AnyConnect Certificate-only authentication beta experiences

zeestrat-nina
Here to help

Anyone part of the AnyConnect certificate-only authentication beta who can share their experiences?
We're on the waiting list, but would like to hear if it's working OK for folks and how the AnyConnect behavior is for the end user.
Does it support Start Before Logon (SBL) with machine certificates for example?
We're migrating from MS Always On VPN and looking to make AnyConnect as seamless/hidden as possible.

8 Replies
PhilipDAth
Kind of a big deal

Every client that has had me deploy "Always on" has had me remove it. And it's not because it didn't work.

I would say the majority of the cases were due to cyber insurance or audit requirements requiring MFA. Personally, I consider certificates better, but these days there is often a hard requirement for MFA.

Nearly every AnyConnect deployment I have done recently used SAML against things like Cisco Duo or AzureAD.

Certificate-based authentication does support "Start before login" using machine certificates. SAML does not.

I just checked on one client dashboard: certificate authentication is not a beta feature. It is a production feature available for everyone to use.

zeestrat-nina
Here to help

Thanks for the response @PhilipDAth.
I am with you on SAML being the preferred way and it works great when testing it on MX (even though we're pretty happy using machine certs and Always On VPN today).

However, it does not cover the use case of SBL (or management tunnels, which are still ASA only) to allow clients access to an on-prem DC in case of remote onboarding or credential cache updates.
It also seems to be impossible to have multiple/different AnyConnect VPN profiles/authentication methods on the same MX so we cannot easily setup an alternative profile just for cases where SBL is needed.
How do you usually handle these requirements?

P.S. I might be slow, but I do not see how you can choose Certificate-only in the Authentication Type option and the AnyConnect Authentication Methods page says that it is in beta (see screenshot). Am I missing something obvious?

PhilipDAth
Kind of a big deal

> How do you usually handle these requirements?

Most of the customers gave up on the capability of having SBL to meet their compliance requirements. One client had me set up AnyConnect on a second MX that used simple username/password purely for IT people to use to be able to remotely join computers.

I was not aware that certificate-only had become an option. I thought it could only be used as a secondary method of authentication. Thanks for the info!

zeestrat-nina
Here to help

@PhilipDAth wrote:

>> How do you usually handle these requirements?
>
> Most of the customers gave up on the capability of having SBL to meet their compliance requirements. One client had me set up AnyConnect on a second MX that used simple username/password purely for IT people to use to be able to remotely join computers.

I see, thanks for sharing. I was thinking of doing a similar thing as that should cover the few times where it is necessary. Perhaps Meraki will support management tunnels like on ASA in the future which is a lot cleaner than SBL.

Thanks again @PhilipDAth!

JamesPickup
Here to help

Hi zeestrat-nina

Did you make any progress with this? We are looking to have a hidden VPN too, just wondering if you progressed from the waiting list, as we are still waiting.

Thanks

James

zeestrat-nina
Here to help

Hi @JamesPickup, yes, we got access to the beta and it works pretty well.
I am a bit disappointed in the AnyConnect (Secure Client) VPN client, but I guess that's not Meraki's fault.
It doesn't seem to be possible to configure it to stay hidden at all times as it still pops up a bit here and there when changing networks (especially on trusted networks such as corporate network).
If someone has more experience with the client and knows if it can be done, that would be much appreciated.

I haven't gotten SBL to work yet and I am not sure if it is supported or just me struggling with the profile settings for the certificates.
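
As an added illustration (not configuration posted in this thread, and not Cisco's or Meraki's own), here is the shape of a client profile XML that brings together the two points discussed above: PhilipDAth's note that certificate authentication supports Start Before Logon with a machine certificate, and the wish for a client that stays out of the user's way. Host names, the trusted DNS domain and server, and the issuing CA name are placeholders. It assumes the MX accepts an uploaded custom AnyConnect profile, that the SBL module is installed on the Windows endpoints (SBL is a Windows-only feature), and that element order follows the profile schema, which the Cisco profile editor enforces for you.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative AnyConnect / Secure Client VPN profile written for this page.
     Not taken from the thread, Cisco or Meraki. Host names, DNS values and the
     CA name are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon: the tunnel is built from the Windows logon screen,
         before any user session exists (Windows only; SBL module required). -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <!-- Machine certificate: search only the machine store, and allow the
         pre-logon (SYSTEM context) connection to use it. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Keep the UI quiet: connect on start, minimise once up, reconnect
         after sleep rather than prompting. -->
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <!-- Trusted Network Detection + Always On: connect off-net, tear down on
         the corporate network, and do not let the user disconnect. This keeps
         the client out of the way; it does not suppress every status pop-up
         the client shows on a network transition. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn UserControllable="false">true
        <!-- Closed = fail closed: no network access if the tunnel cannot be
             built, apart from a short captive-portal window. -->
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <!-- Only offer certificates that carry the Client Authentication EKU and
         were issued by our CA, so a user or web-server certificate is never
         tried against the headend. -->
    <CertificateMatch>
      <ExtendedKeyUsage>
        <ExtendedKeyUsageEntry>ClientAuth</ExtendedKeyUsageEntry>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Corp Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two caveats before deploying something like this. `ConnectFailurePolicy` set to `Closed` locks the endpoint off the network whenever the headend is unreachable, so test the captive-portal window and have a break-glass path for IT. And the `CertificateMatch` block only narrows which certificate the client offers; the headend still validates it against the CA configured on the MX, so a "Certificate Validation Failure" is usually a chain or EKU problem that can be reproduced offline with `openssl verify -CAfile issuing-ca.pem client.pem` and `openssl x509 -in client.pem -noout -ext extendedKeyUsage` before any profile setting is changed.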

JamesPickup
Here to help

Thank you, sounds reasonably promising!

jhwong81
New here

@zeestrat-nina I've been able to get beta access for a while now and have not been able to get cert-based authentication to work. For the time being I'm using SAML authentication with AAD but looking to go cert only. We are a mostly Mac shop and when I upload my cert to the MX and test computer I just get the dreaded Certificate Validation Failure.

Do you happen to have any steps, tutorials, tips, tricks or idea what I may be doing wrong?
