AnyConnect SAML Group Policy assignment

Ruben2
Here to help

AnyConnect SAML Group Policy assignment

Does anyone know of a way to assign a group policy to a VPN Session via SAML Authentication?

 

With radius Authentication you can pass back an attribute that would put the VPN Session into a Group Policy.

Is this possible with SAML Authentication as well?
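As an added illustration of the mechanism the question is asking about (not code from the thread, and not anything Meraki implements), the snippet below shows what a SAML-based group policy assignment would have to consume: the VPN head-end reads a group attribute out of the assertion's AttributeStatement and maps it to a named group policy, falling back to a restrictive default when no mapped group is present. The attribute name is the groups claim Azure AD commonly emits, the policy names and the mapping are made up, and the assertions are constructed samples with the signature omitted; in a real head-end the attributes would only be read after the assertion's signature has been verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute name: the groups claim Azure AD typically sends.
# Not taken from the thread; adjust to whatever the IdP is configured to emit.
GROUP_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical mapping of IdP group -> group policy name; first match wins,
# so more privileged policies should be listed first.
GROUP_TO_POLICY = [
    ("vpn-admins", "Admin-Full-Access"),
    ("vpn-contractors", "Contractor-Restricted"),
]
# Policy applied when the assertion carries no mapped group (fail closed).
DEFAULT_POLICY = "Default-Deny"

# Constructed sample assertion (no real IdP, signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>vpn-contractors</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion whose IdP sent no groups claim at all.
NO_GROUPS_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>bob@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute_values(assertion_xml: str, name: str) -> list:
    """Return every AttributeValue of the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def select_group_policy(assertion_xml: str) -> str:
    """Pick the group policy for a session from the assertion's group attribute.

    Only groups present in GROUP_TO_POLICY influence the result; unknown groups
    are ignored and a missing attribute yields DEFAULT_POLICY.
    """
    groups = set(extract_attribute_values(assertion_xml, GROUP_ATTRIBUTE))
    for group, policy in GROUP_TO_POLICY:
        if group in groups:
            return policy
    return DEFAULT_POLICY


if __name__ == "__main__":
    print(select_group_policy(SAMPLE_ASSERTION))     # Contractor-Restricted
    print(select_group_policy(NO_GROUPS_ASSERTION))  # Default-Deny
```

The ordered mapping matters when a user is in several groups: it makes the precedence explicit instead of depending on the order the IdP lists the values, and the fail-closed default means a misconfigured claim puts the session into the most restrictive policy rather than the default one.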

Inderdeep
Kind of a big deal

@Ruben2 : check this out 

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

You can't do it ... yet.

Is this still the case?

PhilipDAth
Kind of a big deal

It is still the case.

joaro
Conversationalist

@PhilipDAth 
Do you know if there is an update to this?

PhilipDAth
Kind of a big deal

It is still a work in progress.

".... yet" ... have you heard anything about this being talked about ? 🙂

Alas it is still a work in progress.

thomasthomsen
Head in the Cloud

Has anyone noticed that this (Group Policy) does not even work statically with AnyConnect and SAML?

I just tested with a customer, and the static Group policy in the config (at the very bottom of the page) does nothing.

It works fine in non-SAML ... how strange.

El-Bandito
Here to help

@PhilipDAth Hey Philip, you seemed pretty helpful, so I wanted to ask you about this topic. I am trying to do Cisco AnyConnect w/ SAML authentication with Microsoft Azure. Do you know if this is still a limitation where group policy cannot be applied if SAML is being used?

And if it's not possible, is there any workaround for it? I was looking at Azure, and their conditional access policies don't support time-based restrictions, which is what I'm trying to implement in group policy.

Our company has a requirement where VPN access has to be restricted from 8am-5pm.

>do you know if this is still a limitation where group policy cannot be applied if SAML is being used? 

 

It is being worked on, but is not available today.

 

>Our company has a requirement where VPN access has to be restricted from 8am-5pm.

 

I haven't tried this - but try configuring the default AnyConnect group policy and put a schedule in there.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

You might need to do something like configure the firewall rules to block everything, and then use the schedule to allow access.

 

It baffles me how long SAML has already been supported for AnyConnect while group policy support has been missing the whole time. It's just not a viable authentication mechanism if you would like to design separate access policies in the Meraki dashboard. Hopefully the team at Secure Client puts this somewhere at the top of their list.

El-Bandito
Here to help

We're now headed in a different direction. Going with Fortigate for SSLVPN w/ SAML Authentication to O365. Without rules for VPN traffic, we can't continue to use Meraki.

znet
Conversationalist

We are waiting for this very important function too and hope that Meraki will implement this soon!

MichielQ
Conversationalist

Still eagerly awaiting this as well. Support for SAML assertion attributes, which can be used to make DAP policy selections, has been added in ASA 9.17 (almost 2 years ago!), but still no news on Meraki side. 😞

Wojciech
New here

This is an essential function we are missing. Come on Meraki team!

This has actually forced us to move on to a different firewall that supports basic enterprise features like this.

MichelSchuurman
Conversationalist

Our company is also in desperate need of this function. We have this working through ASA, but that is the only function of the ASA at the moment since Meraki still doesn't support SAML group policies.
