AnyConnect VPN SSO

Solved
Adrian4
Head in the Cloud

Hello,

I have just configured a virtual MX in AWS as a VPN endpoint for AnyConnect using SAML SSO in Azure.

It all seems to be working nicely; however, every time I connect, it asks me to enter my username. I enter it, it does the MFA and I'm in.


Annoyingly it doesn't remember my username between connections. Is there any setting anywhere so that it either remembers and auto populates the username, or just doesn't ask at all and goes straight to MFA?


Our Azure is administered by a Group level IT dept (I don't have access), and they tell me there is nothing in the Azure app that affects this 😞

Any ideas?

Cheers.

8 Replies
alemabrahao
Kind of a big deal

AnyConnect does not have the capability to remember usernames between connections. This is a security measure to prevent sensitive information from being stored.

But AnyConnect does have an option to not cache the last username used. This can be found under the RestrictPreferenceCaching setting in the AnyConnectLocalPolicy.xml file.


AnyConnect Connection Profile - Clear Username - Cisco Community

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
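For reference, this is how that setting sits in a minimal AnyConnectLocalPolicy.xml; it is an added illustration, not a file from this thread or from Cisco, and the other element values and the acversion are assumed defaults. It only governs what the client caches locally on the endpoint; with SAML the username prompt is rendered by the IdP's sign-in page, which this file does not control.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative AnyConnectLocalPolicy.xml (added example, not from the thread).
     RestrictPreferenceCaching is the element under discussion; the remaining
     values are assumed defaults for a typical client install. -->
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd"
    acversion="4.10">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <!-- None        = the client may keep the last username in its preferences file
       Credentials = never cache the username; the user retypes it on every connect
       Thumbprints / CredentialsAndThumbprints / All restrict further. -->
  <RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>
  <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
</AnyConnectLocalPolicy>
```

The file lives in the client's profile directory and is read at startup, so a change takes effect on the next launch of the client, not the next connection.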
Adrian4
Head in the Cloud

That sounds a bit odd: it doesn't have the ability to remember usernames, but you can set an option to stop it remembering usernames?

The discussion you linked seemed to imply that it can cache usernames....



Having said that, the username prompt very much looks like a Microsoft challenge rather than a Cisco generated one. I assume that's because of the single sign on method we are using.

alemabrahao
Kind of a big deal

Here is the official documentation.


Supported features

Q. Is it possible to save the password credentials on AnyConnect so that it will not request authentication from the user (password storage feature)?

A. No, it is not possible to save the password credentials on AnyConnect.


Perhaps there is a workaround? Maybe, but for security reasons I advise you to keep it as is.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth (accepted solution)
Kind of a big deal

If you use SAML for authentication, it can be cached. It's not actually AnyConnect caching it then, but whatever IdP you are using.

Adrian4
Head in the Cloud

Ah, I thought it was something like that. I asked the guys that look after Azure but they said no 😕

Cheers!

AlanAtNgāTaonga
Conversationalist

Kia ora Philip,

We've talked a bit already on this subject. Thanks very much for your helpfulness.


Here's where I'm at now: https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SSO-to-Entra-Azure-AD/m-p/226242

> If you use SAML for authentication, it can be cached

How can I turn on the caching of credentials? It's not happening now, although the SAML connection does work fine when the user types in their credentials.


Thanks and regards

TEAM-ind
Getting noticed

Did you find a solution? I'm seeing the "stay signed in" prompt from Microsoft:

But when answering yes, I still go through the login process with every subsequent connection.


AlanAtNgāTaonga
Conversationalist

Hi TEAM-ind,

> > If you use SAML for authentication, it can be cached


> How can I turn on the caching of credentials?


This is what I was told: "This is a back-end Meraki setting that you will have no visibility of and need to ask Meraki support to set."


That doesn't sound very promising, but that's exactly what I did: I requested that configuration change via the Meraki support channel, and now it works perfectly. It connects every time, without needing to enter credentials.

I hope that helps.


Manaakitanga!

Alan
