Recently I had the need to configure Meraki AnyConnect for a proof-of-concept project and I ran into some Merakian issues. So, this post is meant to help others if they encounter the same problems.
Let's start with the requirements:
The main requirement was that users should authenticate with SAML, so that we can leverage 2FA. However, our SAML IdP is on-prem Active Directory Federation Services.
The problem:
Meraki does not have any specific guide on how to configure the SAML Authentication with ADFS. 👎
I went ahead and asked my ADFS team to configure the IdP as close as possible to what was described in the guide for Azure AD SAML configuration. However, this did not work properly. 😢
The user was prompted with the authentication window to enter the username, password and the OTP, but then the AnyConnect client returned some errors🤬:
I did not know why it wasn't working, because I have no access😤 to our ADFS environment. According to the AnyConnect troubleshooting guide and the error from the Event log, it said to contact Meraki support, therefore I decided to engage Meraki support 🫡.
After a few ping-pongs 😴 with the support, I was very "surprised" 🤨 to hear that ADFS is not supported as an identity provider for AnyConnect. This was the message from the development team which was relayed by the support engineer to me. But it was just another nonsense🖕 from the Meraki guys, since ADFS or Azure AD would both use SAML 2.0 SSO which, by the way, the Meraki documentation says is supported.
I've decided not to rely on support anymore and go forward with my own testing 🥸💪. I spun up my own AD + ADFS lab environment and figured out the settings.
For this tutorial we will assume the network's dynamic DNS hostname is your-network-name.dynamic-m.com; however, for a production environment a custom DNS name is recommended.
In the Meraki Anyconnect setting we have to configure the following:
1. Upload ADFS Metadata XML file.
2. Configure the AnyConnect server URL: this is basically the network hostname. Add the port at the end if you're not using port 443 for AnyConnect.
This is all that has to be configured in the Dashboard. 🤪
The next part is to configure a new Relying Party trust on ADFS as follows (only the significant settings are shown):
The claims should be configured as follows:
These are the basic settings that should be configured for the authentication to work. All other settings are either default or according to your needs.🙃
Keep in mind, Meraki does not check any ADFS claim in order to allow or deny access; therefore, if one has the need to only allow a set of users based on an AD security group, this should be configured on the ADFS side.
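The Relying Party trust, the claim rules and the group restriction above can be created in one go with the ADFS PowerShell module instead of clicking through the wizard. The following is an added example written for this post, not configuration taken from Meraki or from the original author. It assumes the hostname used in this tutorial on port 443; the Identifier (Entity ID) and Assertion Consumer Service paths are placeholders that you must replace with the values Meraki publishes for your network, the AD group name is hypothetical, and UPN as the Name ID is a choice, not something this post prescribes.

```powershell
# Added example (not from the original post): create the ADFS Relying Party trust
# for Meraki AnyConnect and restrict it to one AD security group.
# Run on the primary ADFS server with ADFS administrator rights.
# ASSUMPTIONS: hostname/port as in the tutorial; Identifier and ACS paths are
# placeholders; 'VPN-AnyConnect-Users' is a hypothetical group; UPN as Name ID.

Import-Module ADFS
Import-Module ActiveDirectory

$Hostname   = 'your-network-name.dynamic-m.com'
$Port       = 443
$Identifier = "https://${Hostname}:${Port}/REPLACE-WITH-MERAKI-ENTITY-ID"
$AcsUrl     = "https://${Hostname}:${Port}/REPLACE-WITH-MERAKI-ACS-PATH"
$GroupName  = 'VPN-AnyConnect-Users'   # hypothetical AD security group

# ADFS authorization rules match on the group SID, not on the group name.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 1) Issuance transform rules: read the UPN from AD and send it as the SAML Name ID.
#    AnyConnect uses the Name ID as the VPN username.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# 2) Issuance authorization rule: Meraki accepts any assertion ADFS signs, so the
#    "only this group" decision must be made here. A user without the group SID
#    receives no permit claim and ADFS refuses to issue a token.
$AuthzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of $GroupName only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$GroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# 3) Additional authentication rule: require MFA on every login to this trust
#    (assumes an MFA provider is already registered and enabled in ADFS).
$MfaRules = @'
c:[] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# The Meraki side receives the SAML response via HTTP-POST at the ACS URL.
$AcsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Meraki AnyConnect' `
    -Identifier $Identifier `
    -SamlEndpoint $AcsEndpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -AdditionalAuthenticationRules $MfaRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Check what was stored: identifier, ACS endpoint, and that the group rule is in place.
Get-AdfsRelyingPartyTrust -Name 'Meraki AnyConnect' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

The metadata file that step 1 in the Dashboard asks for is the one ADFS serves at the standard path https://<your-adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml; it contains the token-signing certificate Meraki will verify assertions against, so after an ADFS certificate rollover the file has to be uploaded again or logins will start failing with the same kind of client error described above.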
Hopefully, Meraki will put up a nicer guide on how to configure the AnyConnect SAML authentication with ADFS 🤞😈.