I have just checked that there is no Secure Client included in Secure Connect, so I would consider my question now as  terminating VPN on the MX

@RobustMeraki , perhaps you would like to take a look at this design guide.

To my understanding: AnyConnect is the remote user client vpn software in the SASE solution context. The AnyConnect software that a user install in their laptop.  It was renamed to "Cisco Secure Client".

Thanky Gary for your reply. What if the customer purchases the 3 Solutions Standalone Meraki, Secure Client Licenses plus Cisco DUO. How will the working see in that case. The customer also wants to use DUO in a way that they dont have to put in Tokens when authentication is done and this should be done in the background without the client having to give in any such tokens.

How Duo operates is a question for the Duo folks. I have some limited knowledge and Duo optional has the requirement to do an enhanced MFA where a code is displayed on your computer screen and you have to type that code in on your phone. For scenarios outside of Secure Connect, i would ask on the VPN termination in the Meraki MX space. 

Hey Gary,

To your point above- The client-based ZTNA feels much like Always-on VPN but uses new technology that faster and more secure while providing an optimal user experience. The end user registers the first time using SAML and then a certificate is stored in TPM. The user does not have to login again in most cases. 

What solution are you talking about with Client based ZTNA? Do you mean Secure Access by that? What all licenses do I need for me to be able to use Always on VPN using a certificate encrypted by TPM.

If it is not possible only with Anyconnect only. Could you provide me all the licenses that I would need for a scenario considering we want to do this on one person? I will then multiply the user licenses and offer

If you have less than 10 applications you want to use client based ZTNA with you can use "Cisco Secure Connect Complete Essentials", otherwise you need "Cisco Secure Connect Complete Advantage".

https://www.cisco.com/c/en/us/products/collateral/plus-as-a-service/secure-connect-now-ds.html

Secure Connect now offers client-based ZTNA. Client-based ZTNA is included in the Secure Connect Complete Essentials and Secure Connect Complete Advantage packages. 

Always-on VPN is not supported in Secure Connect at all at this time. 

Hi RobustMeraki,

For this you can go SAML and integrate Duo with Passwordless (if you have the needed requirements for Windows Hello, from hardware and licensing perspectives). Or can you use a phone one button validation (coupled with risk based authentication, to ask for a code only in risky situations). Or you could use DUO with a FIDO2 or U2F device such as yubikey, to validate any auth by simply touching it.

Hi Gary,

Cisco Employee here, from the Security side of the house. Cisco Secure client VPN module on Windows does not mandate existence of a TPM, however it will definitely support TPM if there is one for certificate based authentication. (Independently from the kind of headend, it's terminated on).

Untested.

I never tested as well, but I think having SAML and Always ON feature together fits your customer's use-case.

You can have the AnyConnect client vpn software configured with a custom profile where the Always ON feature is enabled. You can read more about it here.

I would also Make sure that MX option Session Timeout is "None" ; doing this would allow a remote user to stay connected regardless of network activity over the tunnel and also reconnect when laptop resumes from sleep state.