Cisco Anyconnect - SAML using OneLogin for MFA

SOLVED
JRMcGee
Here to help

We are using Cisco AnyConnect VPN client software to connect to our Meraki MX. Authentication Type is SAML using our IdP provider (OneLogin) for MFA.

Sometimes, after a user enters their credentials in Cisco AnyConnect, it goes to a white screen box after MFA authentication. The box will stay there about a minute and will error out. The error is "CSRF token verification failed".

This happens randomly to different users at different times, making it hard to replicate the issue. The rest of the time, we are able to connect without an issue.

Has anyone seen this issue before?

1 ACCEPTED SOLUTION

@coelmann

We downgraded our firmware to 16.16.6 on our MX. Since we have done that, we have not had any users experiencing the blank box after MFA on AnyConnect.


20 REPLIES
Ryan_Miles
Meraki Employee

I've had one report of this, but the customer has since rolled back to 16.x so we can't troubleshoot any further. It would be great if you can open a Support case on this so they can gather some data to send up to Eng if needed.

Hi Ryan,

We do have a case open with Meraki. We are still troubleshooting the issue. Just wanted to know if anyone else has seen this issue. Thank you.

coelmann
Conversationalist

This happens to us all the time. We had a case open with Meraki at one point, but I just gave up. The workaround we have found is to re-upload the SAML Metadata File.

Hi @coelmann,

Meraki support got back to me and instructed me to downgrade my MX to firmware 16.16.6.

My support agent told me that he has found related cases and this was the fix.

I am going to test it this weekend, hopefully all goes well.

coelmann
Conversationalist

Thanks @JRMcGee! We'll roll our firmware back and let you know how it goes.

@coelmann

Make sure it is 16.16.6, not 16.16.

I had to get Meraki support to do it for me, as it was not an option for me.

Thank you.

Hey JRM,

What firmware version did you downgrade from? Did you also have issues with users being prompted for username and password but no MFA? It would just connect automatically.

Hi @ontheroadoflife,

It was 17.x; I cannot remember the exact version number. No, I did not have issues with users being prompted for UN and password but no MFA. What is your Authentication Type set to?

Since we upgraded one of our MXs to 17.10.2, we've been having multiple VPN issues, such as the CSRF error and users being prompted for credentials with no MFA at random times.

We're using SAML against Azure.

We upgraded to 17.10.2 two weeks ago and we have seen issues with AnyConnect and SAML. I've seen the white box; it hangs for a minute and then the user is able to log in. Also, if a user selects to remain logged in, it loops back to the email login again. We didn't have this issue on 16.

Dudleydogg
A model citizen

I also have this blank box issue, but it's rare. The bigger issue is that previously we could sign into the VPN, disconnect and then reconnect, and it would just connect again. Now it not only prompts us each time, the username field is blank, so you have to type in the user and then select the MFA option. We noticed this a few weeks ago. I would prefer the browser to cache and use that token, but this feature seems to be lost. Anyone else notice this behavior?

You will need to contact Meraki support and ask them to disable the "forceauthn" option (set it to false) for SAML authentication.

Pathfinder89
New here

Any updates on whether a 17.x or 18.x firmware upgrade will address this CSRF issue?

WarrenG
Getting noticed

So we have a few clients with MX64 firewalls. Anyconnect functionality was not added until firmware version 17.10.2. So downgrading to 16.16.6 is not a solution for these firewalls. We also tried the beta 18.104 but the behavior is still the same (blank white windows as well as CSRF token validation errors). Seems like this feature is far from fully baked.

BobL
New here

I upgraded AnyConnect from 4.10.00093 to 4.10.06079 and that solved the problem for me.

Winter
Conversationalist

We found that even with the new AnyConnect client we'd still have users get stuck after the SAML login screens, typically the blank white page. To fix this, create an OUTBOUND rule in Windows Defender Firewall for wherever you have \Cisco AnyConnect Secure Mobility Client\acwebhelper.exe and set it to ALLOW.

WarrenG
Getting noticed

I tried this but still get the blank white screen for one of the users.

Winter
Conversationalist

We had to add vpnui.exe as well. However, we find that even after adding both of these, sometimes it fails again after initially being successful and the rules have to be removed and re-added. Clearly something else is going on here.
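The firewall workaround from the two posts above (outbound ALLOW rules for acwebhelper.exe and vpnui.exe), written out as an added PowerShell example that is not from the thread or from Cisco/Meraki. It assumes the default AnyConnect install directory under Program Files (x86) and must run from an elevated prompt; since the posts report that the rules sometimes have to be removed and re-added, the script recreates an existing rule rather than skipping it.

```powershell
# Added example (not from the thread): outbound allow rules in Windows Defender Firewall
# for the AnyConnect executables named in the posts above. Run elevated.
# $InstallDir is an assumption; adjust it if AnyConnect is installed elsewhere.
$InstallDir  = "${env:ProgramFiles(x86)}\Cisco\Cisco AnyConnect Secure Mobility Client"
$Executables = @("acwebhelper.exe", "vpnui.exe")

foreach ($exe in $Executables) {
    $path = Join-Path $InstallDir $exe
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path (check the install directory)"
        continue
    }

    $ruleName = "AnyConnect SAML - allow outbound $exe"

    # Posts above report rules that stop working until removed and re-added,
    # so drop any existing rule with this name before creating it again.
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $ruleName
    }

    # Scope the rule to the program path only: no protocol/port/profile restriction,
    # matching the plain OUTBOUND + ALLOW rule described in the thread.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Program $path `
        -Action Allow `
        -Profile Any `
        -Enabled True | Out-Null

    Write-Host "Created: $ruleName -> $path"
}

# Verify: show each rule together with the program it is bound to.
Get-NetFirewallRule -DisplayName "AnyConnect SAML - allow outbound *" |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        "{0}: {1} (Enabled={2}, Action={3})" -f $_.DisplayName, $app.Program, $_.Enabled, $_.Action
    }
```

If the blank page still appears after the rules exist, the verification output above at least confirms whether the rule is bound to the path AnyConnect actually runs from, which is the first thing to check before looking elsewhere.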
