Does anyone know of a way to assign a group policy to a VPN Session via SAML Authentication?
With radius Authentication you can pass back an attribute that would put the VPN Session into a Group Policy.
Is this possible with SAML Authentication as well?
@Ruben2 : check this out
https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication
You can't do it ... yet.
Is this still the case?
It is still the case.
It is still a work in progress.
".... yet" ... have you heard anything about this being talked about ? 🙂
Alas it is still a work in progress.
Do you know if an early access release is planned?
I have asked this myself. I don't think there is much motivation to do this at the moment.
have anyone noticed that this (Group Policy) does not even work statically with anyconnect and SAML ?
I just tested with a customer, and the static Group policy in the config (at the very bottom of the page) does nothing.
It works fine in non-SAML ... how strange.
@PhilipDAth Hey Philip, you seemed pretty helpful wanted to ask you about this topic. I am trying to do Cisco AnyConnect w/ SAML authentication with Microsoft Azure.. do you know if this is still a limitation where group policy cannot be applied if SAML is being used?
And if it's not possible, is there any workaround for it? I was looking at Azure, and their conditional access policies don't support time-based restrictions.. which is what I'm trying to implement in group policy.
Our company has a requirement where VPN access has to be restricted from 8am-5pm.
>do you know if this is still a limitation where group policy cannot be applied if SAML is being used?
It is being worked on, but is not available today.
>Our company has a requirement where VPN access has to be restricted from 8am-5pm.
I haven't tried this - but try configuring the default AnyConnect group policy and put a schedule in there.
You might need to do something like configure the firewall rules to block everything, and then use the schedule to allow access.
It baffles me for how long SAML is already supported for AnyConnect, but group policy support has been missing ever since. It's just not a viable authentication mechanism if you would like to design separate access policies in Meraki dashboard. Hopefully the team at Secure Client puts this somewhere at the top of their list.
We're now headed in a different direction. Going with Fortigate for SSLVPN w/ SAML Authentication to O365. Without rules for vpn traffic, we can't continue to use Meraki.
We are waiting for this very important function too and hope that meraki will implement this soon!
Still eagerly awaiting this as well. Support for SAML assertion attributes, which can be used to make DAP policy selections, has been added in ASA 9.17 (almost 2 years ago!), but still no news on Meraki side. 😞
This is an essential function we are missing. Come on Meraki team!
This has actually forced us to move on to a different firewall, that supports basic enterprise features like this.
Our company is also in desperate need for this to function. We have this working through ASA but that is the only function of the ASA at the moment since Meraki still doesn't support SAML Groups policies.
Want to raise attention to this issue once more. There is still a need for this functionality to be implemented, so hoping Meraki development team finally takes notice. Authentication & Control methods need to be revamped to be on par with other industry leaders.
If you send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy", then they'll turn it on for you.
Once enabled you'll see this:
Hello PhilipDAth,
Thank you for the information. It's good to know that Meraki is working on this feature and that we can use it in beta!
Do you know if we can define multiple group policies for different SAML groups?
Oh wow, this would be handy no longer requiring Radius to get this functionality.
I don't know anything of SAML itself.
How can you map Entra ID groups to group policies then?
To answer @znet and @GIdenJoe , if you are using Entra ID you can map Entra groups to Meraki group policies. There are several ways of doing it. Basically you pass whatever Meraki group policy you want applied to the user in the SAML attribute (called "vpnfilter" in my example - but you can call it anything you like).
Basically you can say if you are a member of "this" list of groups, apply this policy ("VPN-Humans" in this example). You can keep adding more and more criteria and specifying different Meraki group policies to apply.
>would be handy no longer requiring Radius to get this functionality
One of the nice things is that it doesn't require any compute on-premise to be working. You can have your whole VMWare farm down, you can have all your servers wiped out by CrowdStrike - and you can still VPN in like normal.
Oh great. So with this new feature you reference in Meraki dashboard the name of the attribute you have added to the Entra ID users. In this case this is vpnfilter.
And then per group you can define the value inside that attribute to match the group policy name you want applied in dashboard?
Correct.
This is a great feature! I was able to add the attribute in the "Attributes & Claims" area of the Entra ID Enterprise App, but cannot find where to reference the attribute in the Meraki Dashboard. I'm trying to use this config to dynamically assign a group policy for the Cisco VPN client / SAML.
Any hint on how to accomplish this in the Meraki client vpn config?
Send an email to meraki-anyconnect-beta@cisco.com with a link to your org dashboard and ask them to enable "SAML AnyConnect Group Policy". Then they'll turn it on for you.
I tried writing that email last week no response unfortunately 😕
Did anyone else had any luck ?
I have also managed to get support to turn it on before - but many of them don't know how yet. You need to ask for "AnyConnect SAML Group Policy" to be enabled.
I asked support, and they enabled it for me 🙂
Now ... the big question, where to find documentation, because even though you have provided a screenshot from Azure, that really does not tell me, a non-Azure speaking person, much 🙂
There is more than one way to do this. Start at https://entra.microsoft.com/, go into Applicatoins/Enterprise Applications/<select your AnyConnect app>/Single Sign On, and edit (2) Attributes & Claims.
Then click "Add new claim". For the name enter "vpnpolicy". Expand "Claim Conditions". Set "User Type" to "Members". For "Scoped Group" select an existing Entra ID group. For the "Source" put "Attribute".
The attribute field is a down down list - but that is just a guide. Instead just type in the Meraki group policy that you want to apply.
Add as many claim conditions as required to match Entra ID groups to Meraki group policies.
I prefix my group policies that are used for VPNs with VPN- but you can use whatever naming convention you want.
On the Meraki side, make sure you put the same claim name in the AnyConnect config, in this case, vpnpolicy.
In your example, Im a little confused how "vpnfilter" is used ... your claimname (in the sceenshots), is "vpnpolicy" ? .. so would that not be the correct config ?
I know its just a screenshot thing .. but just to be sure.
Buggar. Change vpnfilter to vpnpolicy.
Do you know if this can also be done with Duo? If so, I'll also try to activate it.
It is much easier doing it with Duo. Define "Role Attributes" so it looks like this:
"VPN-Humans" is the Meraki group policy to apply.
This looks so good; I wish I had this from day one of SAML ...
I ended up calling Meraki's support and they were able to enable the feature. It's working like a charm!
They should have this enabled for all organizations. Manually assigning the group policies is not practical, even for SMBs.
This thread is a life saver. Thank you very much for sharing!
Every now and then I try to encourage Meraki to release it as an Early Access feature that can be enabled via the dashboard.
Dear @PhilipDAth
any new about early access for this features?
is something that we are looking forward.
thank you
While it's not possible to activate by yourselves it is possible to get it. We are using it now and working as it should.
Just create a support ticket in your dashboard and ask to enable Anyconnect SAML group policy.
I have not heard anything about it being made available via the Early Access program.
Thank you all for this information. We are changing from the Meraki VPN solution to anyconnect and we use group policies.
I have just emailed meraki to enable it for us so i hope they do it soon.
Thank you @PhilipDAth for that guide. 🙂
What is an example scenario to test this implementation?