Meraki

Community

Azure AD + Duo + Meraki Anyconnect VPN

Solved
WarrenG
Getting noticed
‎Nov 7 2022 11:12 AM
‎Nov 7 2022 11:12 AM

Azure AD + Duo + Meraki Anyconnect VPN

We are slowly getting rid of any on prem servers and have been migrating our clients to log into their computers with their Azure AD credentials. Many of these clients do still have a need for VPN access to the office, and of course MFA to keep that all secure.

 

We would like to be able to set users up with Meraki Anyconnect VPN and have users use their Azure AD username to authenticate to the VPN, while also securing the connection with Duo MFA. Is this possible to do?

0 Kudos
1 Accepted Solution
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 7 2022 11:47 AM
‎Nov 7 2022 11:47 AM

Also, check It:

 

https://community.duo.com/t/meraki-vpn-azure/11093

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 7 2022 11:37 AM
‎Nov 7 2022 11:37 AM

Check this article:

 

 

Duo Two-Factor Authentication for Meraki Client VPN

 

https://duo.com/docs/meraki-radius

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
WarrenG
Getting noticed
‎Nov 7 2022 11:41 AM
‎Nov 7 2022 11:41 AM

Hello alemabrahao,

 

Thanks for the link. So if we are getting rid of all the servers, then how would we run the Duo authentication proxy? This is exactly the kind of hurdle we are trying to find a solution for.

 

Thanks.

0 Kudos
In response to WarrenG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 7 2022 11:45 AM
‎Nov 7 2022 11:45 AM

Maybe It can help:

 

https://duo.com/docs/azure-ca

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 7 2022 11:47 AM
‎Nov 7 2022 11:47 AM

Also, check It:

 

https://community.duo.com/t/meraki-vpn-azure/11093

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
WarrenG
Getting noticed
‎Nov 7 2022 5:40 PM
‎Nov 7 2022 5:40 PM

Thanks, I was able to figure out a solution using the links you provided. We decided to use Microsoft MFA instead of Duo MFA for this, but otherwise we got it working. Used the SAML based setup to authenticate the AnyConnect VPN connections via Azure AD. From there we used a conditional access policy to require MFA. Works like a champ!

0 Kudos
In response to WarrenG
Vik2022
New here
‎Nov 15 2022 6:47 PM
‎Nov 15 2022 6:47 PM

Hi WarrenG, I am setting up the same for one of my clients. Did you need to Azure P1 or P1 plan upgrades. Any links that helped you with the conguration would be great. 

0 Kudos
In response to Vik2022
WarrenG
Getting noticed
‎Nov 15 2022 7:06 PM
‎Nov 15 2022 7:06 PM

You don't need any particular license to be able to authenticate using SAML to Azure AD. However, to enable a conditional access policy to require MFA, you do need at least an Azure AD P1 license. Our users get that as part of the M365 Business Premium, so we did not need to purchase that separately. The link below helped me set up the SAML authentication part:

 

AnyConnect Azure AD SAML Configuration - Cisco Meraki

 

Then the conditional access policy to require MFA is also pretty straight forward once you have the license to enable it. In Azure AD, when you're inside the Cisco AnyConnect application that you configured in the previous step, you can click on the Conditional Access tab and it will then create a new policy that is limited in scope to the AnyConnect application only. Add your users and your conditions and you should be ready to test it out.

0 Kudos
In response to WarrenG
Vik2022
New here
‎Nov 16 2022 4:19 PM
‎Nov 16 2022 4:19 PM

Thanks WarrenG!

 

Did you have to contact cisco to enable SAML or did it yoursef?

 

 

0 Kudos
In response to Vik2022
WarrenG
Getting noticed
‎Nov 16 2022 4:27 PM
‎Nov 16 2022 4:27 PM

Yep, I had to contact Meraki support to enable the SAML for Anyconnect feature. Not sure why it isn't just enabled, but that is a step I had to do too.

0 Kudos
AmyReyes
Community Manager
Community Manager
‎Nov 7 2022 1:00 PM
‎Nov 7 2022 1:00 PM

Hey @WarrenG, yup this should be possible using the docs in the Duo Community answer that @alemabrahao linked to! Both the Meraki Support and Duo Support teams should be able to assist you with troubleshooting if you run into any issues getting this set up.

 

You'll want to use Duo Single Sign-On for Generic SAML integrations. You will have to ask Meraki Support to enable SAML authentication for AnyConnect for you. Once that is done, you should be able to follow the instructions for how to set up authentication with Azure AD using SAML for AnyConnect VPN. Hope that helps!

In response to AmyReyes
WarrenG
Getting noticed
‎Nov 7 2022 5:43 PM
‎Nov 7 2022 5:43 PM

Thanks Amy, @alemabrahao's links did help point me in the right direction. Thanks for your help too.

0 Kudos
In response to AmyReyes
KaylanSGray
New here
‎Mar 28 2023 11:57 PM
‎Mar 28 2023 11:57 PM

I got this working following your links - the instructions are long/detailed but easy to follow. Thanks for the resources!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.