We are slowly getting rid of any on-prem servers and have been migrating our clients to log into their computers with their Azure AD credentials. Many of these clients do still have a need for VPN access to the office, and of course MFA to keep that all secure.
We would like to be able to set users up with Meraki Anyconnect VPN and have users use their Azure AD username to authenticate to the VPN, while also securing the connection with Duo MFA. Is this possible to do?
Thanks for the link. So if we are getting rid of all the servers, then how would we run the Duo authentication proxy? This is exactly the kind of hurdle we are trying to find a solution for.
Thanks, I was able to figure out a solution using the links you provided. We decided to use Microsoft MFA instead of Duo MFA for this, but otherwise we got it working. Used the SAML-based setup to authenticate the AnyConnect VPN connections via Azure AD. From there we used a conditional access policy to require MFA. Works like a champ!
Hi WarrenG, I am setting up the same for one of my clients. Did you need Azure P1 or P1 plan upgrades? Any links that helped you with the configuration would be great.
You don't need any particular license to be able to authenticate using SAML to Azure AD. However, to enable a conditional access policy to require MFA, you do need at least an Azure AD P1 license. Our users get that as part of the M365 Business Premium, so we did not need to purchase that separately. The link below helped me set up the SAML authentication part:
Then the conditional access policy to require MFA is also pretty straightforward once you have the license to enable it. In Azure AD, when you're inside the Cisco AnyConnect application that you configured in the previous step, you can click on the Conditional Access tab and it will then create a new policy that is limited in scope to the AnyConnect application only. Add your users and your conditions and you should be ready to test it out.
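For readers who would rather define the same policy as code than click through the portal, the following is an added example (not posted by anyone in this thread) that creates an equivalent conditional access policy through the Microsoft Graph PowerShell module: scoped to a single enterprise application and requiring MFA as the grant control. The application object ID, the group ID and the break-glass account ID are placeholders you must replace with values from your own tenant; the report-only state and the emergency-access exclusion are recommended practice rather than anything the thread itself specifies.

```powershell
# Added example: conditional access policy requiring MFA, scoped to one
# enterprise application (the Cisco AnyConnect SAML app), built with the
# Microsoft.Graph PowerShell module. All IDs below are placeholders.
# Install-Module Microsoft.Graph -Scope CurrentUser   # once, if not present

$AnyConnectAppId   = "00000000-0000-0000-0000-000000000000"  # placeholder: the app's Application (client) ID
$VpnUsersGroupId   = "11111111-1111-1111-1111-111111111111"  # placeholder: group that is allowed VPN access
$BreakGlassUserId  = "22222222-2222-2222-2222-222222222222"  # placeholder: emergency-access account to exclude

# The ConditionalAccess permission scope is needed to create or modify policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "VPN - Require MFA for AnyConnect (SAML)"
    # Start in report-only mode so sign-in logs show what *would* be blocked,
    # then switch to "enabled" once the results look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        applications = @{
            # Limit the scope to the AnyConnect app only, matching the
            # per-application policy the portal creates from the app's
            # Conditional Access tab.
            includeApplications = @($AnyConnectAppId)
        }
        users = @{
            includeGroups = @($VpnUsersGroupId)
            # Always exclude at least one emergency-access account so a
            # broken MFA method cannot lock administrators out entirely.
            excludeUsers  = @($BreakGlassUserId)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state '$($created.State)'"

# To review what exists afterwards:
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```

Leave the policy in report-only mode long enough to confirm, in the Azure AD sign-in logs, that AnyConnect sign-ins from the intended group are being evaluated and that nothing else is caught by it; only then change `state` to `"enabled"` (via `Update-MgIdentityConditionalAccessPolicy` or the portal). Because the SAML flow runs in the client's browser, the VPN gateway never sees passwords or MFA factors; it only receives the signed assertion once Azure AD is satisfied.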
Yep, I had to contact Meraki support to enable the SAML for Anyconnect feature. Not sure why it isn't just enabled, but that is a step I had to do too.
Hey @WarrenG, yup this should be possible using the docs in the Duo Community answer that @alemabrahao linked to! Both the Meraki Support and Duo Support teams should be able to assist you with troubleshooting if you run into any issues getting this set up.
You'll want to use Duo Single Sign-On for Generic SAML integrations. You will have to ask Meraki Support to enable SAML authentication for AnyConnect for you. Once that is done, you should be able to follow the instructions for how to set up authentication with Azure AD using SAML for AnyConnect VPN. Hope that helps!