Meraki

Community

About CloudViking86

Re: AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by in Security & SD-WAN
‎Mar 14 2022 4:05 AM
‎Mar 14 2022 4:05 AM
Thanks for your reply. As I wrote in a reply to Phillip we already have AzureMFA included and don't pay any additional cost to use it and it makes administration easier and easier for the end-user. Thanks for the suggestion though! ... View more

Re: AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by in Security & SD-WAN
‎Mar 14 2022 4:02 AM
‎Mar 14 2022 4:02 AM
Thank you (once again) for a helpful reply.   I really don't understand why my user seems to fulfill the MFA-requirement, checking the Conditional Access Sign-In Logs and searching for the correlation ID which I got when looking into my "Success"-event;     Activity Details: Sign-ins > Basic Info Additional Details MFA requirement satisfied by claim in the token Activity Details: Sign-ins > Conditional Access Policy Name: Not applicable Activity Details: Sign-ins > Report Only Enforce MFA (Cisco AnyConnect) Require multi-factor authentication Session Control: <blank> Report-only: Success     So I get that if I had a session control on that conditional access policy it could have been satisified when logging into other O365-services but in this case that isn't configured and no other conditional access policies are applied. AzureMFA is also included in our user's licenses so we don't pay anything extra to use AzureMFA since the user's have a license that cover that for other infrastructure needs (Intune etc.).   Weird.   The thing is that we basically don't want another MFA-service. It makes it harder for the end-users to use another app then Microsoft Authenticator and its another thing to administer.   We could go the NPS-route and install the AzureMFA-addon but that would introduce the following problems: * The AzureMFA NPS-addon forces ALL RADIUS-clients to use MFA * RADIUS-servers are shared between IPSec-VPN and AnyConnect VPN meaning that I can't route AnyConnect to specific NPS / RADIUS-servers ... View more

AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

by in Security & SD-WAN
‎Mar 11 2022 6:51 AM
‎Mar 11 2022 6:51 AM
Hello,   I know that you can use RADIUS-authentication and install the NPS-addon for Azure MFA to get MFA however I am wondering if this is also possible when using SAML-authentication to AzureAD and then scoping the Cisco AnyConnect Enterprise App in a Conditional Access policy (which requires MFA)? I've tried getting it to work, i.e.: * Created a policy that scopes both my user and the Cisco AnyConnect enterprise application ** The policy has: Grant: Require multi-factor authentication   When I check the "Insights & Reporting"-log and filter for that policy and the Cisco AnyConnect enterprise app I can see that the policy applies to my user (I can see my sign-in attempt) but my user is in the "Not applied"-category.   I tried creating a dedicated conditional access policy for AnyConnect (since the one I mentioned before has an additional parameter - session control) and with the dedicated policy my user was in the "Success" category. Now I might be tired but I was expecting my user to be in the "User action required"-category (see below) since if the policy was enabled (it's currently in "report only"-mode) I would have needed to authenticate using my AzureMFA.   Conditional Access; Success: Number of users where the selected polic(ies) granted access and the required controls were satisifed Failure: Number of users where the selected polic(ies) denied access and the required controls were not satisfied User action required: Number of users where the selected report-only policy applied but user action (e.g. MFA or Terms of Use) would be required if the policy were enabled. Not applied: Number of users that are bypassing the selected polic(ies) because the sign-in did not match at least one of the assignments or conditions.   Now have I completely misunderstood "Require multi-factor authentication"; Does it actually prompt for MFA or does it simply require that the user has a MFA setup / is enrolled into MFA? If its the former then I don't understand how my login can be "Sucess" since it should have been "User action required" IF it isn't like this: Having Azure MFA on various services I might have already within some magic hidden timeframe  satisfied that requirement i.e. I have authenticated with another service which requires Azure MFA. If it is the latter then I get that my login is a "Success" since my account is enrolled into MFA.   Microsofts documentation about the "grant" - "Require multi-factor authentication"; Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs Sorry for the long post! Best Regards - Karl, Sweden ... View more

Re: VPN DNS - Host name, Not FQDN

by in Security & SD-WAN
‎Mar 22 2021 9:14 AM
‎Mar 22 2021 9:14 AM
Hello,   In the same situation here; * I can specify the DNS-servers for the VPN-adapter (Meraki VPN) which would overwrite the default DNS-server specified in Meraki (such as Google) to resolve FQDN however resolving shortnames such as "mycomputer" as opposed to "mycomputer.ad.mydomain.com" fails since you can't append DNS-suffixes since it is greyed out. You can specify a WINS-server in the VPN-settings; https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Resolving_NetBIOS_names_over_Client_VPN however I fail to see how that would solve that the client knows which domain to append to the shortname i.e. to append "ad.mydomain.com" to "computer1"? Unless its inferred when specifying a WINS-server (i.e. use the domain that the WINS-server belongs to)?  ... View more
© 2025 Cisco Systems, Inc.