AnyConnect SAML authentication

jcoones
Here to help

Hello all,

 

Has anyone been able to get SAML authentication to work with AnyConnect? I have followed the setup from https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication but whenever I try to connect via the Mobility Client, I get an HTTP 500 error in the AnyConnect Login window.

 

I know this is a new feature so I just wanted to see if anyone has been able to get it working. Maybe there is a configuration piece missing from the documentation.

 

Thanks

PhilipDAth
Kind of a big deal

I've deployed it at maybe half a dozen clients, mostly against Azure AD and a little bit against Cisco Duo Central.

 

Works great.

jcoones
Here to help

I am using Azure AD also. I have it set up like the documentation states in Enterprise Applications. Then I set it up in the AnyConnect settings on the Dashboard. Followed the documentation to a T, but still can't get the login page to load. Did you have to do anything beyond the documentation to get it to work?

PhilipDAth
Kind of a big deal

Hmm, I think the documentation is correct.  I've done quite a bit of work with SAML, so I didn't really need to follow the instructions too closely.  I used them as a rough guide.

 

This is what the main bit of my Azure config looks like:

 

[screenshot: Azure AD app configuration]

 

I had a similar issue, when I wasn't using the default port 443.

 

Once I set it up with the default port it all worked. I went back in, changed it to the port I wanted, and modified the port number in three places to make it work.

 

[screenshots: port settings]

PhilipDAth
Kind of a big deal

Are you using the default port of 443 for AnyConnect on the MX (and I assume you aren't trying to NAT that same port through to anything internally)?

PhilipDAth
Kind of a big deal

This is my Meraki side:

 

[screenshot: Meraki Dashboard AnyConnect SAML settings]

 

Hello PhilipDAth,

 

I am also trying to set up SAML for my AnyConnect VPN client.  My problem is that when I go to the AnyConnect page, I don't even have the SAML option under Authentication and Access.  I only have RADIUS, Meraki Cloud Authentication and Active Directory.  I would like to use SAML with Azure AD.  Have you seen this issue before?  Any help would be greatly appreciated.

 

Thanks

Kit

What version is your firmware? 

PhilipDAth
Kind of a big deal

If you are already running 16.x or better, open a support case and ask them to turn it on for you.

Oh so this is something Meraki has to turn on from their end?  All my MXs are on 16.15.  This gives me hope.

 

Thank you

Kit

PhilipDAth
Kind of a big deal

I don't recall clearly now - but I'm going to say yes since you don't see the option.

 

Ask them to turn on AnyConnect SAML.

Thanks.  I'll call Meraki today.

Hi PhilipDAth,

 

Just want to give you an update.  I reached out to Meraki and they turned on the feature for us same day.  Hopefully this will help others in the future.  Thanks for your help.

 

Just wondering if you can help with the next problem I am facing.  When I use AnyConnect to connect to my VPN, I can tell SSO (or SAML) is working but I am hit with the message:  "AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/saml/sp/metadata/SAML' was not found in the directory 'XXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

 

Any idea?

 

Thanks

Kit

Just want to provide an update.  I got it to work.  I made sure I had Global Admin rights first this time.  Then I deleted the app and followed the process to recreate the app in AAD.  On the Meraki Dashboard side, I just had to upload the XML file again and it's working beautifully now.

 

This is the article I followed - https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configur...

 

Again, Meraki MX firmware on 16.15.  Had to call Meraki to have them turn on the Cisco AnyConnect SAML feature and then follow the article above to set up the app and configure SAML.  Must have Global Admin rights.

 

Thanks

Kit

PhilipDAth
Kind of a big deal

The Entity ID you have specified in Azure will be wrong.

 

It should be something like:

https://xxx.dynamic-m.com/saml/sp/metadata/SAML

 

[screenshot: Azure AD Identifier (Entity ID) setting]

 

Yes, I changed it and it's working fine now.  Thanks for your help.
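As an added example (not from the thread or from Meraki), a Python check for the two mismatches discussed above: the Identifier (Entity ID) in the Azure AD app not matching what the SP metadata declares (the AADSTS700016 error), and a changed AnyConnect port not being reflected in every URL. It parses an SP metadata document such as the one served at the Entity ID URL and compares it with the values entered on the IdP side. The hostname, port and ACS path in the sample are placeholders I constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SAML 2.0 metadata namespace used by the SP metadata document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of an SP metadata file (placeholder hostname and port;
# the ACS path is an assumption, not taken from Meraki documentation).
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example-placeholder.dynamic-m.com:8443/saml/sp/metadata/SAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example-placeholder.dynamic-m.com:8443/saml/sp/acs/SAML"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [AssertionConsumerService Location, ...]) from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_urls = [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)]
    return entity_id, acs_urls


def effective_port(url):
    """Port implied by a URL, so 'https://h/' and 'https://h:443/' compare equal."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_idp_app(xml_text, idp_identifier, idp_reply_url):
    """Compare the IdP-side app settings (Identifier and Reply URL as entered in
    Azure AD) with what the SP metadata declares. Returns a list of mismatches;
    an empty list means both sides agree. The Identifier comparison is an exact
    string match, which is the lookup AADSTS700016 reports as failed."""
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    problems = []
    if idp_identifier != entity_id:
        problems.append(f"Identifier (Entity ID) mismatch: IdP has {idp_identifier!r}, SP metadata declares {entity_id!r}")
    if idp_reply_url not in acs_urls:
        problems.append(f"Reply URL {idp_reply_url!r} is not an AssertionConsumerService in SP metadata {acs_urls}")
    for url in acs_urls:
        if effective_port(url) != effective_port(entity_id):
            problems.append(f"Port differs between entityID (port {effective_port(entity_id)}) and ACS {url!r}")
    return problems
```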

Ruben2
Here to help

Make sure you are on MX Version 16.15

I was on 16.13 and had this same issue; after upgrading to 16.15 it fixed it and SAML started working.

PhilipDAth
Kind of a big deal

I'm on 16.14 at the moment.  So now you have two working releases.  I'm going to upgrade to 16.15 now.

jcoones
Here to help

My config:

 

[screenshots: Azure AD and Dashboard configuration]

Error

[screenshot: HTTP 500 error in the AnyConnect login window]

 

Yup, this is exactly what was happening to me.

After talking to Meraki support they said they fixed this in version 16.15.

And after I upgraded to 16.15 it started working for me.

I also didn't populate the "Sign on URL:" in Basic SAML Configuration. I left that blank.

jcoones
Here to help

Yeah, I am on 16.13. I will try the newer firmware and see if that is the issue. Thank you all for the help.

jcoones
Here to help

Upgraded to 16.15 and now everything is working great. Thanks again for all the help.

Dudleydogg
A model citizen

I am on 17.2.1 and it acts like I never uploaded the anyconnect.xml

Perhaps you should upgrade to a current 17.5?

Dudleydogg
A model citizen

Normally I would, but it stated it was Beta so I was not sure.  Thanks, will try this for sure.

 

What port # do you have assigned in Meraki Anyconnect settings?

Dudleydogg
A model citizen

8443, and I believe I changed that in the URL link in Azure. This is mostly working for me now; I have even implemented it in Prod and no one is complaining.
