Radius challenge not supported on anyconnect

SupaStud1994
Just browsing

Radius challenge not supported on anyconnect

Why is radius challenge not supported for anyconnect client VPN? We do not have the option for using SAML authentication due to different users on different domains. I am hoping that there is some resolution to this on future implementations as this was a completely supported on ASA's. Right now we are utilizing push notifications and are known to be inherintly less secure than OTP.

 

 

5 Replies 5
GIdenJoe
Kind of a big deal
Kind of a big deal

The anyconnect function on the MX is a subset of the entire suite that you can find on an ASA/FTD device.  Same is true for multiple tunnel-groups.  This is stated thusly in the documentation and should be taken into account when choosing your deployment.

The OTP not being supported is rather an issue of the Microsoft NPS server which I believe you are using.

 

There is also a use case of having MX'es used as SD-WAN devices while having a fully featured FTD on a central location that can also serve as a client VPN target.

Ooof. I hate that this is accurate. We utilize the Azure MFA with NPS extension that works really well for our use case but trying to stay up to standard with MFA is challenging. We dont have a central VPN location and have multiple locations so the cost value of using a separate FTD does not fit our use case. I am wondering why the AnyConnect implementation is not as full featured as the FTD? I am trying to keep everything meraki but our company is starting to leverage fortigate and that breeds a new group of problems. The FTDs having to have a complementing server is just not a good solution for a multiple remote site company as we have the costs would completely remove that as an option.

I hear you.  I believe alas this falls under the feature request button but doubtful this will be implemented since they are more and more going full cloud.  It also took them a few years to actually implement the Anyconnect features we have so far.  It used to be only l2tp/IPsec.

According to a private beta screenshot provided by Philip there will be SAML support with group policies in the future.  And also the SASE solution has Anyconnect integration and I believe that is also fully in the SAML or Cloud idP camp without radius.

Do you know if there is an active feature request? I found that group hard to query to know if its been requested. 

SAML with group polices is a huge help though. I have more customers wanting this solution. We need the group policies (especially in radius) as this is how we secure our VPN access for vendors. Thank you for your quick responses today. Been managing meraki devices for about 7 years now and never used the forums.

For that you need to talk to a account manager or someone within Cisco Meraki.

For the group policies you could also ask if you want to be included in that private beta if you have a testing network of course or an adventurous client 😉

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels