Meraki

Community

Anyconnect groups with Saml authentication Azure

Obrez
Here to help
‎Sep 14 2023 1:56 PM
‎Sep 14 2023 1:56 PM

Anyconnect groups with Saml authentication Azure

Hey all,

 

I have run into a problem moving from an ASA 5525 environment to MX, specifically Anyconnect VPN.  Currently the MX is working perfectly with saml and azure, but with the ASA solution we were able to create anyconnect "apps" in azure and apply users to the groups to restrict different access.  WIth the MX, I have not found a way to do that.  We have a lot of contractors and allowing full access to our network is not something I am willing to do.  

 

Has anyone out there successfully done something like this?  I keep reading that SAML groups are in the works but I see no evidence that its coming anytime soon.

 

cheers!

 

-Josh

Labels:
0 Kudos
3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 14 2023 5:28 PM
‎Sep 14 2023 5:28 PM

The Anyconnect has some limitations on MX but I think that you can achieve it using Group policies.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 15 2023 2:41 AM
‎Sep 15 2023 2:41 AM

I assume that the MX is not capable of this. Group-Policies can be applied, but I am only aware of doing this with RADIUS. And other that with the ASA, the is no secondary authorisation on the MX that can apply authorization after the SAML authentication.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Obrez
Here to help
‎Oct 13 2023 9:16 AM
‎Oct 13 2023 9:16 AM

Update here:

 

Thanks for the suggestions.  After much frustration and troubleshooting I have solved the problem by using radius and the azure MFA connector for NPS found here https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension.  I am using filter-ID in NPS to push group policy firewall rules for our contractors and other groups that need VPN access, and it seems to be working great so far.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.