Meraki

Community

Cisco Secure Client (AnyConnect) VPN, and authentication using Microsoft Entra & MFA using DUO

NssAnderson
Comes here often
‎Oct 15 2024 8:21 AM
‎Oct 15 2024 8:21 AM

Cisco Secure Client (AnyConnect) VPN, and authentication using Microsoft Entra & MFA using DUO

We have two Cisco Meraki networks under the same organization, each in a different physical location: one is our main HQ, and the other is our Corporate failover site. For remote access, we use Cisco Secure Client (AnyConnect) VPN, and authentication is handled through Microsoft Entra (Azure AD), with multi-factor authentication (MFA) via Duo.

 

We're now working on configuring the AnyConnect VPN for the Corporate failover site to use the same authentication method—Microsoft Entra with Duo MFA. However, we're running into an issue in Duo: it only allows adding one SAML identity provider. When I attempt to create a separate Enterprise Application in Microsoft Entra for the failover site, it asks for the Identifier (Entity ID) from the Duo SAML configuration.

 

The problem is that the Entity ID needs to be unique across all Enterprise Applications, but it's already being used in the application for our main HQ Cisco AnyConnect setup.

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 16 2024 3:24 AM
‎Oct 16 2024 3:24 AM

I'm confused by your description.

 

Typically when you use AnyConnect SAML with Duo to only point it at Duo.  In this case you would create two applications in Duo, one for each MX.

 

Typically when you use AnyConnect SAML with Entra ID you point it at Entra ID.  You might use a conditional access policy to invoke Duo.  In this case you would create two applications in Entra ID, one for each MX.

 

I guess you could be using Duo federated to Entra ID - but then you would normally only be configuring Cisco AnyConnect in Duo, and haze zero config in Entra ID.

 

No matter what, you will always need two applications configured, one for each MX.

0 Kudos
PaulF
Meraki Employee
Meraki Employee
‎Oct 16 2024 5:32 AM
‎Oct 16 2024 5:32 AM

Yes. A problem in azure. A painful problem. A problem that I've not solved. The *only* way around this is:

 

Screenshot 2024-10-16 at 16.28.45.png

 

You create a single SAML application, and then have each of your Meraki instances within it. The blacked out area of the image above are unique URIs within Meraki

 

What I *think* you're looking for is for Meraki to support unique Entity IDs. I'll feed this back, but can't make any promises

NssAnderson
Comes here often
‎Oct 17 2024 6:08 AM
‎Oct 17 2024 6:08 AM

Thank you Paul and Phil

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.