Meraki Client VPN options - how does everyone segregate networks for VPN clients - what are your security practices - how do you track VPN Client users activity?

With the world becoming much more security conscious, I’m looking to lock things down a bit more with our 3rd party vendors like HVAC and other outside users. An example would be - putting all the HVAC stuff on its own VLAN, and blocking all in/outbound internet for it. In this example I’d also like to allow user ABC to log into the Client VPN connection on our Meraki MX firewall and have the IP handed to them be part of that same VLAN so they could only see the HVAC equipment and nothing else. No servers, no client machines, nothing interesting on an Angry IP scan, nothing interesting in verbose Wireshark mode, etc…

Can Meraki even do this - or is this more of a Radius server policy to hand out depending on the username/group membership that authenticates? If it is a radius deal, does anyone have some good guides to read up on for this type of thing?

What does everyone do for their tracking and governance of the currently connected users? Do you have anything that logs every IP they access, what protocols they used when accessing that IP, DNS hits, etc.? Basically I’d like to have a log to review of what people do when they connect to our VPN, even if I cannot segregate the networks and lock it down like I hope.

I don’t want to give out VPN access like in my example to the HVAC company, and get ransomware because they plugged in a USB stick and it spreads over the VPN - I figure limiting it to JUST specific VLAN(s) could mitigate some damage if this were to happen and in case anyone is wondering - yes I’m using HVAC as my example because of the Target breach many moons ago. :)

I’ve used Scrutinizer from Plixer in the past, but there are many products available that can do what you are asking.
I don’t like to give vendors access to the network, so I usually do a combination of giving them an RDP or VDI in a DMZ that only has access to specific systems on specific ports, while putting those systems in their own segregated networks. That remote connection environment would also have admin and escalation rights removed/locked down with updated antivirus and threat detection. (Also no internet access if avoidable.)

AnyConnect on MX is still technically in beta. (It logs connections/disconnections and authentication attempts, and you should be able to see connected clients if you filter by client VPN in the dashboard. It will show some traffic details for the connected client, but the level at which it does this may not be enough for you. You’d probably want a proper NetFlow connector/analyzer as I mentioned above.)
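The ask in the original post was a reviewable log of what each VPN user touched (IPs, protocols, ports), and the reply above notes the dashboard view may not be detailed enough. One cheap source is the MX syslog "flows" export fed into a script. The following is an added example, not code from this thread or from Meraki: the log lines are constructed and modelled on the MX flow syslog layout (epoch timestamp, device name, `flows`, key=value fields, then `pattern: <action> <rule>`), so check the field order against your own MX output and adjust `FLOW_RE` if it differs. The VPN pool (10.99.0.0/24) and HVAC VLAN (10.50.0.0/24) are assumed addresses.

```python
"""Summarise VPN client activity from MX flow syslog lines.

Added example, not from the thread. The log lines are constructed,
modelled on the Meraki MX "flows" syslog format; confirm field order
against your own MX syslog output. Subnets are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.99.0.0/24")      # assumed client VPN address pool
ALLOWED = [ip_network("10.50.0.0/24")]     # assumed HVAC VLAN: all a VPN client should reach

# Constructed sample: one VPN client using HVAC kit, then probing a file
# server, external DNS and an ICMP sweep; plus one unrelated LAN flow.
SAMPLE_LOG = """\
1700000001.1 MX68 flows src=10.99.0.7 dst=10.50.0.20 mac=aa:bb:cc:dd:ee:01 protocol=tcp sport=51000 dport=502 pattern: allow all
1700000002.2 MX68 flows src=10.99.0.7 dst=10.50.0.20 mac=aa:bb:cc:dd:ee:01 protocol=tcp sport=51001 dport=443 pattern: allow all
1700000003.3 MX68 flows src=10.99.0.7 dst=10.10.0.5 mac=aa:bb:cc:dd:ee:01 protocol=tcp sport=51002 dport=445 pattern: deny all
1700000004.4 MX68 flows src=10.99.0.7 dst=8.8.8.8 mac=aa:bb:cc:dd:ee:01 protocol=udp sport=51003 dport=53 pattern: deny all
1700000005.5 MX68 flows src=10.99.0.7 dst=10.10.0.6 mac=aa:bb:cc:dd:ee:01 protocol=icmp pattern: deny all
1700000006.6 MX68 flows src=10.10.0.9 dst=10.10.0.5 mac=aa:bb:cc:dd:ee:02 protocol=tcp sport=40000 dport=445 pattern: allow all
"""

# mac/sport/dport are optional: ICMP flows carry no ports.
FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<dev>\S+) flows "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) (?:mac=\S+ )?"
    r"protocol=(?P<proto>\S+) (?:sport=(?P<sport>\d+) )?(?:dport=(?P<dport>\d+) )?"
    r"pattern: (?P<action>allow|deny) (?P<rule>.*)$"
)


def parse_flows(text):
    """One dict per line matching FLOW_RE; non-matching lines are skipped."""
    return [m.groupdict()
            for m in (FLOW_RE.match(line.strip()) for line in text.splitlines()) if m]


def vpn_activity(text, vpn_pool=VPN_POOL, allowed=ALLOWED):
    """Per VPN-pool source: every dst/proto/port touched, the subset outside the
    allowed networks, distinct hosts contacted, and denied-flow count.
    Denied flows are the interesting ones: that is what a scan from the VPN
    looks like even when the firewall rules hold."""
    report = defaultdict(lambda: {"touched": set(), "out_of_scope": set(), "denied": 0})
    for f in parse_flows(text):
        if ip_address(f["src"]) not in vpn_pool:
            continue                                  # only VPN clients matter here
        key = f"{f['dst']}/{f['proto']}/{f['dport'] or '-'}"
        entry = report[f["src"]]
        entry["touched"].add(key)
        if f["action"] == "deny":
            entry["denied"] += 1
        if not any(ip_address(f["dst"]) in net for net in allowed):
            entry["out_of_scope"].add(key)
    return {
        src: {"touched": sorted(e["touched"]),
              "out_of_scope": sorted(e["out_of_scope"]),
              "distinct_hosts": len({k.split("/")[0] for k in e["touched"]}),
              "denied": e["denied"]}
        for src, e in report.items()
    }


if __name__ == "__main__":
    for src, e in vpn_activity(SAMPLE_LOG).items():
        print(f"{src}: {e['distinct_hosts']} hosts, {e['denied']} denied flows")
        for k in e["out_of_scope"]:
            print("  out of scope:", k)
```

Mapping a pool address back to a username still needs the VPN connect/disconnect events (which the reply above says the dashboard does log); join on source IP and time window. Flow logs also give you nothing about DNS names, so treat a client resolving and then hitting many distinct hosts, or a high denied count, as the scan signal rather than expecting a verbose trail.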

If you’re going with AnyConnect, I don’t think you should put VPN clients on the same VLAN as your HVAC system. You’re going to need to dig into your ACLs and restrict VPN users from accessing any other part of your network. You’ll also need to make sure there’s no way they can jump off of the HVAC control system to other parts of your network.
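The two constraints in the reply above (VPN users reach only the HVAC kit; the HVAC kit can't be used as a pivot) come down to rule order on a first-match firewall. As an added example, not code from this thread or from Meraki, here is a rule set expressed with the field names of the Meraki Dashboard API v1 L3 firewall rule objects (`policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `syslogEnabled`) plus a small checker that reproduces top-down first-match evaluation ending in the MX's implicit "allow any". Addresses (VPN pool 10.99.0.0/24, HVAC VLAN 10.50.0.0/24, controller 10.50.0.20), the port list, and the endpoint path named in `as_api_body` are assumptions to confirm against the current docs before pushing anything.

```python
"""VPN clients restricted to the HVAC VLAN: rule set plus first-match checker.

Added example, not from the thread. Addresses, ports and the API endpoint
path are assumptions; rule field names follow Meraki Dashboard API v1 L3
firewall rules (verify before use). The checker models top-down first
match with an implicit final allow, which is why ORDER matters.
"""
from ipaddress import ip_address, ip_network

VPN_POOL = "10.99.0.0/24"    # assumed client VPN pool
HVAC_VLAN = "10.50.0.0/24"   # assumed HVAC VLAN

# Specific allows first, then a logged catch-all deny for the VPN pool, then
# a deny that stops HVAC hosts initiating anything (replies to VPN-initiated
# sessions still pass: the MX firewall is stateful). Unmatched traffic from
# other VLANs falls through to the implicit allow and is untouched.
RULES = [
    {"comment": "VPN -> HVAC: BMS web UI and Modbus/TCP only",
     "policy": "allow", "protocol": "tcp", "srcCidr": VPN_POOL, "srcPort": "Any",
     "destCidr": HVAC_VLAN, "destPort": "443,502", "syslogEnabled": True},
    {"comment": "VPN -> HVAC: BACnet/IP",
     "policy": "allow", "protocol": "udp", "srcCidr": VPN_POOL, "srcPort": "Any",
     "destCidr": HVAC_VLAN, "destPort": "47808", "syslogEnabled": True},
    {"comment": "VPN -> everything else (other VLANs AND internet): deny, log",
     "policy": "deny", "protocol": "any", "srcCidr": VPN_POOL, "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any", "syslogEnabled": True},
    {"comment": "HVAC VLAN -> anywhere: deny (no pivot, no internet)",
     "policy": "deny", "protocol": "any", "srcCidr": HVAC_VLAN, "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any", "syslogEnabled": True},
]


def _cidr_match(spec, addr):
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec, port):
    """spec is "Any", a single port, a range "lo-hi", or a comma list of those."""
    if spec == "Any":
        return True
    if port is None:                  # ICMP etc.: only "Any" can match
        return False
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decide(src, dst, proto, dport=None, rules=RULES):
    """First matching rule wins; no match means the MX's implicit allow."""
    for r in rules:
        if (r["protocol"] in ("any", proto)
                and _cidr_match(r["srcCidr"], src)
                and _cidr_match(r["destCidr"], dst)
                and _port_match(r["destPort"], dport)):
            return r["policy"], r["comment"]
    return "allow", "implicit default allow"


# Constructed expectations: what the original poster wants to be true.
EXPECTED = [
    ("10.99.0.7", "10.50.0.20", "tcp", 502, "allow"),    # Modbus to HVAC
    ("10.99.0.7", "10.50.0.20", "udp", 47808, "allow"),  # BACnet to HVAC
    ("10.99.0.7", "10.50.0.20", "tcp", 22, "deny"),      # SSH to HVAC: not on the list
    ("10.99.0.7", "10.10.0.5", "tcp", 445, "deny"),      # SMB to a file server
    ("10.99.0.7", "8.8.8.8", "udp", 53, "deny"),         # internet DNS
    ("10.99.0.7", "10.10.0.6", "icmp", None, "deny"),    # ping sweep
    ("10.50.0.20", "10.10.0.5", "tcp", 445, "deny"),     # HVAC pivoting to a server
    ("10.50.0.20", "8.8.8.8", "tcp", 443, "deny"),       # HVAC calling out
    ("10.10.0.9", "10.10.0.5", "tcp", 445, "allow"),     # unrelated LAN traffic untouched
]


def verify(rules=RULES, cases=EXPECTED):
    """Return the cases whose verdict differs from expectation (empty list = good)."""
    return [c for c in cases if decide(c[0], c[1], c[2], c[3], rules)[0] != c[4]]


def as_api_body(rules=RULES):
    """Body for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules
    (path from memory; confirm in the Dashboard API docs)."""
    return {"rules": rules}


if __name__ == "__main__":
    print("mismatches:", verify())
```

Run `verify()` before and after any reorder: moving the catch-all deny above the two allows silently breaks HVAC access, and the checker reports exactly those two cases. Whether these live as MX outbound L3 rules or inside a group policy applied to the VPN user, the first-match logic is the same.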

Meraki MX now has AnyConnect integration for client VPN. You can set this up as you describe above. Check out their knowledge base for details.

I prefer to not let third parties connect a device “on my LAN”, meaning I won’t let them use a client VPN that would give their PC an IP on my network. Too risky. I’ll opt for a different solution that involves forcing them through a VDI or RDP session or something like Citrix or Azure Virtual Desktop. From there you could quarantine their VM in a separate network or DMZ to control what they access.

See if your VPN software supports “split tunneling”.

It seems the MX side is pretty limited as there are no configuration options… or do you mean to pick up an ASA device and route through the MX? AnyConnect on ASA vs. MX - Cisco Meraki Documentation

If you want to do anything advanced with AnyConnect I would definitely recommend using a Firepower firewall instead of an MX. ASA appliances are going EOL but they have the same features at this point.