Hi Everyone, hoping somebody has had experience with this. I am working on a VPN deployment with MX250 and AnyConnect. Everything is working great, I even got MFA to work with Azure AD via NPS. The problem I have is that users are not realizing they are supposed to look at their phone for the Microsoft Authenticator push. Meraki with AnyConnect doesn't support an interactive prompt for 2FA, but I can do a push via the MFA extension on the RADIUS server. The push works and everything works when I test it, but I want to pop a message for the user at some point during the process.
I explored a prompt for MFA but it isn't supported, so I am researching the "showprelogon message" attribute of the AnyConnect profile. I'm having trouble finding useful documentation. In the AnyConnect XML you can see this section
I want to make that part "True" and populate a message (basically telling the user to enter creds then expect a Microsoft Authenticator push), but I'm not sure where to put the message or the XML syntax required to define the message string. Anyone have any examples, or am I barking up the wrong tree here? I was thinking maybe this might be an ASA-only thing where the message is defined on an ASA group policy, but I'm not sure.
Probably not of much help here as my AnyConnect knowledge is very limited, but it's definitely possible.
My previous company had something similar.
Looking at the XML schema, I don't see anywhere to insert a message via XML directly.
However, the description indicates it should be editable in the message catalog.
+ This control enables an administrator to have a one time message
+ displayed prior to a users first connection attempt. As an example,
+ the message could be used to remind a user to insert their smart
+ card into it's reader.
+ The message to be used with this control is localizable and can be
+ found in the AnyConnect message catalog.
+ (default: "This is a pre-connect reminder message.")
That method would be painful. You would have to create an AnyConnect transform for the installer (an additional MSI). You'll pretty much need to be a developer to have the right tools to be able to do this.
Still not available on the MX AnyConnect. I was looking for a way to modify the MFA prompt window, which looks identical to the regular prompt window, except it says "Login error." instead of "Login failed." Unfortunately, this would require a transform file or something.