AnyConnect + Okta SAML - AnyConnect Browser Hanging/Freezing

AnthonyI

Hello,

 

We're using Okta with SAML to authenticate our users into our Meraki VPN through the Cisco AnyConnect client. We followed the configuration guidelines here.

 

Our user base consists of a combination of Macs (Monterey 12.5+), Windows (10+), and Linux (Ubuntu 20.04+) machines.

 

When users try to connect to the VPN, an AnyConnect browser window pops up and directs them to enter their Okta credentials (screenshot 1 below). After they enter their password, they receive a 2FA prompt via Okta Verify on their registered device (screenshot 2 below). After they finish this step, they successfully connect to the VPN.

 

Some users, however, are having the AnyConnect browser window freeze after they do the 2FA challenge (screenshot 3). Although the logs in Okta show that they are successfully authenticating, they still cannot get on the VPN until they get past this step.

 

This used to happen less frequently but seems to be occurring more consistently for some users. Some attempted fix actions:

 

  • Restarting the machine
  • Reinstalling/updating Cisco AnyConnect
  • Restarting the MX-105 HA pair

 

Any ideas would be appreciated here. Thanks!

 

Attachments: Meraki_Okta_Screenshot1.jpg, Meraki_Okta_Screenshot2.jpg, Meraki_Okta_Screenshot3.jpg

1 REPLY
TimRice

This is because of the requirement for SSO Extensions that are required for this to work on a Macintosh.

I believe Cisco should allow Chrome or Firefox to be used for the authentication. BTW, this SSO Extension is delivered via a Macintosh Profile that MUST be delivered by an MDM. It is a big pain because not everyone uses an MDM for their Macintosh.

 

We pushed this SSO Extension via an MDM, and things work.

Cisco, please update your VPN to use anything other than the macos.ascocket extension or allow companies to be able to leverage a different browser for the WebAuthn authentication.

com.cisco.anyconnect.macos.acsockext.systemextension/Contents/MacOS/com.cisco.anyconnect.macos.acsockext
