Meraki AnyConnect + ADFS OnPrem SAML authentication guide

RomanMD
Building a reputation

Hi everyone,

Recently I had the need to configure Meraki AnyConnect for a proof-of-concept project and I ran into some Merakian issues. So, this post is meant to help others if they encounter the same problems.

Let's start with the requirements:

The main requirement was that users should authenticate with SAML, so that we can leverage 2FA. However, our SAML IdP is on-prem Active Directory Federation Services.

The problem:

Meraki does not have any specific guide on how to configure the SAML Authentication with ADFS. 👎

I went ahead and asked my ADFS team to configure the IdP as close as possible to what was described in the guide for Azure AD SAML configuration. However, this did not work properly. 😢

The user was prompted with the Authentication window to enter the username, password and the OTP, but then the AnyConnect client returned some errors 🤬:

[screenshot of the AnyConnect error]

I did not know why it wasn't working, because I have no access😤 to our ADFS environment. The AnyConnect troubleshooting guide and the error from the Event log both said to contact Meraki support, therefore I decided to engage Meraki support 🫡.

After a few ping-pongs 😴 with the support, I was very "surprised" 🤨 to hear that ADFS is not supported as an Identity provider for AnyConnect. This was the message from the development team which was relayed to me by the support engineer. But it was just another nonsense🖕 from the Meraki guys, since ADFS and Azure AD would both use SAML 2.0 SSO which, by the way, the Meraki documentation says is supported.

[screenshot of the Meraki documentation]

I've decided not to rely on support anymore and go forward with my own testing 🥸💪. I spun up my own AD + ADFS lab environment and figured out the settings.

Spoiler: Btw, it was a piece of cake to make it work. 🫢🥳

So, here we go:

For this tutorial we will assume the network dynamic DNS is your-network-name.dynamic-m.com; however, for a production environment a custom DNS is recommended.

In the Meraki AnyConnect settings we have to configure the following:

1. Upload ADFS Metadata XML file.

2. Configure the AnyConnect server URL: this is basically the network Hostname. You should add the port at the end, if you're not using port 443 for AnyConnect.

[Dashboard screenshot]

[Dashboard screenshot]

This is all that has to be configured in the Dashboard. 🤪

The next part is to configure a new Relying Party trust on ADFS as follows (only significant settings will be shown):

[Relying Party trust screenshot]

[Relying Party trust screenshot]

The Claims should be configured as follows:

[Claims configuration screenshot]

These are the basic settings that should be configured for the authentication to work. All other settings are either default or according to your needs.🙃

Keep in mind that Meraki does not check any ADFS claim in order to allow or deny access; therefore, if one has the need to only allow a set of users based on an AD Security Group, this should be configured on the ADFS side.
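As an added example that is not part of the original post, the Relying Party trust above and the group restriction just mentioned expressed with the ADFS PowerShell module. The Entity ID, ACS URL and group SID are placeholders (the real Entity ID and ACS URL are assumed to come from the Dashboard AnyConnect settings page), and the UPN-as-NameID claim rule is an assumption, since the claims screenshot is not reproduced here.

```powershell
# Added example (not from the original post): build the Relying Party trust for
# Meraki AnyConnect with the ADFS PowerShell module and limit it to one AD group.
# ADFS on Windows Server 2016 or later is assumed. Run on the primary ADFS server.
Import-Module ADFS

$rpName = "Meraki AnyConnect"
# Placeholders: take the real Entity ID and ACS (Reply) URL from the Dashboard
# AnyConnect settings page; include the port if AnyConnect is not on 443.
$spEntityId = "https://your-network-name.dynamic-m.com/REPLACE-WITH-ENTITY-ID"
$acsUrl     = "https://your-network-name.dynamic-m.com/REPLACE-WITH-ACS-PATH"
# Placeholder: SID of the AD security group that is allowed to use the VPN.
$vpnGroupSid = "S-1-5-21-REPLACE-WITH-GROUP-SID"

# Assumed claim rule: send the user's UPN as the SAML NameID so that AnyConnect
# gets a username. Adjust it to match the claims shown in the author's screenshot.
$transformRules = @'
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule: only members of the VPN group get a token. Meraki accepts
# any successful SAML response, so ADFS is the place to enforce membership.
$authzRules = @"
@RuleName = "Permit only the VPN security group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$vpnGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SP endpoint: the SAML response is posted to the ACS URL (HTTP-POST binding).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $spEntityId -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules

# ADFS 2016+ may have an access control policy attached to the trust; clear it
# so that the custom issuance authorization rules above decide who gets in.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Quick check: the trust should show no policy and the single authorization rule.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceAuthorizationRules
```

Users outside the group will still pass the ADFS login and OTP prompts but receive an access-denied page from ADFS instead of a SAML assertion, which is the behaviour to look for when testing the restriction.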

Hopefully, Meraki will put up a nicer guide on how to configure the AnyConnect SAML authentication with ADFS 🤞😈.

3 Replies
CptnCrnch
Kind of a big deal

Big fat thank you for taking the effort and documenting this!

PhilipDAth
Kind of a big deal

Awesome guide!

PS. Join the tidal wave and get rid of ADFS. 🙂

RomanMD
Building a reputation

In a hell of an enterprise this is not easily doable. That's the long-term goal, but not for the near future.
