AnyConnect Client with RADIUS Authentication

Here to help

Hello Everyone, 


I configured the AnyConnect Client feature on the MX250 and pointed the authentication to our internal RADIUS server setup. From the MX250 I could ping the RADIUS server without any problem. I am able to get Azure MFA authentication when I try to connect to the VPN, but I get a "login failed" error.


Has anyone implemented the AnyConnect VPN Client with a RADIUS server?

Kind of a big deal

I am using it with RADIUS to the Cisco ISE and also to the DUO-Auth-Proxy for MFA. Works fine.

I would assume that you are using it against the NPS on your Domain? Then you should find some information in the Security Event-Log and/or the NPS-Log.


Also capturing the RADIUS-Packets and looking into the RADIUS Communication can sometimes help.

Kind of a big deal

Filter the security event log on the NPS server for event IDs 6272 and 6273. Do they say they allowed or denied the connection? If they say NPS denied the connection - why - and then fix the NPS rules.


If the connection was allowed, make sure you have increased the default RADIUS timeout for AnyConnect to at least 30s (needs to be enough time for the push event to be sent to the user, the user to acknowledge it, and NPS to respond to the MX).






On a personal note; I've deployed NPS+Azure MFA a lot.  I don't recommend it to clients.  Typically you can expect it to stop working 1 to 2 times a year.  The debugging is poor.  You usually end up floundering around re-installing things until you randomly get it working again.

Instead, use SAML against AzureAD. 


If you really need to use RADIUS based authentication - I would strongly recommend using Duo.  Rock-solid.  You won't have to touch it again after installation.  Worth the extra money for the reliability. 
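
The event-log check suggested in the reply above, written out as an added example (not part of the original thread or any poster's own code). It pulls events 6272 and 6273 from the Security log on the NPS server and lists the result, policy and reason for each; the `$Hours` lookback parameter and the selected field names are assumptions of this example.

```powershell
# Added example: summarise recent NPS grant/deny events (IDs 6272 and 6273).
# Run in an elevated PowerShell session on the NPS server.
# $Hours is a hypothetical lookback window chosen for this example.
param([int]$Hours = 2)

$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent writes an error when nothing matches; treat that as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named <Data> elements of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        # Field names below are assumed from the usual layout of these events;
        # inspect $data.Keys if a column comes back empty.
        User   = $data['SubjectUserName']
        Client = $data['ClientName']
        Policy = $data['NetworkPolicyName']
        Code   = $data['ReasonCode']
        Reason = $data['Reason']
    }
}

# Chronological detail first, then a count per result and reason code.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap
$rows | Group-Object Result, Code | Select-Object Count, Name
```

If the table shows the request as Granted while the client still reports a failed login, compare the event time with the moment the user approved the MFA prompt to see whether the response arrived inside the RADIUS timeout configured on the MX.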
