The feature I am most interested in is Adaptive Policy. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_Overview  ... View more

Thanks PhilipDAth. If the answer to my question is no, then that's what I was looking for. I know about the other options, but they are not viable for what I'm needing in this specific case. ... View more

I'm going to suggest a completely different method - zero-trust based.   Use a SAML provider such as Cisco Duo or AzureAD/Entra. https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard    From here you can provide lots of restrictions.  For example, you can say that only FIDO2 authentication is acceptable (such as Yubikey).  This is the gold standard at the moment because FIDO2 is phishing-resistant.  You can also choose to use medium-strength MFA with push notifications. Please don't use low strength TXT based authentication.  🙂   If you use Intune with AzureAD and have an Azure AD P1 licence or better, you can create a conditional access policy to say access is only allowed from AzureAD joined computers. If you don't have these licences then Cisco Duo is cheaper.  You can stay only allow access from "trusted endpoints". https://duo.com/docs/trusted-endpoints    If money is no object, I would hands down go with Cisco Duo.  It is usually cheaper as well.  It is very flexible and much easier to drive and manage.   Then you have full ZTNA.  You can access from anywhere, but completely tied down. ... View more

I deployed AnyConnect 5.0.05040 to everyone in my org and updated our MX to 18.107.2. I can confirm the "CSRF token verification failed" issue is no longer present in our environment. Looks like they finally fixed it! ... View more

A low comment says they were able to configure this, but did not test it. ... View more

I got this working following your links - the instructions are long/detailed but easy to follow. Thanks for the resources! ... View more

First let's address the whole concept of SAML and SSO - SSO stands for "single-sign-on".  That means you only need to sign into one system to be signed into every system.  It's the entire premise of using a SSO. I would encourage you to think about the point of using a SSO and then trying to disable SSO.  It's just not quite right ... and you can see why it might be hard to make it do something it was specifically to solve.   Having said that - you can create a condition access policy and specify a session limit.  Alas in Azure the minimum session limit is 1 hour, but this would at least meant AnyConnect sessions more than 1 hour apart would always require a full authentication again.   With nicer SAML providers like Cisco Duo - this is simple a "radio button" style option.     ... View more

SAML support is available, but you need to call Meraki support to have them enable it for the client VPN. That allows you to Auth straight to Duo, Okta, AzureAD, etc, without the RADIUS server.   https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication   I'm still not sure of what kind of policy control you'd be able to apply, though. ... View more

Thanks Bo_Tang, this actually worked! I didn't think it would as the client VPN has it's own different subnet. But hey I'll take the W!   Thanks again! ... View more

So it is. Thanks. ... View more

thanks a lot big Bro ... View more

Another +1 from May 2022, after creating a bunch of policy objects as well.    2 Years in Beta for something that almost every competing firewall has had for years...? ... View more

@WarrenG did you manage to find a workaround? i'm in the same dilemma - blocked access to/from china and need to allow one domain... ... View more

Thanks @Paul_H, I'm going to try Philips method first and will come back to this if I can't get that working. Thanks again! ... View more

@WarrenG no offence taken, I was merely explaining the confusion 🙂 ... View more

Nolan,   Will the Network Objects be limited to only Access Rules? I am dying for it to be available in the port forwarding rules section too. Have a large number of inbound client connections that I need to allow ideally based on FQDN.   Thanks, Warren ... View more

Are you using Server 2012 R2 or something newer? I ask because I had a similar issue getting this to work using a Server 2019 server. That's until I found that Server 2019 has a bug that prevents NPS from working correctly. See if this might be useful at all in your particular situation:   https://www.risual.com/2019/03/windows-2019-server-nps-bug/ ... View more

@WarrenG How did you get on ?   ... View more

Unfortunately that does not appear to work ... View more

Thanks all, much appreciate the feedback. I think we have decided to just use CAT6 for these switches instead of fiber. ... View more

+1 for what @PhilipDAth said.  RADIUS would be your easiest route.  You can add NPS to a windows server and configure 802.1x to send authorized devices to a trusted VLAN and non authorized devices to a guest VLAN on the Meraki side.  ... View more