Community Record: 61 Posts, 11 Kudos, 0 Solutions
Jan 18 2025
1:33 PM
Yep, we use the two-factor authentication that's built into Microsoft 365. You should have MFA enabled for all your users already, but you can also add it as a specific requirement for the VPN connections via a conditional access policy that targets the VPN application that you will create in Entra.
Jan 18 2025
8:11 AM
2 Kudos
The link below should be helpful if that's the way you plan to go. It's pretty slick once you have it up and running 👍 https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration
Jan 18 2025
7:20 AM
No, we ended up going with what I think was a better option for us, i.e. authenticating against Microsoft 365 user accounts instead of Meraki cloud user accounts. The benefit of this option is that we can leverage Microsoft's built-in MFA as opposed to needing a separate third-party option like Duo.
May 16 2024
8:05 AM
Thanks for that. Any idea what additional functionality the advanced license will cover?
May 16 2024
8:04 AM
Thanks for that - still not very intuitive on Meraki's part, but at least I think I get it now 👍
May 15 2024
7:35 PM
For the life of me I can't figure this one out. Looking to purchase an MS130-24P switch and trying to figure out what license I need to purchase to go with it. The CCW portal has two possible options, but neither of them seems to be a perfect fit: LIC-MS130-CMPT-3Y and LIC-MS130-24-3Y. I have no idea what the CMPT license is or why I might need it. Google seemed equally stumped by that one. The second one listed above appears to have the "24" designation but there is no "24P" option anywhere to be found, which is what I need. What gives, Meraki, and why is this so confusing?
Mar 13 2024
12:39 PM
2 Kudos
Thanks PhilipDAth. If the answer to my question is no, then that's what I was looking for. I know about the other options, but they are not viable for what I'm needing in this specific case.
Mar 13 2024
10:38 AM
So the answer is no then?
Mar 13 2024
10:27 AM
Is it possible to use Duo to require MFA for Meraki Cloud Authenticated users while using Meraki Client VPN? Specifically we need to use the AnyConnect option with Meraki Cloud Authenticated users, but need to be able to protect that connection further with MFA. Is this scenario possible?
Jan 19 2024
3:32 PM
Okay thanks, I will look into these options a little further. Appreciate the input on this!
Jan 19 2024
2:40 PM
This will be for multiple techs on our team, and it is intended to be a long term solution. Thanks!
Jan 19 2024
1:26 PM
So with all the power and Internet outages we've had recently due to weather, we have identified our own office Internet connection as a potential single point of failure. We have all our clients' Meraki dashboard portals locked down to only be available from our own static IP address. Other portals we use are also locked down by IP address only. So we need to add some redundancy so that if our Internet connection goes down, we can still support our clients by accessing our tools from another IP address. I have looked into setting up a vMX in Azure, but it appears that you cannot assign a static IP address to it as that's a limitation on the Azure side. Not sure if that's accurate or not, just what I have read. If there was a way to allow access to our clients' dashboards based on FQDN then I could create a DNS record to point to my home Internet IP address, but it seems Meraki doesn't allow that? What are some other simple options that we could implement to add this redundancy? Would prefer to stay in the Microsoft and/or Meraki family rather than add another third-party solution. Any ideas?
May 9 2023
11:25 AM
1 Kudo
Has there been any progress on this in the last 5 years? We just got a new fiber connection installed for one of our clients, and they only provided a /31 static IP block. Any idea if this configuration is now supported?
Mar 30 2023
9:12 AM
I haven't been able to test/prove that this is the issue yet, but I have noticed that any clients that do have connection issues are all configured to use a non-standard SSL port number for AnyConnect. For example, they might be using 4443 instead of 443. Not sure if that non-standard SSL port number might be something that the ISP of the remote user is interrogating a little more aggressively because it's non-standard?
Mar 22 2023
7:49 AM
Thanks for this! I was banging my head trying to figure out which browser AnyConnect was using for that pop-up window, thinking it was using one of the installed browsers. Great to know it's not, and which folder to clear to empty the cache. Will give this a spin here today to see if it works 👍
Mar 16 2023
10:45 PM
So we have set up AnyConnect to authenticate via SAML with Azure AD for client VPN authentication. We asked the Meraki support to turn off the force authentication option because it makes the users have to type in their full email address and password every time they connect to VPN. However with that turned off, many users are never prompted for their username, password or MFA if they are signed into Office 365 on their computers. What we would like is for the users to not be prompted for their username or password, but still get prompted for their MFA each time they connect. Is this behavior possible to enable either from the Meraki side or from the Azure AD side?
Jan 23 2023
12:55 PM
I tried this but still get the blank white screen for one of the users
Dec 22 2022
5:20 PM
Thanks Bo_Tang, this actually worked! I didn't think it would as the client VPN has its own different subnet. But hey I'll take the W! Thanks again!
Dec 22 2022
4:43 PM
We are trying to reach a system on our internal network that will only accept connections from an internal IP address on the same subnet. Is there a way to make the Meraki firewall present a connection request from outside the network as if it's coming from an internal IP address?
Dec 16 2022
12:43 PM
So we have a few clients with MX64 firewalls. AnyConnect functionality was not added until firmware version 17.10.2. So downgrading to 16.16.6 is not a solution for these firewalls. We also tried the beta 18.104 but the behavior is still the same (blank white windows as well as CSRF token validation errors). Seems like this feature is far from fully baked.
Dec 14 2022
9:16 AM
1 Kudo
You will need to contact Meraki support and ask them to disable the "forceauthn" option (set it to false) for SAML authentication.
Nov 16 2022
4:27 PM
Yep, I had to contact Meraki support to enable the SAML for AnyConnect feature. Not sure why it isn't just enabled, but that is a step I had to do too.
Nov 15 2022
7:06 PM
You don't need any particular license to be able to authenticate using SAML to Azure AD. However, to enable a conditional access policy to require MFA, you do need at least an Azure AD P1 license. Our users get that as part of the M365 Business Premium, so we did not need to purchase that separately. The link below helped me set up the SAML authentication part: AnyConnect Azure AD SAML Configuration - Cisco Meraki. Then the conditional access policy to require MFA is also pretty straightforward once you have the license to enable it. In Azure AD, when you're inside the Cisco AnyConnect application that you configured in the previous step, you can click on the Conditional Access tab and it will then create a new policy that is limited in scope to the AnyConnect application only. Add your users and your conditions and you should be ready to test it out.
Nov 7 2022
5:43 PM
Thanks Amy, @alemabrahao's links did help point me in the right direction. Thanks for your help too.
Nov 7 2022
5:40 PM
Thanks, I was able to figure out a solution using the links you provided. We decided to use Microsoft MFA instead of Duo MFA for this, but otherwise we got it working. Used the SAML based setup to authenticate the AnyConnect VPN connections via Azure AD. From there we used a conditional access policy to require MFA. Works like a champ!