Anyconnect vpn user identity in meraki

NssAnderson
Comes here often

Anyconnect vpn user identity in meraki

Users that connect to Anyconnect vpn cant be identified in Meraki, it only shows the word email as the connected user. We are using DUO and Azure AD with Cisco Anyconnect for MFA, is there a setting I need to change, so the users email address shows as the user connnected?

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

Are you using SAML authentication?  If so, the username should appear in the "User" column.

 

Are you running a current stable of better firmware on your MX?  If not, trying upgrading that.

NssAnderson
Comes here often

yes, we are using SAML authentication, with DUO and Azure AD for MFA.  The User column just displays the word email.  One thing I noticed, only one Anyconnect vpn  user will show connected in network- wide clients, unless I search for the anyconnect ip address that was assigned, I can see the ip addresses assigned in the event log. Also, each Anyconnect connection shows the same description, which looks like a MAC address. and in the MAC address column, it shows N?A (Anyconnect VPN), or if they are connected to the client vpn, it shows N?S (Client VPN)

We have the firmware version MX 18.107.5

PhilipDAth
Kind of a big deal
Kind of a big deal

On the Security & SD-WAN/Address & VLANS page - have you got "Unique client identifier" enabled?

 

PhilipDAth_0-1715283726689.png

 

If so, there is a bug at the moment preventing the display of client VPN connections correctly.  If this is your case, could you please open up a support case and get linked to the existing bug.  The more people linking to the bug the faster it will get fixed.

NssAnderson
Comes here often

it is enabled, but I thought maybe it had something to do with the attributes.  This is what shows in Entra.microsoft.com DUO SSO | SAML-based login , under the attriutes & Claims

 

Screenshot 2024-05-09 155157.png

PhilipDAth
Kind of a big deal
Kind of a big deal

This is what I use.

 

PhilipDAth_0-1715284943360.png

 

You have both "email" and "Email".  Mixing case like that is a bit risky.  Delete the attribute called "Email" and it will hopefully start working.

 

You wont need the "vpnpolicy" attribute that I have listed.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels