Meraki

harmankardon · ‎May 29 2024

Hi all,

Looking to find out if there is anything new in the art of per-user access control for AnyConnect VPN, i.e. user groups or multiple IP pools etc... when using AnyConnect and Azure AD SAML auth.

In short, I'd like to apply a specific set of L3 firewall rules to some but not all AnyConnect users.

I know about the group policy method in which you wait till the user connects, find them in the Clients list and then apply the policy, but that is tedious and I believe has to be re-done if they age-out of the client list.

I also know there is a way of doing this using the Filter-Id attribute if you are using RADIUS auth, but nothing like that for SAML auth as far as I can tell.

jimmyt234 · ‎Jun 4 2024

There is a private beta for Azure SAML group policy matching based on responses from the IdP - email meraki-anyconnect-beta@cisco.com to request they enable the feature on your MX.

View solution in original post

alemabrahao · ‎Jun 3 2024

The only way is to use the filter-ID via Radius.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

jimmyt234 · ‎Jun 4 2024

There is a private beta for Azure SAML group policy matching based on responses from the IdP - email meraki-anyconnect-beta@cisco.com to request they enable the feature on your MX.

harmankardon · ‎Jun 10 2024

Interesting, this is the first I've heard of this, thanks for the heads up. Have you been using this beta feature and what are your thoughts on it?

jimmyt234 · ‎Jun 10 2024

Unfortunately I never got as far as trying it!

Meraki

Community

Multiple user groups or IP pools for AnyConnect using Azure AD SAML

Multiple user groups or IP pools for AnyConnect using Azure AD SAML