Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Certificate Authentication for Anyconnect on MX

WC-Dalton
Comes here often
‎Jul 25 2024 5:35 AM
‎Jul 25 2024 5:35 AM

Certificate Authentication for Anyconnect on MX

Hello Meraki Community,

 

Currently our Anyconnect is setup for user authentication through our NPS RADIUS servers with Duo for 2FA. I want to lock it down so only domain devices can authenticate, so I believe certificate auth would be the best for this. I feel as if we tried every option and keep getting the error " Certificate Validation Failure " when connecting via Secure client. Has anybody successfully set this up? I would love some insight on the proper steps. 

Labels:
0 Kudos
Subscribe
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 25 2024 2:26 PM
‎Jul 25 2024 2:26 PM

Change to using SAML authentication directly against Duo.

https://duo.com/docs/sso-meraki-secure-client 

 

Then configure a Duo policy that requires Device Trust.  Tell it to trust all machines that are a member of your AD.

https://duo.com/docs/trusted-endpoints-adds

 

Roll out Duo Desktop to your machines.

https://duo.com/docs/duo-desktop

 

 

This is a far superior option to using RADIUS and NPS.

Subscribe
In response to PhilipDAth
WC-Dalton
Comes here often
‎Jul 26 2024 4:46 AM
‎Jul 26 2024 4:46 AM

Hello Phillip,

 

Thanks for the response but how is this a far superior option? 

0 Kudos
Subscribe
In response to WC-Dalton
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 26 2024 6:04 PM
‎Jul 26 2024 6:04 PM

It uses the Duo native SAML interface for the MFA. You can use push, verified push, TXT, phone call, FIDO2, Windows Hello, etc.  Anything you want to allow in your policy.

 

It allows Duo trust policies to be used.  Depending on your plan, you have have it check if antivirus is running, is the machine authorised, is it a member of AD or Intune, etc.

 

You can enable features Duo like inline password-reset for people's who password has expired.  This whole class of calls tot he help desk can be eliminated.

 

You can use actuall SSO - so once logged in via Duo, the user is automatically logged into every other app using Duo.

Subscribe
In response to PhilipDAth
WC-Dalton
Comes here often
‎Jul 29 2024 4:13 AM
‎Jul 29 2024 4:13 AM

Phill,

 

I appreciate your response. The NPS server needs to stay in place since its handling the group policy within Meraki via Filter-ID with the MX. Can I keep my current setup in place and just implement Duo desktop to check for AD membership? 

0 Kudos
Subscribe
In response to WC-Dalton
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 29 2024 4:22 AM
‎Jul 29 2024 4:22 AM

You can do the same thing by enabling SAML group policy.  With this your Idp pushes the meraki group poicy to apply.

 

PhilipDAth_0-1722252156501.png

>Can I keep my current setup in place and just implement Duo desktop to check for AD membership? 

 

No.

0 Kudos
Subscribe
In response to PhilipDAth
WC-Dalton
Comes here often
‎Jul 29 2024 4:32 AM
‎Jul 29 2024 4:32 AM

Where do you find the SAML attribute Policies ? Is that within Duo or the Meraki Dashboard? 

0 Kudos
Subscribe
In response to WC-Dalton
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 29 2024 5:51 AM
‎Jul 29 2024 5:51 AM

The above screenshot was from Meraki.  You'll need to open a support case and request AnyConnect SAML Group policies to be enabled.

 

In Duo, you tell it to present the extra attribute like below.

PhilipDAth_0-1722257434534.png

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.