Client VPN authentication in Azure Domain Services / Microsoft Entra ID

NotANetworkGuy
Conversationalist


Hi;
I've been working on this all week to figure it out, but no success until now; help is appreciated.

Objective: set up a client VPN where the end user can authenticate with their Microsoft Entra ID credentials.

Current Config:

- no vMX
- Azure Domain Services serving RADIUS queries for 802.1X - Meraki is able to reach it using a public IP.

Attempts:

Authentication with RADIUS - Failure -

    Client side message:

        "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted in the remote server"

    NPS side log:

        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
        Authentication Type: PAP
        Calling Station Identifier: CLIENTVPN

Authentication with Active Directory - Failure -

    Can't use a public IP - not sure if there's any workaround other than setting up a vMX in Azure.

Authentication using AnyConnect - using RADIUS with PAP or AD, same situation as above.

Authentication using the AnyConnect app for Microsoft Entra ID - no longer exists.

I'm currently lost on how to work around this with no extra expense.
Mloraditch
Kind of a big deal

If you are licensed for AnyConnect why not just use SAML?

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...
NotANetworkGuy
Conversationalist

Hi;
Thanks for the interest, but I did try that avenue; the only app I was able to find was "Cisco Secure Firewall - Secure Client (formerly AnyConnect) authentication", and following the old tutorial does not work.

Also, I was not able to translate the Meraki configuration into the data this app requires:

    Identifier (Entity ID): https://*.YourCiscoServer.com/saml/sp/metadata/TGTGroup

    Reply URL (Assertion Consumer Service URL): https://YOUR_CISCO_ANYCONNECT_FQDN/+CSCOE+/SAML/SP/ACS

PhilipDAth
Kind of a big deal
NotANetworkGuy
Conversationalist

[image: anyconnect.png]
