Meraki

Community

Users not receiving MFA prompt with AnyConnect

Solved
Dmas09
New here
‎Jun 8 2023 6:03 AM
‎Jun 8 2023 6:03 AM

Users not receiving MFA prompt with AnyConnect

Good morning,

 

We are currently in the process of adding Azure NPS MFA extension to our RADIUS servers and running into an issue with receiving 2FA prompts on end user devices.

 

Capture shows the RADIUS server is sending the 2FA prompt "Enter your Microsoft Verification Code" to the RADIUS client (the MX) but we aren't seeing it.

 

Azure MFA is set to default push notifications for test users.

 

I feel like I'm missing something simple here, any help would be greatly appreciated. Thanks.

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 8 2023 1:50 PM
‎Jun 8 2023 1:50 PM

First tip - don't use NPS with the MFA extension.  It tends to break regularly and is hard to debug.  Second problem, it only supports push notifications for MFA.  Very restrictive.

 

Instead, authenticate AnyConnect directly against Azure AD using SAML.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

View solution in original post

5 Replies 5
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Jun 8 2023 6:30 AM
‎Jun 8 2023 6:30 AM

Have you added Meraki Anyconnect to the Conditional Access Policy?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
Dmas09
New here
‎Jun 8 2023 6:37 AM
‎Jun 8 2023 6:37 AM

No Conditional Access policies are configured - tenant is using Security Defaults

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 8 2023 1:50 PM
‎Jun 8 2023 1:50 PM

First tip - don't use NPS with the MFA extension.  It tends to break regularly and is hard to debug.  Second problem, it only supports push notifications for MFA.  Very restrictive.

 

Instead, authenticate AnyConnect directly against Azure AD using SAML.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

In response to PhilipDAth
Dmas09
New here
‎Jun 8 2023 2:03 PM
‎Jun 8 2023 2:03 PM

This is the path we are taking. I've had a time with getting the NPS extension to half way function. Thanks to everyone for the feedback!

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 8 2023 1:51 PM
‎Jun 8 2023 1:51 PM

ps. You'll need to open a support case and ask support to turn on SAML for AnyConnect.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.