Users not receiving MFA prompt with AnyConnect

SOLVED
Dmas09
New here

Users not receiving MFA prompt with AnyConnect

Good morning,

 

We are currently in the process of adding Azure NPS MFA extension to our RADIUS servers and running into an issue with receiving 2FA prompts on end user devices.

 

Capture shows the RADIUS server is sending the 2FA prompt "Enter your Microsoft Verification Code" to the RADIUS client (the MX) but we aren't seeing it.

 

Azure MFA is set to default push notifications for test users.

 

I feel like I'm missing something simple here, any help would be greatly appreciated. Thanks.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

First tip - don't use NPS with the MFA extension.  It tends to break regularly and is hard to debug.  Second problem, it only supports push notifications for MFA.  Very restrictive.

 

Instead, authenticate AnyConnect directly against Azure AD using SAML.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

View solution in original post

5 REPLIES 5
rhbirkelund
Kind of a big deal

Have you added Meraki Anyconnect to the Conditional Access Policy?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code is provided as is. Responsibility for Code execution is solely your own.

No Conditional Access policies are configured - tenant is using Security Defaults

PhilipDAth
Kind of a big deal
Kind of a big deal

First tip - don't use NPS with the MFA extension.  It tends to break regularly and is hard to debug.  Second problem, it only supports push notifications for MFA.  Very restrictive.

 

Instead, authenticate AnyConnect directly against Azure AD using SAML.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

This is the path we are taking. I've had a time with getting the NPS extension to half way function. Thanks to everyone for the feedback!

PhilipDAth
Kind of a big deal
Kind of a big deal

ps. You'll need to open a support case and ask support to turn on SAML for AnyConnect.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels