Meraki Firewall - Windows VPN Client - Windows/Mac/iPad VPN Swap Issue

We are seeing a strange issue with some users who have multiple devices and I am hoping the community can help while we wait on Meraki support to get back to us.

  1. We’ve updated all of the devices: workstation OS, mobile phone OS and the Microsoft Authenticator app. Win 10/11 and Mac, iPads and mobile (Apple and Android) tested with the same results. All updated fully.
  2. We are testing on wired ethernet connection with good speeds.
  3. We have tested at different physical locations.
  4. We have tested on wired, wireless and cellular.

This is happening to multiple users.

User will connect to the VPN on their Windows PC using the Windows VPN client. They will get the MFA prompt on the Microsoft Auth App and connect fine every time first thing in the morning. If they then disconnect from the VPN and move to their Mac, it will not prompt the Microsoft Auth App. We have not been able to reproduce exactly why it will start working on the Mac, but after some time it will prompt on the Mac and let us connect. I think it's purely time based, as we can’t do anything on the devices or internally on the server or Meraki to reproduce making it work on the second device.

This works the same way if the Mac is used first. It connects the first time no problem if the VPN hasn’t been in use. If we disconnect and move to the Windows PC, it won’t prompt on the Microsoft Auth App.

This also happens when a Mac and iPad are the two devices.

The Mac uses the built-in VPN client.

Switching from wired to wireless or even cellular doesn’t make it prompt. Rebooting modems at the users location or the server at the office doesn’t make it work. We have great speeds at the office and at the users location and we have tried more locations.

We’ve had a good number of people look at this internally so far and we are not sure what's going on. We have dozens of other Meraki devices in different environments with different users and none of them are exhibiting this behavior.

We’ve spent considerable time troubleshooting and researching this issue. We’ve opened a support case with Meraki but I was hoping someone has seen this before and has the fix.

-----

We are thinking about testing Cisco AnyConnect VPN Client but are also debating just rolling out something like Perimeter 81 but I’d really like to know what is causing this.

-----

Also, we are using NPS via our on-prem DC with Azure MFA (RADIUS).

Have you looked in the AAD logs for the user when they don’t get prompted for MFA? You should see it deciding to skip Conditional Access Policy that requires MFA and a reason why.

If this isn’t covered in AAD logs then I’d ditch the whole thing. I need transparency with my authentication solutions, which you’re clearly not getting. Azure AD has great logging most of the time, but other parts of Microsoft are very black-boxy and it is infuriating to work with. Duo is another one that has excellent transparency in the logs.
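One way to do the check this reply describes, as an added example that is not code from the thread or from Meraki/Microsoft: pull a user's recent Entra ID (Azure AD) sign-ins with the Microsoft Graph PowerShell SDK and list, per sign-in, the Conditional Access outcome, each applied policy's result, and the MFA method recorded. It assumes the Microsoft.Graph.Beta.Reports module is installed (the authentication-requirement and MFA-detail fields are only exposed on the beta endpoint), that you can consent to AuditLog.Read.All, and that the UPN and time window are placeholders you replace.

```powershell
# Added example (not from the original thread): show why each recent sign-in
# for one user did or did not require MFA, as seen from the Entra ID sign-in log.
# Assumptions: Microsoft.Graph.Beta.Reports installed; AuditLog.Read.All consent;
# the UPN and the $Hours window are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. 'user@example.com' (placeholder)
    [int] $Hours = 24
)

Import-Module Microsoft.Graph.Beta.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Graph filters on createdDateTime want ISO-8601 UTC without quotes.
$since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

Get-MgBetaAuditLogSignIn -Filter $filter -All |
    Sort-Object CreatedDateTime |
    ForEach-Object {
        # One "name=result" token per Conditional Access policy evaluated for this sign-in.
        # Result values include success, failure, notApplied, notEnabled and reportOnly*;
        # a policy that requires MFA but shows notApplied is the "skip" the reply refers to.
        $policies = $_.AppliedConditionalAccessPolicies |
            ForEach-Object { '{0}={1}' -f $_.DisplayName, $_.Result }

        [pscustomobject]@{
            Time      = $_.CreatedDateTime
            App       = $_.AppDisplayName
            Client    = $_.ClientAppUsed
            OS        = $_.DeviceDetail.OperatingSystem
            IP        = $_.IpAddress
            ErrorCode = $_.Status.ErrorCode            # 0 means the sign-in succeeded
            CAStatus  = $_.ConditionalAccessStatus     # success / failure / notApplied
            AuthReq   = $_.AuthenticationRequirement   # singleFactorAuthentication / multiFactorAuthentication
            MfaMethod = $_.MfaDetail.AuthMethod        # empty when no second factor was performed
            MfaDetail = $_.MfaDetail.AuthDetail        # e.g. "MFA requirement satisfied by claim in the token"
            Policies  = ($policies -join '; ')
        }
    } | Format-Table -AutoSize -Wrap
```

Run it once for a sign-in that prompted and once for the one that silently succeeded on the second device; comparing AuthReq, MfaDetail and the per-policy results side by side is what tells you whether the tenant decided MFA was already satisfied (a prior claim or token) or whether the request never reached a Conditional Access evaluation at all, which is the case this thread later turns out to be in.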

It sounds like the device has an existing token that AAD is taking as valid.

Switch over to AnyConnect instead. It’s a lot easier to use than the L2TP client.

It appears using the NPS extension doesn’t use CAPs. We’ve reviewed the logs and we don’t see anything. We’ve also used the exclude from “require MFA” yet it still prompts them.

Yeah, I’d toss that solution then if I can’t get decent logs out of it.

We had this issue as well. A call to Meraki and they told us it was a firmware bug; rolling back to an earlier version fixed it.