Azure AD + Duo + Meraki Anyconnect VPN

Solved
WarrenG
Getting noticed

Azure AD + Duo + Meraki Anyconnect VPN

We are slowly getting rid of any on prem servers and have been migrating our clients to log into their computers with their Azure AD credentials. Many of these clients do still have a need for VPN access to the office, and of course MFA to keep that all secure.

 

We would like to be able to set users up with Meraki Anyconnect VPN and have users use their Azure AD username to authenticate to the VPN, while also securing the connection with Duo MFA. Is this possible to do?

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

Also, check It:

 

https://community.duo.com/t/meraki-vpn-azure/11093

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal

Check this article:

 

 

Duo Two-Factor Authentication for Meraki Client VPN

 

https://duo.com/docs/meraki-radius

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
WarrenG
Getting noticed

Hello alemabrahao,

 

Thanks for the link. So if we are getting rid of all the servers, then how would we run the Duo authentication proxy? This is exactly the kind of hurdle we are trying to find a solution for.

 

Thanks.

alemabrahao
Kind of a big deal
Kind of a big deal

Maybe It can help:

 

https://duo.com/docs/azure-ca

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

Also, check It:

 

https://community.duo.com/t/meraki-vpn-azure/11093

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
WarrenG
Getting noticed

Thanks, I was able to figure out a solution using the links you provided. We decided to use Microsoft MFA instead of Duo MFA for this, but otherwise we got it working. Used the SAML based setup to authenticate the AnyConnect VPN connections via Azure AD. From there we used a conditional access policy to require MFA. Works like a champ!

Vik2022
New here

Hi WarrenG, I am setting up the same for one of my clients. Did you need to Azure P1 or P1 plan upgrades. Any links that helped you with the conguration would be great. 

WarrenG
Getting noticed

You don't need any particular license to be able to authenticate using SAML to Azure AD. However, to enable a conditional access policy to require MFA, you do need at least an Azure AD P1 license. Our users get that as part of the M365 Business Premium, so we did not need to purchase that separately. The link below helped me set up the SAML authentication part:

 

AnyConnect Azure AD SAML Configuration - Cisco Meraki

 

Then the conditional access policy to require MFA is also pretty straight forward once you have the license to enable it. In Azure AD, when you're inside the Cisco AnyConnect application that you configured in the previous step, you can click on the Conditional Access tab and it will then create a new policy that is limited in scope to the AnyConnect application only. Add your users and your conditions and you should be ready to test it out.

Vik2022
New here

Thanks WarrenG!

 

Did you have to contact cisco to enable SAML or did it yoursef?

 

 

WarrenG
Getting noticed

Yep, I had to contact Meraki support to enable the SAML for Anyconnect feature. Not sure why it isn't just enabled, but that is a step I had to do too.

AmyReyes
Community Manager
Community Manager

Hey @WarrenG, yup this should be possible using the docs in the Duo Community answer that @alemabrahao linked to! Both the Meraki Support and Duo Support teams should be able to assist you with troubleshooting if you run into any issues getting this set up.

 

You'll want to use Duo Single Sign-On for Generic SAML integrations. You will have to ask Meraki Support to enable SAML authentication for AnyConnect for you. Once that is done, you should be able to follow the instructions for how to set up authentication with Azure AD using SAML for AnyConnect VPN. Hope that helps!

WarrenG
Getting noticed

Thanks Amy, @alemabrahao's links did help point me in the right direction. Thanks for your help too.

KaylanSGray
New here

I got this working following your links - the instructions are long/detailed but easy to follow. Thanks for the resources!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels