AnyConnect SSO to Entra (Azure AD)

Solved
AlanAtNgāTaonga
Here to help

Hi, I'm setting up remote worker VPN on some Windows laptops that are joined to Entra (Azure AD). We're using the AnyConnect app to connect to a MX75 'VPN server'.

The SAML connection is working, but I want something more like SSO. Is that possible using the AnyConnect client app?

Users can successfully use the AnyConnect app to connect to our MX75 using their Entra (Azure AD) credentials, but they have to type in their Azure AD username and password. Is it possible to set things up so that they don't need to type in their username? That the AnyConnect app 'gets that from the system' somehow?

This topic from 2018 suggests that this isn't possible. I'm hoping that feature has been added since then. https://community.cisco.com/t5/vpn/single-sign-on-with-anyconnect/td-p/3738521

Thanks and regards

Alan

1 Accepted Solution
PhilipDAth
Kind of a big deal

You need to open a support case, and ask them to set "Forceauthn= False" for SAML AnyConnect.

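Added example (editor's code, not from this thread and not Cisco's or Meraki's): what the "ForceAuthn" setting means on the wire. A SAML 2.0 AuthnRequest carries an optional ForceAuthn attribute; when it is "true" the IdP must authenticate the user again even if it already holds a session for them, and when it is "false" or absent the IdP may reuse the existing session, which is what turns the Windows/Entra sign-in into VPN SSO. The script builds a minimal AuthnRequest either way, encodes it as the HTTP-Redirect binding does (raw DEFLATE, then base64) and decodes a captured SAMLRequest parameter so you can check the flag yourself. The issuer, ACS and IdP URLs are placeholders, and nothing here reproduces how the MX actually constructs or signs its request.

```python
"""Inspect the ForceAuthn flag in SAML 2.0 AuthnRequests (added example; placeholder URLs)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, force_authn,
                        request_id="_req-0001", instant="2024-01-01T00:00:00Z"):
    """Minimal AuthnRequest. All URLs, the ID and the timestamp are placeholders
    for this example; a real SP uses a random ID, the current time and usually signs."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        # "true": the IdP MUST authenticate the user again even if it already
        # holds a session for them. "false": it may reuse that session (SSO).
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_str):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding; expects the URL-decoded parameter value."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def redirect_url(sso_url, xml_str):
    """The redirect an SP would send the browser to (unsigned in this example)."""
    return sso_url + "?" + urlencode({"SAMLRequest": encode_redirect_binding(xml_str)})


def authn_request_from_redirect_url(url):
    """Pull SAMLRequest out of a captured redirect URL and return the XML."""
    params = parse_qs(urlparse(url).query)  # parse_qs URL-decodes the value
    return decode_redirect_binding(params["SAMLRequest"][0])


def forces_reauth(xml_str):
    """True if this AuthnRequest forces the IdP to re-authenticate the user.
    Per SAML 2.0 Core section 3.4.1, ForceAuthn is optional and defaults to false."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


if __name__ == "__main__":
    for flag in (True, False):
        req = build_authn_request("https://vpn.example.test/saml/sp",
                                  "https://vpn.example.test/saml/acs",
                                  "https://idp.example.test/saml2", force_authn=flag)
        url = redirect_url("https://idp.example.test/saml2", req)
        print(f"ForceAuthn={flag}: forces re-auth -> "
              f"{forces_reauth(authn_request_from_redirect_url(url))}")
```

To confirm the back-end change took effect, capture the redirect the AnyConnect embedded browser makes to the Entra sign-in endpoint (a proxy or the browser's network log will show it), paste the full URL into authn_request_from_redirect_url and run forces_reauth on the result. If it still reports True, the IdP is obliged to prompt regardless of any existing Windows session. The trade-off is that with ForceAuthn off the VPN is trusting whatever session and Conditional Access state Entra already holds for that device rather than a fresh proof of the user's credentials.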


Adrian4
Head in the Cloud

Hi Philip, is that something that needs to be added to the Azure App?

I'm not sure because I don't have access to ours, and the guys who look after it have told me configuring auto sign-in is not done at the Azure end (obviously wrong because the login prompt is a Windows one - pretty sure they just fobbed me off to close the ticket). Because I don't know Azure, I can't contradict them.

Could you let me know exactly where this is configured so I can tell them how to do it?

Thanks!

jimmyt234
Head in the Cloud

This is a back-end Meraki setting that you will have no visibility of and need to ask Meraki support to set.

Adrian4
Head in the Cloud

ah brilliant, cheers

AlanAtNgāTaonga
Here to help

Hi Phil

That worked an absolute charm. Seems almost too good to be true! Now, if I log in to Windows with my MS365 ID, I can connect the AnyConnect VPN without any further authentication required.

I'd up the kudos points by 100 if I could, but it'll only register one!

Thanks very much. I know where to come now if I need a Cisco consultant in New Zealand!

JamesHammy
Getting noticed

If this works then it's legendary.

We're about to start a pilot, and ultimately a full roll-out, of the full Secure Connect (SD-WAN sites and remote VPN), and having to authenticate at every login would be a massive step back for us.

I've logged a ticket with Meraki support and will feed back if it works.

JamesHammy
Getting noticed

Ah, I didn't appreciate this is for MX-based VPN connectivity, as opposed to the Secure Connect-based connectivity.

Meraki support have replied and it's apparently not a feature within the cloud solution and there are no plans to introduce it (which is total and utter insanity, given the terrible user experience it introduces).

sgargalas
New here

Hello Alan.

If I understand correctly, you are using AnyConnect to connect to your VPN server (MX) and you do this using credentials from Entra ID? To achieve this you are using SAML? If yes, how do you do this? Do you have any link? A client wants this, and after a search I have only found that you can do this using an NPS server and, more specifically, an agent that registers your NPS with Entra ID, so the user authenticates via RADIUS and RADIUS asks Entra for the credentials. Is this possible using SAML?

If you have anything please share.

Best Regards.

SG

AlanAtNgāTaonga
Here to help

Kia ora SG

Yes, that's working very well at our site, that the AnyConnect/Meraki VPN uses the Entra user credentials and security groups and 2FA for authentication.

Yes, I think that uses SAML.

There's:

  1. configuration required on the Meraki VPN server
  2. configuration required in Entra
  3. a support request to the Cisco/Meraki support as detailed earlier in this thread

Regards

Alan
