Meraki Community

Is this still the case?

It is still the case.

@PhilipDAth 
Do you know if there is an update to this?

It is still a work in progress.

".... yet" ... have you heard anything about this being talked about ? 🙂

Alas it is still a work in progress.

Do you know if an early access release is planned?

I have asked this myself.  I don't think there is much motivation to do this at the moment.

>do you know if this is still a limitation where group policy cannot be applied if SAML is being used? 

It is being worked on, but is not available today.

>Our company has a requirement where VPN access has to be restricted from 8am-5pm.

I haven't tried this - but try configuring the default AnyConnect group policy and put a schedule in there.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

You might need to do something like configure the firewall rules to block everything, and then use the schedule to allow access.

It baffles me for how long SAML is already supported for AnyConnect, but group policy support has been missing ever since. It's just not a viable authentication mechanism if you would like to design separate access policies in Meraki dashboard. Hopefully the team at Secure Client puts this somewhere at the top of their list.

This has actually forced us to move on to a different firewall, that supports basic enterprise features like this. 

If you send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy", then they'll turn it on for you.

Once enabled you'll see this:

Hello PhilipDAth,

Thank you for the information. It's good to know that Meraki is working on this feature and that we can use it in beta!

Do you know if we can define multiple group policies for different SAML groups?

Oh wow, this would be handy no longer requiring Radius to get this functionality.
I don't know anything of SAML itself.
How can you map Entra ID groups to group policies then?

To answer @znet and @GIdenJoe , if you are using Entra ID you can map Entra groups to Meraki group policies.  There are several ways of doing it.  Basically you pass whatever Meraki group policy you want applied to the user in the SAML attribute (called "vpnfilter" in my example - but you can call it anything you like).

Basically you can say if you are a member of "this" list of groups, apply this policy ("VPN-Humans" in this example).  You can keep adding more and more criteria and specifying different Meraki group policies to apply.

>would be handy no longer requiring Radius to get this functionality

One of the nice things is that it doesn't require any compute on-premise to be working.  You can have your whole VMWare farm down, you can have all your servers wiped out by CrowdStrike - and you can still VPN in like normal.

Oh great.  So with this new feature you reference in Meraki dashboard the name of the attribute you have added to the Entra ID users.  In this case this is vpnfilter.

And then per group you can define the value inside that attribute to match the group policy name you want applied in dashboard?

Correct.

This is a great feature! I was able to add the attribute in the "Attributes & Claims" area of the Entra ID Enterprise App, but cannot find where to reference the attribute in the Meraki Dashboard. I'm trying to use this config to dynamically assign a group policy for the Cisco VPN client / SAML.

Any hint on how to accomplish this in the Meraki client vpn config?

Send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy".  Then they'll turn it on for you.

I tried writing that email last week no response unfortunately 😕

Did anyone else had any luck ?

I have also managed to get support to turn it on before - but many of them don't know how yet.  You need to ask for "AnyConnect SAML Group Policy" to be enabled.

I asked support, and they enabled it for me 🙂

Now ... the big question, where to find documentation, because even though you have provided a screenshot from Azure, that really does not tell me, a non-Azure speaking person, much 🙂

There is more than one way to do this.  Start at https://entra.microsoft.com/, go into Applicatoins/Enterprise Applications/<select your AnyConnect app>/Single Sign On, and edit (2) Attributes & Claims.

Then click "Add new claim".  For the name enter "vpnpolicy".  Expand "Claim Conditions".  Set "User Type" to "Members".  For "Scoped Group" select an existing Entra ID group.  For the "Source" put "Attribute".

The attribute field is a down down list - but that is just a guide.  Instead just type in the Meraki group policy that you want to apply.

Add as many claim conditions as required to match Entra ID groups to Meraki group policies.

I prefix my group policies that are used for VPNs with VPN- but you can use whatever naming convention you want.

On the Meraki side, make sure you put the same claim name in the AnyConnect config, in this case, vpnpolicy.

In your example, Im a little confused how "vpnfilter" is used ... your claimname (in the sceenshots), is "vpnpolicy" ? .. so would that not be the correct config ?

I know its just a screenshot thing .. but just to be sure.

Buggar.  Change vpnfilter to vpnpolicy.

Do you know if this can also be done with Duo? If so, I'll also try to activate it.

It is much easier doing it with Duo.  Define "Role Attributes" so it looks like this:

"VPN-Humans" is the Meraki group policy to apply.

This looks so good; I wish I had this from day one of SAML ...

I ended up calling Meraki's support and they were able to enable the feature. It's working like a charm!

They should have this enabled for all organizations. Manually assigning the group policies is not practical, even for SMBs.

This thread is a life saver. Thank you very much for sharing!

Every now and then I try to encourage Meraki to release it as an Early Access feature that can be enabled via the dashboard.