnect has other built-in functionality like integration with Umbrella. It’s not purely just VPN.
We have been using Windows VPN for a couple of years now, for around 1000 people.
It’s indeed a dwark of a config. But it works.
It’s the only way to use a real always-on. We have split it up into a device VPN and a user VPN. The device VPN is connected before the user logs in. It’s based on IKE and certificates and it’s only pointing to the DCs. The user VPN is based on SSL, and certificates and login name.
It doesn’t break with Windows updates. It’s quite stable. However segmentation is a nightmare.
Did you use SAML or OAuth?
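The device-tunnel-before-logon plus split-tunnel user-VPN setup described in the post above, and the "if you want split tunnel you are scripting it" complaint earlier in the thread, both come down to the same script. The following is an added example written for this page, not code posted by anyone in the thread, and it assumes a gateway that speaks IKEv2 with machine certificates and SSTP with EAP-TLS (for instance Windows RRAS; the Meraki MX built-in client VPN is L2TP/IPsec, so it would not terminate these tunnels as written). The gateway name vpn.example.com, the domain-controller subnet 10.0.10.0/24, the corporate prefixes, the profile names and the cipher suite values are all placeholders to be replaced with your own; the cipher suite in particular must match what the gateway is configured to accept.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Every name and prefix below is a placeholder.
$Gateway    = 'vpn.example.com'                  # hypothetical gateway FQDN
$DcSubnet   = '10.0.10.0/24'                     # hypothetical domain-controller subnet
$CorpRoutes = @('10.0.0.0/8', '172.16.0.0/12')   # hypothetical corporate ranges

function Install-DeviceTunnel {
    # Windows only exposes the DeviceTunnel flag through ProfileXML applied via the
    # MDM bridge WMI provider, which only answers to SYSTEM (GPO startup script,
    # scheduled task as SYSTEM, or psexec -s). Add-VpnConnection cannot do this.
    if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw 'Device tunnel profiles must be installed from the SYSTEM context.'
    }
    $Name = 'Corp Device Tunnel'                 # hypothetical profile name
    $Address, $Prefix = $DcSubnet.Split('/')
    $Xml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$Gateway</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>ECP384</DHGroup>
      <PfsGroup>ECP384</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <Route>
    <Address>$Address</Address>
    <PrefixSize>$Prefix</PrefixSize>
  </Route>
</VPNProfile>
"@
    # The CSP wants the profile XML-escaped inside the ProfileXML property.
    $Escaped = $Xml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
    $Ns = 'root\cimv2\mdm\dmmap'
    $Id = [uri]::EscapeDataString($Name)
    # Remove any previous copy so the script is safe to re-run from a GPO.
    Get-CimInstance -Namespace $Ns -ClassName MDM_VPNv2_01 -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $Id | Remove-CimInstance
    New-CimInstance -Namespace $Ns -ClassName MDM_VPNv2_01 -Property @{
        ParentID   = './Vendor/MSFT/VPNv2'
        InstanceID = $Id
        ProfileXML = $Escaped
    } | Out-Null
}

function Install-UserTunnel {
    # Runs in the user's context (logon script): SSTP with the user's certificate
    # via EAP-TLS, split tunnel, and only the corporate prefixes routed into it.
    $Name = 'Corp User VPN'                      # hypothetical profile name
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    # EAP-TLS with server identity checking, so a spoofed gateway is rejected.
    $Eap = New-EapConfiguration -Tls -VerifyServerIdentity
    Add-VpnConnection -Name $Name -ServerAddress $Gateway -TunnelType Sstp `
        -AuthenticationMethod Eap -EapConfigXmlStream $Eap.EapConfigXmlStream `
        -EncryptionLevel Required -SplitTunneling
    # Without these routes a split-tunnel connection carries no traffic at all.
    foreach ($Prefix in $CorpRoutes) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix
    }
}
```

Run Install-DeviceTunnel from a computer startup script and Install-UserTunnel from a user logon script, which is what pushing the connection via group policy amounts to. Two caveats a practitioner should check: the device tunnel route list is also your segmentation boundary, so keep it to the DCs (or /32 host routes) rather than the whole corporate range; and if a corporate prefix you add with Add-VpnConnectionRoute overlaps a common home range such as 192.168.1.0/24, split tunnelling does not resolve that conflict, and renumbering the branch is the cleaner fix.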
Can you give more details about this setup? This is exactly what we are trying to do with conditional access.
If Windows were setup to connect to the Client VPN at login, what happens when they use that device in the office?
We had to disable the subnet 192.168.1.X from our VPN because users’ home printers couldn’t operate. Is there an easy fix for this, or should I just change the branch subnet to something different? It only affects printing, we don’t get any IP conflicts.
Another thing that is great about using VPN licensing for Anyconnect, is that if you pair it with SIG Umbrella, you can connect users at the Secure Internet Gateway instead of your edge devices.
Hmmm. Any kind of radius auth, no matter the transport, can be backed with token based MFA. Microsoft NPS can use M365 MFA for any radius auth. This can be used with any devices that supports radius for login and gives you full MFA, even on devices that don’t support it.
I have been using this with pfSense Community (free) along with geo-blocking via pfBlocker (free) for more than four years. It has been rock solid and I use the built-in IPsec client on all devices (Windows, Mac, Android, iOS). It has been rock solid and always works well. This bypasses all of the guessing of the account/password attacks of late. With the MFA backing via RADIUS, even if they guess a username/password, they still won’t authenticate due to the MFA backend.
If you are not from an IT background then paying for an SSL/TLS VPN solution with a client makes things “easier”, but I have never found it more “reliable.”
Run Cisco ASAs at work, but DO NOT use AnyConnect in my campus. Use the built-in Windows client with the above solution. This has worked rock solid for 6+ years with only tweaks to the phase 1/phase 2 info as better crypto was supported. We push the VPN connection via group policy so the end user just clicks connect and responds to the MFA prompt. No AnyConnect licensing needed.
2FA integration with O365 for the built-in client? Do you have a link?
Did you realize the licensing is on the honor system? And also a 1x buy at something like $10 a user?
AnyConnect is just an agent used for different Cisco products. If you just want the VPN bits, it’s not really that bad.
Why is segmentation a nightmare?