Cisco Duo, AnyConnect, Meraki

RobustMeraki
Getting noticed


My client wants to use Meraki firewalls along with Cisco Secure Client (AnyConnect) with the Always-On feature and Duo MFA.

Their question is the following: would it be possible to configure multi-factor authentication (MFA with Duo) with Always-On VPN (AnyConnect) using a certificate encrypted via TPM?

#SecureConnect #Duo #SecureClient #Meraki

Gary_Geihsler1
Meraki Employee

Is your question in context of Secure Connect or considering terminating VPN on the MX itself?

RobustMeraki
Getting noticed

I have just checked that there is no Secure Client included in Secure Connect, so I would now consider my question to be about terminating VPN on the MX.

Tony-Sydney-AU
Meraki Employee

@RobustMeraki, perhaps you would like to take a look at this design guide.

To my understanding, AnyConnect is the remote-user client VPN software in the SASE solution context, the AnyConnect software that a user installs on their laptop. It was renamed "Cisco Secure Client".

Gary_Geihsler1
Meraki Employee

Secure Client is included with Secure Connect. Secure Connect is our Unified SASE solution that facilitates secure access to the internet, secure access to private applications/resources (via VPNaaS, client-based ZTNA, and clientless ZTNA), and SD-WAN Interconnect. 

Currently Secure Connect does not support Always-on VPN. Always-On VPN is typically done via certificate authentication. Certificate authentication for VPN does not utilize TPM. 

The client-based ZTNA feels much like Always-On VPN but uses new technology that is faster and more secure while providing an optimal user experience. The end user registers the first time using SAML and then a certificate is stored in the TPM. The user does not have to log in again in most cases.

RobustMeraki
Getting noticed

Thank you, Gary, for your reply. What if the customer purchases the three solutions standalone: Meraki, Secure Client licenses plus Cisco Duo? How would that work in that case? The customer also wants to use Duo in a way that they don't have to enter tokens when authentication is done; this should happen in the background without the client having to enter any such tokens.

Gary_Geihsler1
Meraki Employee

How Duo operates is a question for the Duo folks. I have some limited knowledge, and Duo optionally has a requirement to do an enhanced MFA where a code is displayed on your computer screen and you have to type that code in on your phone. For scenarios outside of Secure Connect, I would ask about VPN termination in the Meraki MX space.

RobustMeraki
Getting noticed

Hey Gary,

To your point above:

> The client-based ZTNA feels much like Always-On VPN but uses new technology that is faster and more secure while providing an optimal user experience. The end user registers the first time using SAML and then a certificate is stored in the TPM. The user does not have to log in again in most cases.

What solution are you talking about with client-based ZTNA? Do you mean Secure Access by that? Which licenses do I need to be able to use Always-On VPN using a certificate encrypted by TPM?

If it is not possible with AnyConnect alone, could you provide me all the licenses that I would need for a scenario where we want to do this for one person? I will then multiply the user licenses and offer.

PhilipDAth
Kind of a big deal

If you have fewer than 10 applications you want to use client-based ZTNA with, you can use "Cisco Secure Connect Complete Essentials"; otherwise you need "Cisco Secure Connect Complete Advantage".

https://www.cisco.com/c/en/us/products/collateral/plus-as-a-service/secure-connect-now-ds.html

Gary_Geihsler1
Meraki Employee

Secure Connect now offers client-based ZTNA. Client-based ZTNA is included in the Secure Connect Complete Essentials and Secure Connect Complete Advantage packages. 

Always-on VPN is not supported in Secure Connect at all at this time. 

Martin_Briand
New here

Hi RobustMeraki,

For this you can go SAML and integrate Duo with Passwordless (if you have the needed requirements for Windows Hello, from hardware and licensing perspectives). Or you can use one-button phone validation (coupled with risk-based authentication, to ask for a code only in risky situations). Or you could use Duo with a FIDO2 or U2F device such as a YubiKey, to validate any auth by simply touching it.

Martin_Briand
New here

Hi Gary,

Cisco employee here, from the Security side of the house. The Cisco Secure Client VPN module on Windows does not mandate the existence of a TPM; however, it will definitely support a TPM, if there is one, for certificate-based authentication (independently of the kind of headend it is terminated on).
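
A practitioner reading the post above will want to confirm, on an actual client, whether the certificate Secure Client is going to present has its private key inside the TPM or merely in the software key store. The PowerShell below is an added example written for this thread, not Cisco's or Meraki's code; it assumes a machine certificate in Cert:\LocalMachine\My (the usual place for an Always-On deployment; the store is a parameter) and reports the CNG key storage provider for every certificate that carries the client-authentication EKU. "Microsoft Platform Crypto Provider" means TPM-resident and non-exportable; "Microsoft Software Key Storage Provider" or a legacy CSP name means the private key is in software. Note the TPM does not "encrypt the certificate" (the certificate is public); it holds the private key so that it cannot be exported from the machine.

```powershell
# Added example (not code from the thread or from Cisco): for every
# client-authentication certificate in the Windows machine store, report which
# key storage provider holds the private key. A TPM-resident key is reported by
# "Microsoft Platform Crypto Provider"; "Microsoft Software Key Storage Provider"
# or a legacy CSP name means the key is in software and Secure Client gets no
# hardware protection. Store location and name are parameters (assumption: a
# machine certificate, Cert:\LocalMachine\My, as Always-On deployments use).
function Get-ClientAuthCertKeyProvider {
    [CmdletBinding()]
    param(
        [string]$StoreLocation = 'LocalMachine',
        [string]$StoreName     = 'My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'            # id-kp-clientAuth
    $tpmProvider   = 'Microsoft Platform Crypto Provider'

    Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" | ForEach-Object {
        $cert = $_
        # Only certificates carrying the client-auth EKU and a private key matter.
        $isClientAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
                ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
                $isClientAuth = $true
            }
        }
        if (-not $isClientAuth -or -not $cert.HasPrivateKey) { return }

        $provider   = $null
        $exportable = $null
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: the provider name says where the key material lives.
                $provider   = $key.Key.Provider.Provider
                $exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: software only, never TPM-backed.
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Usually "access denied": opening a machine key needs an elevated shell.
            $provider = "unreadable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            TpmBacked  = ($provider -eq $tpmProvider)
            Exportable = $exportable
        }
    }
}

# Usage (run elevated so that machine private keys can be opened):
Get-ClientAuthCertKeyProvider | Format-Table Subject, NotAfter, Provider, TpmBacked, Exportable -AutoSize
```

If the provider column does not read "Microsoft Platform Crypto Provider", the key was enrolled into software: the certificate request (a certreq .inf `ProviderName` line, or the template's key storage provider setting in an AD CS or Intune/SCEP enrolment) has to name the Platform Crypto Provider at issuance time; a key cannot be moved into the TPM afterwards. `certutil -v -store My` shows the same provider line if you prefer a one-liner.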

PhilipDAth
Kind of a big deal

> Cisco Secure Client (AnyConnect) with Always-On feature with MFA Duo

No. Always-On requires certificate authentication to be used.

Well, maybe. If you configure certificate authentication and SAML via Duo, and configure a remembered-device policy with Duo.

If you use a remembered-device policy of (say) 30 days, then every 30 days the user would have to do MFA (which would break Always-On), but then it would work again for the next 30 days.


This documentation is related:

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#Certifi...

https://help.duo.com/s/article/1012?language=en_US

PhilipDAth
Kind of a big deal

Untested.

Tony-Sydney-AU
Meraki Employee

I have never tested it either, but I think having SAML and the Always-On feature together fits your customer's use case.

You can have the AnyConnect client VPN software configured with a custom profile where the Always-On feature is enabled. You can read more about it here.

I would also make sure that the MX option Session Timeout is "None"; doing this would allow a remote user to stay connected regardless of network activity over the tunnel and also reconnect when the laptop resumes from sleep.

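
The "custom profile where the Always-On feature is enabled" mentioned in the last reply is an XML file that Secure Client reads; Always-On lives under AutomaticVPNPolicy and only takes effect when that parent is true, and the profile's ConnectFailurePolicy decides whether the endpoint fails closed (no network outside the tunnel when the headend is unreachable) or fails open. The block below is an added example written for this thread, not a profile from Cisco, Meraki or any poster: the here-string is a constructed profile fragment holding only the elements relevant to Always-On with machine-certificate authentication (vpn.example.com and corp.example.com are placeholders), and Test-AlwaysOnProfile reads any profile, this sample or the one actually deployed, and reports whether Always-On is really in force and what would weaken it.

```powershell
# Added example (constructed; not a profile from the thread, Cisco or Meraki).
# $SampleProfile holds only the profile elements relevant to Always-On with
# machine-certificate authentication; vpn.example.com and corp.example.com are
# placeholders. Test-AlwaysOnProfile reads any profile and reports whether
# Always-On is actually in force and how it fails.
$SampleProfile = @'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN (Meraki MX)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
'@

# Text of an element whether PowerShell surfaced it as a string (leaf element)
# or as an XmlElement (element with attributes or child elements).
function Get-ElementText($Node) {
    if ($null -eq $Node)    { return $null }
    if ($Node -is [string]) { return $Node.Trim() }
    $text = ($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Text' } | ForEach-Object { $_.Value }) -join ''
    return $text.Trim()
}

function Test-AlwaysOnProfile {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $xml = [xml]$ProfileXml
    $ci  = $xml.AnyConnectProfile.ClientInitialization
    $avp = $ci.AutomaticVPNPolicy
    $ao  = $avp.AlwaysOn
    $r = [ordered]@{
        AutomaticVPNPolicy     = (Get-ElementText $avp) -eq 'true'
        AlwaysOn               = (Get-ElementText $ao) -eq 'true'
        ConnectFailurePolicy   = Get-ElementText $ao.ConnectFailurePolicy
        AllowVPNDisconnect     = (Get-ElementText $ao.AllowVPNDisconnect) -eq 'true'
        AutomaticCertSelection = (Get-ElementText $ci.AutomaticCertSelection) -eq 'true'
        CertificateStore       = Get-ElementText $ci.CertificateStore
        HostEntries            = @($xml.AnyConnectProfile.ServerList.HostEntry | Where-Object { $_ }).Count
        Findings               = @()
    }
    if (-not $r.AlwaysOn) { $r.Findings += 'AlwaysOn is not true: this profile does not enforce Always-On.' }
    if ($r.AlwaysOn -and -not $r.AutomaticVPNPolicy) {
        $r.Findings += 'AlwaysOn is set but AutomaticVPNPolicy is not true: Always-On is not in effect.'
    }
    if ($r.AlwaysOn -and $r.ConnectFailurePolicy -ne 'Closed') {
        $r.Findings += "ConnectFailurePolicy is '$($r.ConnectFailurePolicy)': traffic is allowed outside the tunnel when the VPN cannot come up (fail-open)."
    }
    if ($r.AlwaysOn -and $r.AllowVPNDisconnect) { $r.Findings += 'AllowVPNDisconnect is true: the user can switch the tunnel off.' }
    if ($r.AlwaysOn -and $r.HostEntries -eq 0) { $r.Findings += 'ServerList has no HostEntry: nothing to connect to without user input.' }
    if (-not $r.AutomaticCertSelection) { $r.Findings += 'AutomaticCertSelection is not true: the client may prompt for a certificate.' }
    [pscustomobject]$r
}

# Usage: the constructed sample, then the profile actually deployed on this client
# (default Secure Client 5 profile directory, as an assumption about the install).
Test-AlwaysOnProfile -ProfileXml $SampleProfile
Get-ChildItem "$env:ProgramData\Cisco\Cisco Secure Client\VPN\Profile\*.xml" -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AlwaysOnProfile -ProfileXml (Get-Content $_.FullName -Raw) }
```

The sample returns no findings; flip ConnectFailurePolicy to Open or AllowVPNDisconnect to true and the function names the weakening. CertificateStore Machine with CertificateStoreOverride true is what lets a non-administrator user's session use the machine certificate (the one whose key the TPM check above would show as Platform Crypto Provider). Run the check against the profile on the endpoint rather than the copy you edited: whether the profile is pre-staged in the profile directory or pushed by the headend at connect time, the file on disk is what the client enforces.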