AnyConnect, SAML and Certificate Authentication

SOLVED
lmorel

I saw @PhilipDAth replied to another thread a few minutes ago and it might be related so I apologize in advance if I am creating a similar post here. I am playing with AnyConnect and using SAML as Authentication Type. Works well so far. 

I came across this setting about Certificate Authentication (showing as Disabled below). Would that be for when I deploy this certificate on my Windows 10 clients through GPO, and Meraki checks and validates that this client is authorized to connect first, then moves on to the SAML Azure AD authentication step? Can I use a 3rd-party certificate for this as opposed to self-signed? I found a couple of instructions for AnyConnect and SAML configuration (one simple and one detailed) on the Meraki website, but I don't think this setting was explained.

[screenshot: lmorel_0-1642360123715.png]

1 ACCEPTED SOLUTION
PhilipDAth

Normally when you use that you also use it with RADIUS.  You upload the root CA certificate of your internal CA server.  AnyConnect will then verify the machine has a certificate from that CA server (so the machine is authorised to connect) and then authenticates the user (verifies the user is allowed to connect).

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication#Certificate-based_...

I have not attempted to use it with SAML.  I don't know if that would work or not.

IMHO, "normally", if you were using SAML and you wanted to also verify the machine is authorised, you would have SAML do that.  In the case of Azure AD, you would create a conditional access policy and have it verify whatever you want (anti-malware running, patch levels, etc).  In Azure AD terms, this is known as a "Compliance Policy" (and it uses Intune).

https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started 
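What the "upload the root CA certificate" check described in this answer amounts to, shown as an added example that is not from the thread or from Meraki's documentation: a throwaway internal CA issues a machine certificate, an unrelated CA issues one with the same name, and the same chain check the appliance performs is run with openssl verify. It assumes openssl is on PATH; the CA names and hostnames are made up.

```shell
#!/bin/sh
# Added example (not from the thread or Meraki docs). Builds an internal CA,
# issues one machine cert from it and one from an unrelated CA, then checks
# which one chains to the root that would be uploaded to the MX.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Internal root CA: its certificate (not its key) is what you would upload.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Corp Internal Root CA" \
  -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.pem" 2>/dev/null

# Unrelated CA standing in for a machine that is not yours.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null

# issue_cert <ca> <name> <cn>: generate a key + CSR and have the CA sign it,
# the same shape as a GPO/auto-enrolled machine certificate.
issue_cert() {
  ca="$1"; name="$2"; cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -out "$WORK/$name.pem" 2>/dev/null
}

issue_cert corp-ca  laptop1 "laptop1.corp.example"
issue_cert other-ca rogue   "laptop1.corp.example"   # identical CN, wrong issuer

# check_machine_cert <cert.pem>: returns 0 only if the certificate chains to
# the internal root; subject name alone does not matter.
check_machine_cert() {
  openssl verify -CAfile "$WORK/corp-ca.pem" "$1" >/dev/null 2>&1
}

for c in laptop1 rogue; do
  if check_machine_cert "$WORK/$c.pem"; then
    echo "$c: accepted (issued by $(openssl x509 -noout -issuer -in "$WORK/$c.pem"))"
  else
    echo "$c: rejected (issued by $(openssl x509 -noout -issuer -in "$WORK/$c.pem"))"
  fi
done
```

The check is only as selective as the CA you upload: a certificate from any issuer that chains to that root passes, so the root should be one that issues certificates only to your own machines, not a public CA that issues to anyone.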


3 REPLIES
lmorel

I apologize for the long delay. Thank you @PhilipDAth  for the info! I have been using SAML and Conditional Access in Azure and require BOTH options of "Require Hybrid Azure AD joined device" and "MFA" to grant access. It works very well. 


Maybe I am still struggling to understand that Certificate Authentication option mentioned in my original post and what you explained earlier. Are you implying this is an option to use IF I use RADIUS only, and NOT to use if I use SAML? Selecting the Enabled setting only allows uploading a "file".


I am not an expert on the certificate side of things but a CSR of some sort would need to be used, right? I was watching a video on YouTube about the Certificate Authentication setup for Cisco ASAs, just to get an idea of the whole concept. There is evidently information to be used to and from the ASA in order to complete the setup. And by looking at the MX interface, it looks like things are "missing" or not well explained. But now I am re-reading your post and I am guessing it's not needed (or can't be used) with SAML.


I used TND in the AnyConnect profile to disconnect the client when inside the office. But that wouldn't stop the user from clicking on Connect again and still successfully connecting while inside the office. So I created another Conditional Access rule to NOT grant access to an AnyConnect connection IF the user is physically located at a Trusted IP site (in the office). That works well too, as I get an Azure message telling me I cannot go past the SAML step. This should be clear enough to remind the user to stop trying.


[screenshot: lmorel_0-1645510259137.png]
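The two Conditional Access policies described in the reply above (grant only to Hybrid Azure AD joined devices with MFA; block from trusted locations), written out as Microsoft Graph policy bodies. This is an added example, not from the thread or from Microsoft's documentation; the enterprise application id, the environment variable names and the report-only starting state are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the two Conditional Access
# policies as Microsoft Graph request bodies and, if a token is present,
# creates them. APP_ID is a placeholder for the AnyConnect SAML enterprise
# application's object id; GRAPH_TOKEN is an assumed environment variable.
set -eu

APP_ID="${ANYCONNECT_APP_ID:-00000000-0000-0000-0000-000000000000}"

# Policy 1: grant only when the device is Hybrid Azure AD joined AND the user
# completed MFA. "domainJoinedDevice" is the Graph name for the portal's
# "Require Hybrid Azure AD joined device" control.
policy_require_hybrid_join_and_mfa() {
  cat <<EOF
{
  "displayName": "AnyConnect VPN: require Hybrid Azure AD joined device + MFA",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"] },
    "applications": { "includeApplications": ["$APP_ID"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["domainJoinedDevice", "mfa"]
  }
}
EOF
}

# Policy 2: block the VPN application from every named location marked as
# trusted (the office ranges), so Connect from inside fails at the SAML step.
policy_block_from_trusted_locations() {
  cat <<EOF
{
  "displayName": "AnyConnect VPN: block from trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"] },
    "applications": { "includeApplications": ["$APP_ID"] },
    "clientAppTypes": ["all"],
    "locations": { "includeLocations": ["AllTrusted"] }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
EOF
}

# create_policy <json>: POST to Graph with a token that holds
# Policy.ReadWrite.ConditionalAccess; without a token, print the body for review.
create_policy() {
  if [ -n "${GRAPH_TOKEN:-}" ]; then
    curl -sS -X POST "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
      -H "Authorization: Bearer $GRAPH_TOKEN" \
      -H "Content-Type: application/json" \
      --data-binary "$1"
  else
    printf '%s\n' "$1"
  fi
}

create_policy "$(policy_require_hybrid_join_and_mfa)"
create_policy "$(policy_block_from_trusted_locations)"
```

Both policies start in report-only mode so the sign-in logs show who would have been blocked before anything is enforced; before switching them to "enabled", add an emergency-access account to "excludeUsers" so a misconfigured policy cannot lock every administrator out.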


PhilipDAth

Cisco Duo (Cisco's SAML provider, like Azure AD but a million times better) also has something similar called "Device Trust".

https://duo.com/product/device-trust 


I'm still testing Duo for this use case.  It had a couple of issues to begin with.
