The Meraki Client VPN AnyConnect profile in Meraki is configured with three RADIUS servers. When I try to connect, it’s defaulting to the first RADIUS server using NPS.
The last one is the Duo server I want Duo users to use. This would work if there were only Duo servers in the list.
However, is there a way to force the AnyConnect profile to use the Duo server as a connection?
This would allow us to work with NPS and Duo in tandem.
But if I can’t get NPS and Duo to work in tandem, it will have to be a big bang approach to the switchover: getting everyone enrolled into Duo first and then switching the RADIUS servers over to the last Duo one.
Thanks
These are the options you have to integrate with DUO.
https://help.duo.com/s/article/7505?language=en_US
Hi Alemabrahao,
Yes, I do know you can protect Cisco AnyConnect with Duo. We already have clients like that.
The problem I am having is, I'd like to force a VPN profile into using the correct RADIUS server during login.
Currently they all default to the RADIUS/NPS server, and I need anyone who is in the correct group to be automatically routed to the RADIUS/Duo Auth Proxy server.
So when we migrate users we can ensure they will start using the Duo Proxy.
First of all, I would recommend using SAML to authenticate AnyConnect against Duo - it is much more flexible and powerful.
https://duo.com/docs/sso-meraki-secure-client
If you want to use RADIUS, I normally leave NPS on port 1812 and set up the Duo Auth Proxy on port 1912 (make sure to configure Windows Firewall to allow it).
Then when you change over, just change the port in the Meraki portal. If you want to roll back, change the port back.
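The port-based split described above, as an added illustration that is not part of the thread: a Duo Authentication Proxy authproxy.cfg listening for the MX on UDP 1912 while NPS keeps 1812. It assumes the proxy delegates primary authentication to the existing NPS through a [radius_client] section (an [ad_client] section would work the same way); all addresses, secrets and Duo keys are placeholders.

```ini
; Added example: Duo Authentication Proxy config, not taken from the thread.
; Primary authentication is forwarded to the existing NPS server on 1812.
[radius_client]
; placeholder: address of the NPS server
host=10.0.0.10
; placeholder: shared secret entered on the NPS "RADIUS Clients" entry for this proxy host
secret=NPS_SHARED_SECRET
port=1812

; RADIUS listener the MX talks to; only the port differs from the NPS entry in the dashboard
[radius_server_auto]
; placeholders: values from the Duo Admin Panel application for this integration
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; placeholder: source address the MX uses for RADIUS requests
radius_ip_1=10.0.0.1
; placeholder: must match the secret configured for this server in the Meraki dashboard
radius_secret_1=MX_SHARED_SECRET
; hand primary auth to the [radius_client] section above
client=radius_client
; listen on 1912 so NPS can keep 1812 on the same host; allow UDP 1912 inbound in Windows Firewall
port=1912
; safe = allow logins if the Duo cloud is unreachable, secure = deny them
failmode=safe
```

Cutting over is then the dashboard port change from 1812 to 1912 on that RADIUS server entry, and rolling back is changing it back.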
Just looking at the documentation for SAML. I don't even see how it relates to Cisco AnyConnect VPN?
What about this one? https://duo.com/docs/sso-meraki-secure-client
Perhaps you might be confused when reading "Secure Client". It's basically Anyconnect Version 5 (with other benefits) 😉
Again, these solutions will not work for the VPN clients requiring Duo access.
I need the client apps to intelligently know which RADIUS server to use, and there seems to be no way to configure that for Cisco AnyConnect VPN clients.
The choice is in accordance with the order defined in the list of servers configured in the MX VPN Client.
And yes, you can use SAML with Anyconnect.
I also tested the order of the RADIUS Servers and it makes no difference. It always defaults to the NPS RADIUS server. Unless I remove NPS the Duo RADIUS will not connect.
Also SAML is not a solution.
Clients never directly talk to the RADIUS server, that's the way the protocol is built. There's no way you will achieve this one on the client side.