Hi,
I'm stuck and I don't know if my configuration is wrong or if this is just a limitation of how the interaction between Radius/Meraki/Anyconnect works at the moment.
Currently I have my old Cisco ASA5500 series Firewall set up, with Anyconnect using DAP profiles and Multifactor Authentication (Entrust) running on a Radius server. It works perfectly and is easy to use.
But my Firewalls are getting old and we have decided to move on and have chosen the Meraki as our new platform.
So far so good. I got Anyconnect up and running with my Radius server, and I can filter the logins with which group a user is a member of (from the AD) and then throw that back to the Meraki, so I make sure the right "Group Policy" is deployed (almost like DAP).
The problem starts when I introduce my "Entrust" solution, which is our Multifactor, running as a piece of software on the Radius server. The setup is exactly the same as when it runs with the ASA, but when I try to log in, the authentication prompt tells me "Login failed." after I have typed in my user credentials. But what really happens behind the scenes is that the username and password were validated successfully and now the Anyconnect client waits for the "Challenge/Response". If I then type in the OTP received (text message), Anyconnect will tell me that "You have successfully connected to client VPN".
To me it looks like the Anyconnect and Meraki are having some issues doing the "Challenge/Response" part, which works fine on the ASA. Same configuration on the NPS more or less.
I've been in contact with Entrust, who ran through the logs, and everything seems to be right on their end. It sees the Radius authentication, it then fires the Challenge/Response where I receive the text message, and finally it accepts the response and verification is successful.
Do any of you have a similar setup, or perhaps know if this is a limitation of how Anyconnect is working on Meraki as of now?
Thank you.
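As an added illustration, not code from the original post or from any vendor, of the RADIUS Access-Challenge round trip that the "Challenge/Response" step depends on: a toy MFA server plus two client behaviours, one of which labels the challenge as a failed login yet still echoes State and completes the OTP leg, reproducing the "Login failed." followed by "successfully connected" sequence described above. Packet codes and attribute numbers are from RFC 2865; the session token, user name and OTP are constructed, and whether this is what the Meraki/AnyConnect path actually does is an assumption used to model the symptom, not a finding.

```python
import struct
# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SESSION_STATE = b"mfa-session-42"   # constructed State token for the demo

def build_packet(code, ident, attrs):
    """Serialise header + (type, value) attrs; zero authenticator, plaintext password (wire layout only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def parse_packet(data):
    """Return (code, identifier, {attr_type: value}) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        attrs[t], pos = data[pos + 2:pos + l], pos + l
    return code, ident, attrs

def mfa_server(request, expected_otp=b"123456"):
    """Toy MFA server: challenge after the password leg, then judge the OTP leg."""
    _, ident, attrs = parse_packet(request)
    if STATE not in attrs:
        return build_packet(ACCESS_CHALLENGE, ident,
                            [(STATE, SESSION_STATE), (REPLY_MESSAGE, b"Enter OTP")])
    if attrs[STATE] == SESSION_STATE and attrs.get(USER_PASSWORD) == expected_otp:
        return build_packet(ACCESS_ACCEPT, ident, [])
    return build_packet(ACCESS_REJECT, ident, [])

def naive_client(code, attrs):
    """Maps every non-Accept code to a failure string, even Access-Challenge."""
    return ("connected" if code == ACCESS_ACCEPT else "Login failed."), attrs.get(STATE)

def challenge_aware_client(code, attrs):
    """Recognises Access-Challenge: shows Reply-Message and keeps State."""
    if code == ACCESS_ACCEPT:
        return "connected", None
    if code == ACCESS_CHALLENGE:
        return "prompt: " + attrs[REPLY_MESSAGE].decode(), attrs[STATE]
    return "Login failed.", None

def run_login(client, otp=b"123456"):
    """Password leg then OTP leg; return the two messages the user would see."""
    code, _, attrs = parse_packet(mfa_server(build_packet(
        ACCESS_REQUEST, 1, [(USER_NAME, b"alice"), (USER_PASSWORD, b"pw")])))
    first, state = client(code, attrs)
    code, _, attrs = parse_packet(mfa_server(build_packet(ACCESS_REQUEST, 2,
        [(USER_NAME, b"alice"), (USER_PASSWORD, otp), (STATE, state or b"")])))
    return [first, client(code, attrs)[0]]
```

A capture on the NPS side showing code 11 (Access-Challenge) with a State attribute, followed by a second Access-Request that echoes that State, is the check that separates a cosmetic client message from a genuine rejection.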