Multiple user groups or IP pools for AnyConnect using Azure AD SAML

Solved
harmankardon
Building a reputation

Hi all,


Looking to find out if there is anything new in the art of per-user access control for AnyConnect VPN, i.e. user groups or multiple IP pools etc... when using AnyConnect and Azure AD SAML auth.


In short, I'd like to apply a specific set of L3 firewall rules to some but not all AnyConnect users.


I know about the group policy method in which you wait till the user connects, find them in the Clients list and then apply the policy, but that is tedious and I believe has to be re-done if they age-out of the client list.


I also know there is a way of doing this using the Filter-Id attribute if you are using RADIUS auth, but nothing like that for SAML auth as far as I can tell.

1 Accepted Solution
jimmyt234
A model citizen

There is a private beta for Azure SAML group policy matching based on responses from the IdP - email meraki-anyconnect-beta@cisco.com to request they enable the feature on your MX.

4 Replies
alemabrahao
Kind of a big deal

The only way is to use the filter-ID via Radius.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
harmankardon
Building a reputation

Interesting, this is the first I've heard of this, thanks for the heads up. Have you been using this beta feature and what are your thoughts on it?

jimmyt234
A model citizen

Unfortunately I never got as far as trying it!
