AnyConnect Azure MFA SMS

bd9999
Comes here often

AnyConnect Azure MFA SMS

I have been testing AnyConnect configured with RADIUS authentication. I need to be able to do MFA using Azure, I have this working using the NPS Extension for azure MFA on a windows NPS server but only for push notifications using the Microsoft Authenticator app. In Azure the Authenticator app has to be set as the default for the user for it to work.

 

Is there a way to use the AnyConnect app for MFA methods that are not push, for example is there someway to be able to type in an SMS or authenticator code? There doesn't seem to be any field to enter it, if you enter a username/password it just kicks you out back to the username/password screen and then you receive an SMS code but there is no where to enter it in the anyconnect client.

 

SAML using Azure lets you select the MFA method because it redirects you to the normal Microsoft login page however SAML doesn't (at least not that I can see) offer a way to have separate vpn groups with different permissions in the way the RADIUS does with the filter-id and group policies.

 

Has anyone found a way to make this work?  

 

5 Replies 5
MerryAki
Building a reputation

Aside from the push notification you should be able to use the offline code from MS Authenticator aswell (a time based code that changed every few seconds)

 

For the user specific settings in Azure I would try to change it via https://aka.ms/MFAsetup

(From the admin side you can also configure the sign in methods you want to provide)

Another option for the user is hitting ,use another option’ at the sign in page.

 

AFAIK there is no way to change the MFA method for a single application. 

bd9999
Comes here often

Thanks, but in the anyconnect client how do you actually enter an offline code? Maybe I'm missing something oblivious but I can't see a way to enter it. It only has fields for username and password.

MerryAki
Building a reputation

Oh sorry I thought that you are getting a field like ,enter confirmation’. Then the phone call (pressing #) or confirmation with the Authenticator are the only applicable options. 😕

MerryAki
Building a reputation

For WiFi authentication I found this topic:

https://community.meraki.com/t5/Wireless-LAN/MFA-Azure-for-SSID-Access/m-p/136766#M19154

certifactes over MFA prompt.

I would go for it with VPN tunnels, too. But feel free to share your experience if you’ve found a way.

PhilipDAth
Kind of a big deal
Kind of a big deal

Change to using SAML authentication directly against AzureAD - which uses SSO.  This then uses whatever you have configured in Azure AD.  Ideally, you'll want a subscription that gives you conditional access control in Azure to get fine grained control.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configur... 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels