Integration of CISCO Meraki with DoubleClue using RADIUS

1. Introduction

This guide is intended to help administrators to use DoubleClue Multi-Factor Authentication (MFA) together with their CISCO Meraki product.

2. Preparing DCEM as a RADIUS Server

You need to add a “NAS Client” configuration in DoubleClue Enterprise Management (DCEM).

  1. In DCEM, go to main menu item “RADIUS”, sub menu “NAS Clients” and click on “Add”.
  2. The “IP Number” must be the source IP of the CISCO Meraki appliance.
  3. Do not enable the checkbox “Use Challenge”.
  4. Click on “OK”. The configuration will be active immediately after that.

3. CISCO Meraki Configuration

Here you can see a typical CISCO Meraki RADIUS configuration.

Please verify that the port matches with the port configured in DCEM, which you can view under main menu item “RADIUS”, sub menu “Preferences”.

4. Timeout Configuration

DoubleClue verwendet mobile Endgeräte für die MFA. Während der Authentifizierungsphase benötigt der Benutzer möglicherweise einige Zeit, um sein Mobilgerät einzuschalten, die DoubleClue-App zu starten und die Meldungen zu bestätigen.

4.1 CISCO Meraki Timeout

The default timeout for CISCO Meraki is 5 seconds for 3 attempts. In total this means that users have only 15 seconds, which may be too short. We recommend extending this timeout period.

You cannot change the timeout period in the CISCO Meraki configuration GUI. Please contact Meraki Support at https://meraki.cisco.com/support/ to change it.

We recommend 60 seconds x 3 attempts.

4.2 Windows 10 Timeout

The default Windows 10 VPN Client timeout is 30 seconds, which may be too short for users to switch on their mobiles and confirm the authentication message.

In order to increase the timeout period, you have to change the following windows registration settings.

We recommend extending this period to 3 minutes, too. The Windows 10 Client repeats at a rate of 3 seconds, so we will set the number of repetitions to 60:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasManPPPMaxConfigure = 60 (decimal)

and

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasManPPPMaxFailure = 60 (decimal)