Meraki VPN + Duo Multi-Factor Authentication: Securing Remote Access

Remote access has become essential infrastructure rather than optional convenience. Employees work from home, contractors access from offices across the country, and mobile workers need network connectivity from anywhere. This distributed workforce creates security challenges: traditional office-based networks could monitor physical access and device connections, whereas remote access networks must provide security without knowing where connections originate or what devices are connecting.

Password-based authentication, once sufficient for internal networks, becomes dangerously inadequate for remote access. Passwords are stolen through phishing, reused across sites, and cracked through brute force attacks. Adding Duo multi-factor authentication (MFA) to Meraki VPN access dramatically improves security by requiring something you know (password) and something you have (phone for Duo approval).

The Remote Access Security Challenge

Why Remote Access Needs Extra Protection

Office-based employees connect from secured networks with monitored devices. Remote access eliminates these assumptions:

  • Unknown networks – Home WiFi, coffee shop internet, hotel networks potentially compromised
  • Unmanaged devices – Personal computers or shared devices outside organizational control
  • Insecure connections – Public networks without encryption
  • Implicit trust removed – Can’t verify the person connecting is actually who they claim

These factors make remote access inherently riskier than office access.

Password Limitations

Passwords alone cannot adequately secure remote access:

  • Phishing attacks – Fake emails/sites trick users into revealing passwords
  • Credential stuffing – Attackers use passwords leaked from other sites
  • Brute force attacks – Automated tools guess weak passwords
  • Keylogger malware – Malware steals passwords from users’ devices
  • Insecure reuse – Users reuse passwords across many sites

Attackers only need to guess or steal one password to gain access. This unacceptable risk necessitates additional authentication factors.

Understanding Multi-Factor Authentication

Authentication Factors

Secure authentication requires proving your identity through multiple factors:

Something You Know

  • Password
  • PIN
  • Security question answer
  • Relies on memory, and is easily forgotten or stolen

Something You Have

  • Phone receiving codes
  • Hardware token
  • Smart card
  • Physical possession required

Something You Are

  • Fingerprint
  • Facial recognition
  • Iris scan
  • Biometric uniqueness

Multi-factor authentication requires proving identity through more than one of these factors, so an attacker who compromises a single factor (such as a stolen password) still cannot log in.

MFA Benefits

Implementing MFA dramatically improves security:

  • Phishing resistant – Even if password is stolen, attacker can’t authenticate without second factor
  • Credential stuffing resistant – Reused passwords alone insufficient
  • Brute force resistant – Automated attacks fail without access to second factor
  • Compliance supportive – Many regulations require MFA for remote access

The security improvement justifies minor inconvenience of the additional authentication step.

Cisco Duo Multi-Factor Authentication

Why Duo?

Cisco Duo represents the leading MFA platform because:

  • User-friendly – Simple app-based authentication
  • High security – Advanced fraud detection
  • Flexible – Multiple authentication methods
  • Reliable – Nearly universal mobile phone adoption
  • Integration – Works seamlessly with Meraki

Many organizations choose Duo specifically for its simplicity—users approve or deny login attempts on their phone rather than copying codes from text messages.

Duo Authentication Methods

Users can authenticate through:

Push Notification (Most common)

  1. User clicks login button
  2. Duo app shows approval prompt on phone
  3. User taps “Approve” to confirm
  4. Access granted

SMS Code

  1. User receives SMS with 6-digit code
  2. User enters code in login screen
  3. Access granted if correct

Phone Call

  1. User receives automated call
  2. Presses 1 to confirm
  3. Access granted

Security Key

  1. User connects physical security key
  2. Key confirms user presence
  3. Access granted

Users typically prefer push notifications, the fastest and most intuitive method. Push approval is only as strong as the user's habit of denying prompts they did not start themselves, which is why the training section below matters.

Implementing Meraki VPN with Duo

Setting Up Meraki Client VPN

First, enable VPN access in Meraki:

  1. Go to Security > Client VPN in dashboard
  2. Enable Client VPN
  3. Select protocol (IKEv2 recommended for modern clients)
  4. Configure:
    • Tunnel subnet for remote users (e.g., 192.168.100.0/24)
    • Split tunneling (route corporate traffic through VPN, other traffic direct)
    • Idle timeout (disconnect inactive connections)
  5. Select Authentication method: Choose RADIUS for external authentication

This setup hands authentication to an external RADIUS server, and that RADIUS server is the Duo proxy configured in the next section.

Configuring RADIUS for Duo

RADIUS is the authentication protocol connecting Meraki to Duo:

  1. In Meraki dashboard, go to Security > Client VPN
  2. Under authentication, enter RADIUS settings:
    • Primary RADIUS server: the IP address of your Duo RADIUS Proxy
    • Shared secret: the same pre-shared key configured on the Duo proxy for the Meraki RADIUS client
    • Port: Typically 1812
  3. Test the connection to ensure communication works

Setting Up Duo Administration

Configure Duo to handle authentication:

  1. Create Duo account (if not already existing)
  2. In Duo Admin Panel, add VPN application:
    • Application type: Meraki MX
    • Application name: “Meraki VPN”
    • Click Protect This Application
  3. Duo generates configuration for RADIUS Proxy
  4. Deploy RADIUS Proxy (can be virtual machine in your network or Duo-hosted)
  5. Configure policy:
    • Which users can access VPN
    • Which authentication methods to require
    • Whether certain device types require additional verification

Deploying VPN Profiles to Users

Once VPN and authentication are configured:

  1. Generate VPN profile in Meraki dashboard
  2. Distribute profile to users through:
    • Email with instructions
    • File server download
    • Mobile device management (MDM)
    • QR code scan
  3. Users install profile on devices
  4. Install Cisco Secure Client (or equivalent VPN client)
  5. Users can connect, completing Duo authentication to verify identity

User Experience with Meraki + Duo

Typical Connection Flow

From user perspective:

  1. User opens VPN client
  2. Enters username and password
  3. Clicks “Connect”
  4. Receives Duo push notification on phone
  5. Reviews notification showing “Login request at 2:45 PM from 192.168.1.100”
  6. Taps “Approve”
  7. VPN connects successfully
  8. Can now access corporate resources

This simple process takes about 30 seconds and provides strong security.

What Happens if Something is Wrong

Signs that a login attempt is not legitimate include:

  • The user receives a Duo push they did not initiate and denies it (someone else is using the account's password)
  • The login comes from a location far from the user's usual one (suspicious IP geolocation)
  • The login comes from a device Duo has not seen for this user before

Duo’s fraud detection can flag suspicious logins, either requiring additional verification or blocking access entirely.

Advanced Configuration Options

Device Posture Checking

Duo can verify device health before allowing VPN access:

  • Device must have current OS patches
  • Antivirus must be active
  • Encryption must be enabled
  • Device must not be jailbroken/rooted

Non-compliant devices can be required to:

  • Provide additional authentication
  • Be restricted to limited network segments
  • Be blocked entirely

Location-Based Restrictions

Organizations can restrict VPN access by geography:

  • Allow connections from home country
  • Deny connections from high-risk countries
  • Require additional auth from unexpected locations
  • Block logins from two different countries within a time window too short to travel between them (impossible travel)

Risk-Based Authentication

Duo analyzes login risk, adapting authentication requirements:

  • Low-risk logins (regular location, device, time) – Require only password + push
  • Medium-risk logins (unusual device or location) – Require phone call confirmation
  • High-risk logins (impossible travel speed) – Deny access

This adapts security to actual risk rather than one-size-fits-all requirements.

Troubleshooting Common Issues

“Duo Push Not Received”

Causes:

  • Phone offline or WiFi not connected
  • App not installed or updated
  • Duo account not properly configured

Solutions:

  • Verify phone has internet connectivity
  • Update Duo app to latest version
  • Regenerate Duo token in user account
  • Test authentication with SMS code as backup

“Authentication Timeout”

Causes:

  • User took too long responding to push notification
  • Network connection dropped
  • Duo service issue

Solutions:

  • Retry authentication
  • Check network connectivity
  • If persistent, contact Duo support

“Unknown Device”

Causes:

  • New device authenticating for first time
  • Device not registered in Duo
  • Device compromised/cloned

Solutions:

  • Manually register device in Duo admin
  • User re-registers device
  • Investigate if device genuinely new

Best Practices for VPN + MFA

Enforce VPN for All Remote Access

Create policy that:

  • All remote access requires VPN
  • No direct connections bypassing VPN allowed
  • VPN encryption enforced
  • No option to disable MFA

This eliminates attack vectors through non-VPN access.

Regular Policy Review

Periodically audit:

  • Which users have VPN access (remove departed employees)
  • Which devices have been registered
  • Authentication logs for unusual patterns
  • Compliance with device posture requirements
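Two of the checks above, unusual patterns in authentication logs and the impossible-travel rule from the location-based and risk-based sections, can be scripted against exported Duo authentication logs. The script below is an added example, not a Duo feature or the article's own code: it runs over a handful of constructed records shaped like Duo Admin API authentication-log entries (timestamp, result, reason, user name, access-device IP and country; the field layout and reason strings are assumed from that API) and reports users with a burst of denied or unanswered pushes, which is what a stolen password being used to fire approval prompts at its owner looks like, and users whose successful logins come from two countries too close together to have travelled. The country-change rule is a simplification of Duo's distance-and-speed check.

```python
"""Flag unusual patterns in Duo authentication logs: denied-push bursts and
impossible travel. Added example for the article's audit checklist; not Duo
code. Record layout follows the Duo Admin API authentication log (assumed),
and every record below is constructed sample data."""
from collections import defaultdict

# Constructed sample records. Timestamps are Unix epoch seconds.
RECORDS = [
    # alice: approved in the US, then approved again from Germany 30 minutes later
    {"timestamp": 1700000000, "result": "success", "reason": "user_approved",
     "user": {"name": "alice"},
     "access_device": {"ip": "198.51.100.7", "location": {"country": "United States"}}},
    {"timestamp": 1700001800, "result": "success", "reason": "user_approved",
     "user": {"name": "alice"},
     "access_device": {"ip": "192.0.2.44", "location": {"country": "Germany"}}},
    # bob: four pushes in five minutes that he ignores or reports as fraud
    {"timestamp": 1700000100, "result": "denied", "reason": "no_response",
     "user": {"name": "bob"},
     "access_device": {"ip": "203.0.113.9", "location": {"country": "Brazil"}}},
    {"timestamp": 1700000160, "result": "denied", "reason": "no_response",
     "user": {"name": "bob"},
     "access_device": {"ip": "203.0.113.9", "location": {"country": "Brazil"}}},
    {"timestamp": 1700000220, "result": "denied", "reason": "no_response",
     "user": {"name": "bob"},
     "access_device": {"ip": "203.0.113.9", "location": {"country": "Brazil"}}},
    {"timestamp": 1700000300, "result": "denied", "reason": "user_marked_fraud",
     "user": {"name": "bob"},
     "access_device": {"ip": "203.0.113.9", "location": {"country": "Brazil"}}},
    # carol: two ordinary logins from the same country four hours apart
    {"timestamp": 1700000000, "result": "success", "reason": "user_approved",
     "user": {"name": "carol"},
     "access_device": {"ip": "198.51.100.20", "location": {"country": "United States"}}},
    {"timestamp": 1700014400, "result": "success", "reason": "user_approved",
     "user": {"name": "carol"},
     "access_device": {"ip": "198.51.100.20", "location": {"country": "United States"}}},
]

# Denial reasons that mean a push reached the phone and was not approved (assumed names).
DENIAL_REASONS = {"no_response", "user_marked_fraud", "user_mistake"}


def impossible_travel(records, max_gap_s=3600):
    """Return (user, country_a, country_b, gap_seconds) for consecutive
    successful logins from different countries closer together than max_gap_s."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]["name"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["timestamp"])
        for prev, cur in zip(recs, recs[1:]):
            c1 = prev["access_device"]["location"]["country"]
            c2 = cur["access_device"]["location"]["country"]
            gap = cur["timestamp"] - prev["timestamp"]
            if c1 != c2 and gap < max_gap_s:
                alerts.append((user, c1, c2, gap))
    return alerts


def denied_push_burst(records, threshold=3, window_s=600):
    """Return {user: max denials seen in any window_s-second window} for users
    whose denied or unanswered pushes reach threshold inside that window."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "denied" and r["reason"] in DENIAL_REASONS:
            by_user[r["user"]["name"]].append(r["timestamp"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            # Count denials in the window [start, start + window_s).
            n = sum(1 for t in times[i:] if t - start < window_s)
            if n >= threshold:
                hits[user] = max(hits.get(user, 0), n)
    return hits


if __name__ == "__main__":
    for user, c1, c2, gap in impossible_travel(RECORDS):
        print(f"impossible travel: {user} {c1} -> {c2} in {gap}s")
    for user, n in denied_push_burst(RECORDS).items():
        print(f"push burst: {user} had {n} denied/unanswered pushes within 10 minutes")
```

A denied-push burst is the case to act on first: it means the password is already in someone else's hands and should be reset (the incident response list below), and the user should be reminded to report unexpected prompts rather than approve them to make them stop.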

User Support and Training

Help users successfully authenticate:

  • Provide clear setup instructions
  • Create video walkthrough of VPN setup
  • Explain why MFA is necessary
  • Offer quick support for issues
  • Celebrate adoption milestones

Incident Response Procedures

Plan for security incidents:

  • Compromised password: Reset immediately
  • Lost/stolen device: Remove from Duo
  • Unauthorized access attempts: Investigate and notify
  • Breach suspicion: Review all VPN access logs

Quick response containing incidents minimizes impact.

Comparing VPN Authentication Methods

Different authentication methods balance security and usability:

Method                Security   Usability  Cost
Password only         Low        High       None
Password + SMS code   Medium     Medium     Low
Password + Duo push   High       High       Moderate
Hardware token        Very High  Low        High
Biometric             Very High  High       High

For most organizations, password + Duo push provides optimal balance.

Scaling VPN + MFA

For Small Organizations (10-50 users)

For Medium Organizations (50-500 users)

  • Duo deployment options including on-premises RADIUS proxy
  • Multiple MX appliances across locations
  • Redundancy and load balancing needed

For Enterprise Organizations (500+ users)

  • Multiple VPN gateways for load balancing
  • Geo-distributed RADIUS proxies
  • Advanced Duo policies and conditional access
  • Integration with identity provider (Active Directory, Okta)

Work with Stratus Information Systems to properly scale Meraki VPN + MFA for your organization size.

Security in a Remote-First World

Remote work is now permanent infrastructure, not a temporary exception. Protecting remote access requires:

  • Strong authentication (passwords + MFA)
  • Network encryption (VPN)
  • Device verification (device posture checking)
  • Continuous monitoring (login analytics)
  • Incident response (quick reaction)

Meraki VPN combined with Duo MFA provides foundational security for remote access. Organizations implementing this combination significantly reduce their remote access attack surface.

For organizations deploying or improving remote access security, Stratus Information Systems helps implement solutions providing both strong security and good user experience. The combination of Cisco Meraki VPN and Duo MFA represents industry best practice for securing distributed workforces.
