Multiple user groups or IP pools for AnyConnect using Azure AD SAML

Solved
harmankardon
Building a reputation

Multiple user groups or IP pools for AnyConnect using Azure AD SAML

Hi all,

 

Looking to find out if there is anything new in the art of per-user access control for AnyConnect VPN, i.e. user groups or multiple IP pools etc... when using AnyConnect and Azure AD SAML auth.

 

In short, I'd like to apply a specific set of L3 firewall rules to some but not all AnyConnect users.

 

I know about the group policy method in which you wait till the user connects, find them in the Clients list and then apply the policy, but that is tedious and I believe has to be re-done if they age-out of the client list.

 

I also know there is a way of doing this using the Filter-Id attribute if you are using RADIUS auth, but nothing like that for SAML auth as far as I can tell.

1 Accepted Solution
jimmyt234
Building a reputation

There is a private beta for Azure SAML group policy matching based on responses from the IdP - email meraki-anyconnect-beta@cisco.com to request they enable the feature on your MX.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

The only way is to use the filter-ID via Radius.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
jimmyt234
Building a reputation

There is a private beta for Azure SAML group policy matching based on responses from the IdP - email meraki-anyconnect-beta@cisco.com to request they enable the feature on your MX.

harmankardon
Building a reputation

Interesting, this is the first I've heard of this, thanks for the heads up. Have you been using this beta feature and what are your thoughts on it?

jimmyt234
Building a reputation

Unfortunately I never got as far as trying it!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels