AnyConnect SAML Group Policy assignment

Ruben2
Here to help

AnyConnect SAML Group Policy assignment

Does anyone know of a way to assign a group policy to a VPN Session via SAML Authentication?

 

With radius Authentication you can pass back an attribute that would put the VPN Session into a Group Policy.

Is this possible with SAML Authentication as well?

48 Replies 48
Inderdeep
Kind of a big deal
Kind of a big deal

@Ruben2 : check this out 

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal
Kind of a big deal

You can't do it ... yet.

Lukef
Here to help

Is this still the case?

PhilipDAth
Kind of a big deal
Kind of a big deal

It is still the case.

joaro
Conversationalist

@PhilipDAth 
Do you know if there is an update to this?

PhilipDAth
Kind of a big deal
Kind of a big deal

It is still a work in progress.

thomasthomsen
Kind of a big deal

".... yet" ... have you heard anything about this being talked about ? 🙂

PhilipDAth
Kind of a big deal
Kind of a big deal

Alas it is still a work in progress.

znet
Conversationalist

Do you know if an early access release is planned?

PhilipDAth
Kind of a big deal
Kind of a big deal

I have asked this myself.  I don't think there is much motivation to do this at the moment.

thomasthomsen
Kind of a big deal

have anyone noticed that this (Group Policy) does not even work statically with anyconnect and SAML ?

I just tested with a customer, and the static Group policy in the config (at the very bottom of the page) does nothing.

It works fine in non-SAML ... how strange.

El-Bandito
Here to help

@PhilipDAth   Hey Philip,  you seemed pretty helpful wanted to ask you about this topic.   I am trying to do Cisco AnyConnect w/ SAML authentication with Microsoft Azure..  do you know if this is still a limitation where group policy cannot be applied if SAML is being used? 

And if it's not possible, is there any workaround for it?  I was looking at Azure, and their conditional access policies don't support time-based restrictions.. which is what I'm trying to implement in group policy. 

Our company has a requirement where VPN access has to be restricted from 8am-5pm.  

PhilipDAth
Kind of a big deal
Kind of a big deal

>do you know if this is still a limitation where group policy cannot be applied if SAML is being used? 

 

It is being worked on, but is not available today.

 

>Our company has a requirement where VPN access has to be restricted from 8am-5pm.

 

I haven't tried this - but try configuring the default AnyConnect group policy and put a schedule in there.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

You might need to do something like configure the firewall rules to block everything, and then use the schedule to allow access.

 

MichielQ
Conversationalist

It baffles me for how long SAML is already supported for AnyConnect, but group policy support has been missing ever since. It's just not a viable authentication mechanism if you would like to design separate access policies in Meraki dashboard. Hopefully the team at Secure Client puts this somewhere at the top of their list.

El-Bandito
Here to help

We're now headed in a different direction.  Going with Fortigate for SSLVPN w/ SAML Authentication to O365.  Without rules for vpn traffic, we can't continue to use Meraki.

znet
Conversationalist

We are waiting for this very important function too and hope that meraki will implement this soon!

MichielQ
Conversationalist

Still eagerly awaiting this as well. Support for SAML assertion attributes, which can be used to make DAP policy selections, has been added in ASA 9.17 (almost 2 years ago!), but still no news on Meraki side. 😞

Wojciech
New here

This is an essential function we are missing. Come on Meraki team!

El-Bandito
Here to help

This has actually forced us to move on to a different firewall, that supports basic enterprise features like this. 

MichelSchuurman
Conversationalist

Our company is also in desperate need for this to function. We have this working through ASA but that is the only function of the ASA at the moment since Meraki still doesn't support SAML Groups policies.

 

MichielQ
Conversationalist

Want to raise attention to this issue once more. There is still a need for this functionality to be implemented, so hoping Meraki development team finally takes notice. Authentication & Control methods need to be revamped to be on par with other industry leaders.

PhilipDAth
Kind of a big deal
Kind of a big deal

If you send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy", then they'll turn it on for you.

 

Once enabled you'll see this:

PhilipDAth_0-1724065206685.png

 

znet
Conversationalist

Hello PhilipDAth,

 

Thank you for the information. It's good to know that Meraki is working on this feature and that we can use it in beta!

 

Do you know if we can define multiple group policies for different SAML groups?

GIdenJoe
Kind of a big deal
Kind of a big deal

Oh wow, this would be handy no longer requiring Radius to get this functionality.
I don't know anything of SAML itself.
How can you map Entra ID groups to group policies then?

PhilipDAth
Kind of a big deal
Kind of a big deal

To answer @znet and @GIdenJoe , if you are using Entra ID you can map Entra groups to Meraki group policies.  There are several ways of doing it.  Basically you pass whatever Meraki group policy you want applied to the user in the SAML attribute (called "vpnfilter" in my example - but you can call it anything you like).

 

Basically you can say if you are a member of "this" list of groups, apply this policy ("VPN-Humans" in this example).  You can keep adding more and more criteria and specifying different Meraki group policies to apply.

 

PhilipDAth_0-1724103763265.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal

>would be handy no longer requiring Radius to get this functionality

 

One of the nice things is that it doesn't require any compute on-premise to be working.  You can have your whole VMWare farm down, you can have all your servers wiped out by CrowdStrike - and you can still VPN in like normal.

GIdenJoe
Kind of a big deal
Kind of a big deal

Oh great.  So with this new feature you reference in Meraki dashboard the name of the attribute you have added to the Entra ID users.  In this case this is vpnfilter.

 

And then per group you can define the value inside that attribute to match the group policy name you want applied in dashboard?

PhilipDAth
Kind of a big deal
Kind of a big deal

Correct.

fb
Conversationalist

This is a great feature! I was able to add the attribute in the "Attributes & Claims" area of the Entra ID Enterprise App, but cannot find where to reference the attribute in the Meraki Dashboard. I'm trying to use this config to dynamically assign a group policy for the Cisco VPN client / SAML.

Any hint on how to accomplish this in the Meraki client vpn config?

PhilipDAth
Kind of a big deal
Kind of a big deal

Send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy".  Then they'll turn it on for you.

thomasthomsen
Kind of a big deal

I tried writing that email last week no response unfortunately 😕

Did anyone else had any luck ?

PhilipDAth
Kind of a big deal
Kind of a big deal

I have also managed to get support to turn it on before - but many of them don't know how yet.  You need to ask for "AnyConnect SAML Group Policy" to be enabled.

thomasthomsen
Kind of a big deal

I asked support, and they enabled it for me 🙂

Now ... the big question, where to find documentation, because even though you have provided a screenshot from Azure, that really does not tell me, a non-Azure speaking person, much 🙂

PhilipDAth
Kind of a big deal
Kind of a big deal

There is more than one way to do this.  Start at https://entra.microsoft.com/, go into Applicatoins/Enterprise Applications/<select your AnyConnect app>/Single Sign On, and edit (2) Attributes & Claims.

 

PhilipDAth_0-1725961238324.png

 

Then click "Add new claim".  For the name enter "vpnpolicy".  Expand "Claim Conditions".  Set "User Type" to "Members".  For "Scoped Group" select an existing Entra ID group.  For the "Source" put "Attribute".

The attribute field is a down down list - but that is just a guide.  Instead just type in the Meraki group policy that you want to apply.

Add as many claim conditions as required to match Entra ID groups to Meraki group policies.

PhilipDAth_1-1725961557201.png

 

I prefix my group policies that are used for VPNs with VPN- but you can use whatever naming convention you want.

 

On the Meraki side, make sure you put the same claim name in the AnyConnect config, in this case, vpnpolicy.

 

PhilipDAth_0-1725964905786.png

 

 

thomasthomsen
Kind of a big deal

In your example, Im a little confused how "vpnfilter" is used ... your claimname (in the sceenshots), is "vpnpolicy" ? .. so would that not be the correct config ?

I know its just a screenshot thing .. but just to be sure.

PhilipDAth
Kind of a big deal
Kind of a big deal

Buggar.  Change vpnfilter to vpnpolicy.

KarstenI
Kind of a big deal
Kind of a big deal

Do you know if this can also be done with Duo? If so, I'll also try to activate it.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

It is much easier doing it with Duo.  Define "Role Attributes" so it looks like this:

 

PhilipDAth_0-1725969055388.png

"VPN-Humans" is the Meraki group policy to apply.

KarstenI
Kind of a big deal
Kind of a big deal

This looks so good; I wish I had this from day one of SAML ...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
fb
Conversationalist

I ended up calling Meraki's support and they were able to enable the feature. It's working like a charm!

They should have this enabled for all organizations. Manually assigning the group policies is not practical, even for SMBs.

This thread is a life saver. Thank you very much for sharing!

PhilipDAth
Kind of a big deal
Kind of a big deal

Every now and then I try to encourage Meraki to release it as an Early Access feature that can be enabled via the dashboard.

Ste
Comes here often

Dear @PhilipDAth 

 

any new about early access for this features?

is something that we are looking forward.

 

thank you

BjornAx
Conversationalist

While it's not possible to activate by yourselves it is possible to get it. We are using it now and working as it should.

 

Just create a support ticket in your dashboard and ask to enable Anyconnect SAML group policy.

PhilipDAth
Kind of a big deal
Kind of a big deal

I have not heard anything about it being made available via the Early Access program.

RobbyMcCarrell
Comes here often

Does anyone have any info on how to do this with Okta?

BjornAx
Conversationalist

Thank you all for this information. We are changing from the Meraki VPN solution to anyconnect and we use group policies.

 

I have just emailed meraki to enable it for us so i hope they do it soon.

 

Thank you @PhilipDAth for that guide. 🙂

nikolaycholakov
Conversationalist

What is an example scenario to test this implementation?

YoinkZ
Getting noticed

@PhilipDAth Much appreciated!
I have been used to build most of my VPN connectivity around DAP, so this was a huge problem when we started to move towards Meraki. At the moment I still stay with my old ASA's as VPN Concentrators for only this feature.

 

Hopefully when Meraki enable the SAML Group Policy thing it will start working!

Get notified when there are additional replies to this discussion.