Add MFA to AnyConnect VPN users

Hello, I need some guidance if possible. We currently have no NPS and no Azure MFA. AnyConnect is used with LDAP, with the VPN configured on a Meraki MX-100, and O365 users use MS Authenticator for MFA. I need to add MFA to the AnyConnect app. Is there a way of setting this up without NPS/RADIUS? Where do I start? Thanks

If your users are using the MS Authenticator app for Office 365, you should be able to SAML that to Azure AD and their existing MFA configuration would push. You’ll need to call Meraki support to have them turn on SAML in the AnyConnect settings. You may need Azure AD P1 (M365 Business Premium) or M365 E3 or above. I could be wrong. Meraki has a good article on setting it up.

We use Duo with Auth Proxy on a Windows Server and it works great (around 60-100 on VPN at a time).

Yeah, works like a clock, no issues for over 1200 AnyConnect users. We are on Azure P2 and I asked my Meraki/Azure engineers to follow these steps after getting some clarifications from the Reddit community:
Contact Meraki support and ask to enable SAML for AnyConnect,
Create an AD test group for VPN users,
Move test users,
Follow this guide below: AnyConnect Azure AD SAML Configuration - Cisco Meraki Documentation

After initial testing they’ve also added an additional security step: after entering AD credentials into the AnyConnect app, the app displays a two-digit number to be manually typed into the Microsoft Authenticator app for confirmation.

For this to work users must be on AnyConnect version 4.0 or above.

MFA via Azure AD SAML authentication is the best solution for you; AnyConnect on Meraki is very limited in configuration options.

There’s a SAML guide:

You need Azure AD or other single sign-on providers like Okta. I got it working with Azure AD and it’s great.

I deployed MFA with Duo using SAML and Azure AD. Works well.

Hello – we want to do the same with Okta.

My first step is to figure out which AnyConnect license I need to purchase. Is there a SPECIFIC license that I need? (I know I need A license.)

My Meraki rep said use Duo, but we already have a tool (Okta)… so I think AnyConnect is the way to go.

Did you ever get this to work natively with Azure MFA? I don’t see the AnyConnect app able to trigger the O365 popup to authenticate. We are stuck there and Meraki techs don’t seem to have much experience with this yet.

This is the way. Works great.

Great, much appreciated. So after hitting the connect button on the AnyConnect client installed on a PC (I assume with SAML enabled they would no longer be required to enter AD credentials), a user would get a prompt on their MS Authenticator app to accept the VPN connection, correct?

Can confirm this is exactly what you need to do.

You also need to buy the AnyConnect license, and a specific flavour to gain the entitlement. According to Meraki support it is based off of the number of users who are allowed to log in, not the number of simultaneous users (though how they enforce that I have no idea).

It’s all done based on trust right now, so you can call them up without the licence but who knows, one day they may make you prove it.

Depends on the IdP settings, but the user would be presented with their Azure SAML login page. The IdP will then initiate the MFA after the user inputs their SAML credentials. Once the IdP authenticates, the client will be let onto the VPN.

Thanks again and apologies for all these questions, I’m fairly new to this. Please correct me if I’m wrong: after users enter their Active Directory credentials (or would it have to be a different set of SAML credentials?) on the SAML page, a push notification would be sent to their MS Authenticator app to “Accept” a VPN connection? Would the SAML page launch automatically upon pressing the connect button in the AnyConnect app?

Does this work without the terrible enter-email-and-password option? Doesn’t it click and send to the MFA app before asking for credentials in some browser window from AnyConnect?

Questions are how we learn, no worries. When the user hits connect in the AnyConnect app, an M365 login box will pop up. They’ll type in their M365 credentials and will be MFA challenged, according to the auth methods you have configured.

Awesome, I will work on it sometime tomorrow, and if I have more questions I now know where to ask. Many thanks to you all, guys!

I tested today and it works great. The only little annoyance was that, since I already had the MS Authenticator app installed on my phone for O365, I had to re-register my MS account in the app to get the MFA prompt for AnyConnect. Before I did that, AnyConnect would let me connect right after entering my password. Cheers!