Meraki

jcoones · ‎Jan 19 2022

Hello all,

Has anyone been able to get SAML authentication to work with AnyConnect. I have followed the setup from https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication but whenever I try to connect via the Mobility Client, I get a HTTP 500 error in the AnyConnect Login window.

I know this is a new feature so I just wanted to see if anyone has been able to get it working. Maybe there is a configuration piece missing from the documentation.

Thanks

PhilipDAth · ‎Jan 19 2022

I've deployed it at maybe half a dozen clients, mostly against Azure AD and a little bit against Cisco Duo Central.

Works great.

jcoones · ‎Jan 19 2022

I am using Azure AD also. I have it setup like the documentation states in Enterprise Applications. Then I set it up in the AnyConnect settings on the Dashboard. Followed the documentation to a T, but still can't get the login page to load. Did you have to do anything beyond the documentation to get it to work?

PhilipDAth · ‎Jan 19 2022

Hmm, I think the documentation is correct. I've done quite a bit of work with SAML, so I didn't really need to follow the instructions too closely. I used them as a rough guide.

This is what the main bit of my Azure config looks like:

bjohndoe · ‎Jun 9 2022

I had a similar issue, when I wasn't using the default port 443.

Once I set it up with the default port it all worked. I went back in changed it to the port I wanted and modified the port number in three places to make it work.

PhilipDAth · ‎Jan 19 2022

Are you using the default port of 443 for AnyConnect on the MX (and I assume you aren't trying to NAT that same port through to anything internally)?

PhilipDAth · ‎Jan 19 2022

This is my Meraki side:

KitCheng · ‎Mar 15 2022

Hello PhilipDAth,

I am also trying to setup SAML to my AnyConnect vpn client. My problem is that when I go to the AnyConnect page, I don't even have the SAML option under Authentication and Access. I only have RADIUS, Meraki Cloud Authentication and Active Directory. I would like to use SAML with Azure AD. Have you seen this issue before? Any help would be greatly appreciated.

Thanks

Kit

jcoones · ‎Mar 15 2022

What version is your firmware?

PhilipDAth · ‎Mar 15 2022

If you are already running 16.x or better, open a support case and ask them to turn it on for you.

KitCheng · ‎Mar 15 2022

Oh so this is something Meraki has to turn on from their end? All my MXs are on 16.15. This gives me hope.

Thank you

Kit

PhilipDAth · ‎Mar 15 2022

I don't recall clearly now - but I'm going to say yes since you don't see the option.

Ask them to turn on AnyConnect SAML.

KitCheng · ‎Mar 16 2022

Thanks. I'll call Meraki today.

KitCheng · ‎Mar 17 2022

Hi PhilipDAth,

Just want to give you an update. I reached out to Meraki and they turned on the feature for us same day. Hopefully this will help others in the future. Thanks for your help.

Just wondering if you can help with the next problem I am facing. When I use AnyConnect to connect to my VPN, I can tell SSO (or SAML) is working but I am hit with the message: "AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/saml/sp/metadata/SAML' was not found in the directory 'XXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

Any idea?

Thanks

Kit

KitCheng · ‎Mar 17 2022

Just want to provide an update. I got it to work. I make sure I have Global Admin right first this time. Then I deleted the app and follow the process to recreate the app in AAD. Meraki Dashboard side, I just have to upload the xml file again and it's working beautifully now.

This is the article I followed - https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configur...

Again, Meraki MX firmware on 16.15. Had to call Meraki to have them turn on the Cisco AnyConnect SAML feature and then follow the article above to setup the app and configure SAML. Must have Global Admin right.

Thanks

Kit

PhilipDAth · ‎Mar 17 2022

The Entity ID you have specified in Azure will be wrong.

It should be something like:

https://xxx.dynamic-m.com/saml/sp/metadata/SAML

KitCheng · ‎Mar 17 2022

Yes, I changed it and it's working fine now. Thanks for your help.

Ruben2 · ‎Jan 19 2022

Make sure you are on MX Version 16.15

i was on 16.13 and had this same issue and after upgrading to 16.15 it fixed it and SAML started working

PhilipDAth · ‎Jan 19 2022

I'm on 16.14 at the moment. So now you have two working releases. I'm going to upgrade to 16.15 now.

jcoones · ‎Jan 19 2022

My config:

Error

Ruben2 · ‎Jan 19 2022

Yup this is exactly what was happening to me.

After talking to Meraki support they said they fixed this in version 16.15.

And after i upgraded to 16.15 it started working for me

Ruben2 · ‎Jan 19 2022

I also didnt populate the "Sign on URL:" on basic SAML Configuration. i left that blank

jcoones · ‎Jan 19 2022

Yeah, I am on 16.13. I will try the newer firmware and see if that is the issue. Thank you all for the help.

jcoones · ‎Jan 20 2022

Upgraded to 16.15 and now everything is working great. Thanks again for all the help.

Dudleydogg · ‎Feb 18 2022

I am on 17.2.1 and it acts like I never uploaded the anyconnect.xml

CptnCrnch · ‎Feb 20 2022

Perhaps you should upgrade to a current 17.5?

Dudleydogg · ‎Feb 21 2022

Normally I would but it stated it was Beta so was not sure. Thanks will try this for sure

bjohndoe · ‎Jun 9 2022

What port # do you have assigned in Meraki Anyconnect settings?

Dudleydogg · ‎Jun 12 2022

8443 and I believe I changed that in the URL link in Azure, this is mostly working for me now and I have even implemented in Prod and no one is complaining.

Meraki

Community

AnyConnect SAML authentication

AnyConnect SAML authentication