Meraki

Community

AnyConnect VPN SSO

Solved
Adrian4
Head in the Cloud
‎Jan 15 2024 8:10 AM
‎Jan 15 2024 8:10 AM

AnyConnect VPN SSO

Hello,

I have just configured a virtual MX in AWS as a VPN endpoint for AnyConnect using SAML SSO in Azure.

It all seems to be working nicely however, every time I connect, it asks me to enter my username. I enter it, it does the MFA and I'm in.


Annoyingly it doesn't remember my username between connections. Is there any setting anywhere so that it either remembers and auto populates the username, or just doesn't ask at all and goes straight to MFA?


Our Azure is administered by a Group level IT dept (I don't have access) - any they tell me there is nothing in the Azure app that effects this 😞

Any ideas?

Cheers.

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 11:12 AM
‎Jan 15 2024 11:12 AM

If you use SAML for authentication, it can be cached.  It's not actually AnyConnect caching it then but whatever Idp you are using.

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 8:14 AM
‎Jan 15 2024 8:14 AM

The AnyConnect does not have the capability to remember usernames between connections. This is a security measure to prevent sensitive information from being stored.

But, the AnyConnect does have an option to not cache the last username used. This can be found under the RestrictPreferenceCaching setting in the AnyConnectLocalPolicy.xml file.


AnyConnect Connection Profile - Clear Username - Cisco Community

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Jan 15 2024 8:43 AM
‎Jan 15 2024 8:43 AM

that sounds a bit odd, it doesnt have the ability to remember usernames but you can set an option to stop it remembering usernames?

The discussion you linked seem'd to imply that it can cache user names....

Adrian4_0-1705336961420.png


having said that - the username prompt very much looks like a Microsoft challenge rather than a Cisco generated one - I assume because of the single sign on method we are using.

 

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 8:48 AM
‎Jan 15 2024 8:48 AM

Here is the offcial documentation.

 

 

 

 

Supported features

Q. Is it possible to save the password credentials on AnyConnect so that it will not request authentication from the user (password storage feature)?

A. No, it is not possible to save the password credentials on AnyConnect.

 

Perhaps, there is a workaround? Maybe, but for security reasons I advise you to keep it as is.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 11:12 AM
‎Jan 15 2024 11:12 AM

If you use SAML for authentication, it can be cached.  It's not actually AnyConnect caching it then but whatever Idp you are using.

In response to PhilipDAth
Adrian4
Head in the Cloud
‎Jan 16 2024 12:12 AM
‎Jan 16 2024 12:12 AM

Ah I thought it was something like that - I asked the guys that look after Azure but they said no 😕

cheers!

0 Kudos
In response to PhilipDAth
AlanAtNgāTaonga
Conversationalist
‎Feb 22 2024 3:18 PM
‎Feb 22 2024 3:18 PM

Kia ora Philip

 

We've talked a bit already on this subject. Thanks very much for your helpfulness.

 

Here's where I'm at now: https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SSO-to-Entra-Azure-AD/m-p/226242

 

If you use SAML for authentication, it can be cached

 

How can I turn on the caching of credentials? It's not happening now, although the SAML connection does work fine when the user types in their credentials.

 

Thanks and regards

In response to AlanAtNgāTaonga
TEAM-ind
Getting noticed
‎Oct 3 2024 6:40 AM
‎Oct 3 2024 6:40 AM

Did you find a solution?  I'm seeing the stay signed prompt from microsoft:

 

TEAMind_0-1727962736442.png

 

But when answering yes, I still go through the enter login process with every subsequent connection. 

 

 

0 Kudos
In response to TEAM-ind
AlanAtNgāTaonga
Conversationalist
‎Oct 3 2024 3:35 PM
‎Oct 3 2024 3:35 PM

Hi TEAM-ind

 

> > If you use SAML for authentication, it can be cached

 

> How can I turn on the caching of credentials?

 

This is what I was told: "This is a back-end Meraki setting that you will have no visibility of and need to ask Meraki support to set."

 

That doesn't sound very promising, but that's exactly what I did, requesting that configuration change via the Meraki support channel, and now it works perfectly. Connects every time, without needing to enter credentials.

 

I hope that helps.

 

Manaakitanga!

Alan

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.