Meraki

AlanAtNgāTaonga · ‎Feb 22 2024

Hi, I'm setting up remote worker VPN on some Windows laptops that are joined to Entra (Azure AD). We're using the AnyConnect app to connect to a MX75 'VPN server'.

The SAML connection is working, but I want something more like SSO. Is that possible using the AnyConnect client app?

Users can successfully use the AnyConnect app to connect to our MX75 using their Entra (Azure AD) credentials, but they have to type in their Azure AD username and password. Is it possible to set things up so that they don't need to type in their username? That the AnyConnect app 'gets that from the system' somehow?

This topic from 2018 suggests that this isn't possible. I'm hoping that feature has been added since then. https://community.cisco.com/t5/vpn/single-sign-on-with-anyconnect/td-p/3738521

Thanks and regards

Alan

PhilipDAth · ‎Feb 22 2024

You need to open a support case, and ask them to set "Forceauthn= False" for SAML AnyConnect.

View solution in original post

PhilipDAth · ‎Feb 22 2024

You need to open a support case, and ask them to set "Forceauthn= False" for SAML AnyConnect.

Adrian4 · ‎Feb 23 2024

H Philip, is that something that needs to be added to the Azure App ?

Im not sure because I dont have access to ours and the guys at look after it have told me configuring autosign is not done at the Azure end (obviously wrong because the login prompt is a windows one - pretty sure they just fobed me off to close the ticket). Because I don't know Azure, I cant contradict them.

Could you let me know exactly where this is configured so I can tell them how to do it?

Thanks!

jimmyt234 · ‎Feb 23 2024

This is a back-end Meraki setting that you will have no visibility of and need to ask Meraki support to set.

Adrian4 · ‎Feb 23 2024

ah brilliant, cheers

AlanAtNgāTaonga · ‎Feb 25 2024

Hi Phil

That worked an absolute charm. Seems almost too good to be true! Now, if I log in to Windows with my MS365 ID, I can connect the AnyConnect VPN without any further authentication required.

I'd up the kudos points by 100 if I could, but it'll only register one!

Thanks very much. I know where to come now if I need a Cisco consultant in New Zealand!

JamesHammy · ‎Apr 30 2025

If this works then it's legendary.

We're about to start a pilot, and ultimate full roll-out, of the full Secure Connect (SD-WAN sites and remote VPN) and having to authenticate at every login would be a massive step back for us.

I've logged a ticket with Meraki support and will feedback if it works.

JamesHammy · ‎Apr 30 2025

Ah, I didn't appreciate this is for MX-based VPN connectivity, as opposed to the Secure Connect-based connectivity.

Meraki support have replied and It's apparently not a feature within the cloud solution and there are no plans to introduce it (which is total and utter insanity, given the terrible user experience it introduces).

sgargalas · ‎Jul 14 2025

Hello Alan.

If i understand correct. You are using the Anyconnect to connect to your VPN Server (MX) and you do this using the cred from Entra ID? To achieve this u are using SAML if yes how you do this? do u w=have any link? A client want this and after a search i have only find that u can do this using NPS Server and more specific a agent that register your NPS to the Entra ID so the user auth from RADIUS and RADIUS will ask the Entra for the creds. This is possible using SAML?

If u have anythink please share.

Best Regards.

SG

AlanAtNgāTaonga · ‎Jul 14 2025

Kia ora SG

Yes, that's working very well at our site, that the AnyConnect/Meraki VPN uses the Entra user credentials and security groups and 2FA for authentication.

Yes, I think that uses SAML.

There's:

configuration required on the Meraki VPN server
configuration required in Entra
a support request to the Cisco/Meraki support as detailed earlier in this thread

Regards

Alan

Meraki

Community

AnyConnect SSO to Entra (Azure AD)

AnyConnect SSO to Entra (Azure AD)