Cisco Meraki Anyconnect

| Posted on by



AnyConnect supports authentication with either RADIUS, Active Directory, or Meraki Cloud. For more details on AnyConnect configuration, refer to the AnyConnect configuration guide.

Cisco AnyConnect Secure Mobility Client v4.x AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.10 08-Apr-2021 AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.9 12-Oct-2020. Cisco Meraki support says that because there is 'latency' to 8.8.8.8, that the Internet Connection is the source of our problems. I know that Google limits ICMP traffic and I told the call center support that this was not the issue - saying that, I do not lose consistent pings to Google DNS or other tested sites from a workstation hard-wired.

Anyconnect

Note: Systems Manager with Sentry is not supported with AnyConnect.
Note: SAML authentication is not supported at this time.

Meraki Cloud Authentication


Note: IPsec must be enabled and users must be authorized on the IPsec settings tab.
Use this option if an Active Directory or RADIUS server is not available, or if VPN users should be managed via the Meraki Cloud. To add or remove users, use the User Management section at the bottom of the page. Add a user by clicking 'Add new user' and entering the following information:

  • Name: Enter the user's name.

  • Email: Enter the user's email address.

  • Password: Enter a password for the user or click 'Generate' to automatically generate a password.

  • Authorized: Select whether this user is authorized to use the client VPN.

To edit an existing user, click on the user under the User Management section. To delete a user, click the X next to the user on the right side of the user list.

Meraki

When using Meraki-hosted authentication, the user's email address is the username that is used for authentication.


RADIUS


Use this option to authenticate users on a RADIUS server. Click Add a RADIUS server to configure the server(s) to use. Enter in the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.

Note: Only one RADIUS server is supported for authentication with AnyConnect today.


Add MX security appliance as RADIUS clients on the NPS server.

In order for the MX to act as an authenticator for RADIUS, it must be added as a client on NPS.

  1. Open the NPS server console by going to Start > Programs > Administrative Tools > Network Policy Server.

  2. In the left-side pane, expand the RADIUS Clients and Servers option.

  3. Right-click the RADIUS Clients option and select New.

  4. Enter a Friendly Name for the MX security appliance or Z teleworker gateway RADIUS client.

  5. Enter the IP address of your MX security appliance or Z teleworker gateway. This IP will differ depending on where the RADIUS server is located:

    • On a local subnet: use the IP address of the MX/Z on the subnet shared with the RADIUS server

    • Over a static route: use the IP address of the MX/Z on the subnet shared with the next hop

    • Over VPN: use the IP address of the MX/Z on the highest-numbered VLAN in VPN

  6. Create and enter a RADIUS Shared Secret (make note of this secret, you will need to add this to the dashboard).

Note: Currently only ASCII characters are supported for RADIUS shared secrets, unicode characters will not work correctly.

  1. Press OK when finished.

Cisco Meraki AnyconnectMerakiCisco meraki vpn client

For additional information or troubleshooting assistance, please refer to Microsoft documentation on RADIUS clients.

Configure a RADIUS Connection Request

  1. In the NPS server console, navigate to Policies > Connection Request Policies. Right-click the Connection Request Policies folder and select New.

  2. In the Connection Request Policy Wizard, enter a policy name and select the network access server type unspecified, then press Next.

  3. Click Add to add conditions to your policy. Access-request messages will need to meet these conditions to be allowed access.

  4. From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next

  5. Press Next on the next three pages of the wizard to leave the default settings intact.

  6. Review the settings, then press Finish.


Configure a RADIUS Network Policy.

  1. In the left-side pane of the NPS server console, right-click theNetwork Policies option and select New.

  2. In the Network Policy Wizard enter a policy name and select the network access server type unspecified, then press Next.

  3. Click Add to add conditions to your policy.

  4. From the list of conditions, select the option for Windows Groups. Click Add Groups and enter the name you would like to give client VPN permission to.

  5. From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next.

  6. Leave the default settings on the Specify Access Permission page and press Next.

  1. Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed, press No to continue, and press Next. Refer to this doc for security information about using PAP.

  2. Press Next on the next two pages of the wizard to leave the default settings intact.

  3. Review the settings, then press Finish.


Active Directory

Use this option if user authentication should be done with Active Directory domain credentials. You will need to provide the following information:

  • Short domain: The short name of the Active Directory domain.

  • Server IP: The IP address of an Active Directory server on the MX LAN.

  • Domain admin: The domain administrator account the MX should use to query the server.

  • Password: Password for the domain administrator account.

For example, considering the following scenario: Users in the domain test.company.com should be authenticated using an Active Directory server with IP 172.16.1.10. Users normally log in to the domain using the format 'test/username' and you have created a domain administrator account with username 'vpnadmin' and password 'vpnpassword'.

  • The Short domain would be 'test'

  • The Server IP would be 172.16.1.10.

  • The Domain admin would be 'vpnadmin'

  • The Password would be 'vpnpassword'

Note: Only one AD server can be specified for authentication with AnyConnect at the moment. The MX does not support mapping group policies via Active Directory for users connecting through the client VPN. Refer to this document for more information on integrating with client VPN.


Certificate-based authentication

The AnyConnect server on the MX supports client certificate authentication as a factor of authentication. If certificate authentication is enabled, the AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting for the users' credentials. AnyConnect on the MX does not support certificate-only authentication at this time. Authenticating users must input credentials once certificate authentication succeeds. If certificate authentication fails, the AnyConnect client will report certificate validation failure.

Multi-Factor Authentication with RADIUS or Active Directory as a Proxy

MFA is not natively supported on the MX, however, you can configure MFA with your RADIUS or Active Directory server. The MFA challenge takes place between the RADIUS/Active Directory/Idp and the user. The MX will not pass any OTP or PINs between the user and RADIUS. The user connects to the MX and gets prompted for username and password, the MX passes credentials to the RADIUS or AD server, then the RADIUS or AD server challenges the user directly (not through the MX). The user responds to RADIUS or AD server, possibly via push notification, etc, then the RADIUS or AD server tells the MX that the user has successfully authenticated. Only then is the user allowed access to the network. Refer to this document for more information on authentication.

RADIUS Time-Out

The default RADIUS time-out is three seconds. This is how long the AnyConnect server will wait for a response from the RADIUS sever before failing over to a different RADIUS server or ignoring the response entirely. To support two-factor authentication, you can increase the RADIUS time-out by modifying the RADIUS time-out field on the AnyConnect Settings page. The configurable time-out range is 1 - 300 seconds.

For additional information, refer to the AnyConnect configuration guide.

Client Download

Unlike the ASA, the MX does not support web deploy or web launch, a feature that allows end users to access a web page on the AnyConnect server to download the AnyConnect client. With the MX, there are download links to the client software on the AnyConnect settings page on the dashboard, however, the download links are only available to the Meraki dashboard admin and not the end user. We do not recommend sharing the down link with users as the link expires after every five minutes of loading the AnyConnect settings page.

We recommend downloading the AnyConnect client directly from Cisco.com as there may be an updated version in the Cisco repository. Refer to the doc for the AnyConnect clientrelease notes. We also recommend using either Meraki Systems Manager, an equivalent MDM solution, or Active Directory to seamlessly push the AnyConnect software client to the end user's device.

AnyConnect requires a VPN client to be installed on a client device. The AnyConnect client for Windows, MacOS, and Linux are available on the Client Connection section of the AnyConnect configuration page on the dashboard and can be downloaded by a Meraki dashboard administrator. Please note, the download links on the Meraki dashboard expire after five minutes. The AnyConnect client for mobile devices can be downloaded via the respective mobile stores. You can also download other versions (must be version 4.8 or higher) of the AnyConnect client from Cisco.com if you have an existing AnyConnect license. AnyConnect web deploy is not supported on the MX at this time.

  • Installing the AnyConnect client
  • You only need the VPN box checked. Once the client has been installed on the device, open the AnyConnect application and specify the hostname or IP address of the MX (AnyConnect server) you need to connect to.

AnyConnect Profiles

Cisco Meraki Anyconnect Password

An AnyConnect profile is a crucial piece for ensuring easy configuration of the AnyConnect client software, once installed. The MX does not support the use of custom hostnames for certificates (e.g. vpn.xyz.com). The MX only supports use of the Meraki DDNS hostname for auto-enrollment and use on the MX. With the Meraki DDNS hostname (e.g. mx450-xyuhsygsvge.dynamic-m.com) not as simply as a custom hostname, the need for AnyConnect profiles cannot be overemphasized. Profiles can be used to create hostname aliases, thereby masking the Meraki DDNS with a friendly name for the end user.

Cisco AnyConnect client features are enabled in AnyConnect profiles. These profiles can contain configuration settings like server list, backup server list, authentication time out, etc., for client VPN functionality, in addition to other optional client modules like Network Access Manager, ISE posture, customer experience feedback, and web security. It is important to note that at this time, the Meraki MX does not support other optional client modules that require AnyConnect head-end support. For more details, see AnyConnect profiles.

When a profile is created, it needs to get pushed to the end user's device. There are three ways to do this.

1. Through the AnyConnect server (MX): If profiles are configured on the dashboard, the MX will push the configured profile to the user's device after successful authentication.
2. Through an MDM solution: Systems Manager, an equivalent MDM solution, or Active Directory can be used push files to specific destinations on the end user's device. Profiles can also be pushed to the following paths:

Windows
%ProgramData%CiscoCisco AnyConnect Secure Mobility ClientProfile

Mac OS X
/opt/cisco/anyconnect/profile

Linux
/opt/cisco/anyconnect/profile

3. Manually: Profiles can also be preloaded manually to the same paths as listed above.

How to Create a Profile

Profiles can be created using the AnyConnect profile editor. The profile editor can be downloaded from the AnyConnect Settings page on dashboard or on cisco.com. Refer to this link for more details on AnyConnect profiles.

Cisco Meraki Anyconnect Download

Using the profile editor: The profile editor can be downloaded from the AnyConnect Settings page on dashboard or on Cisco.com. The profile editor only runs on Windows operating systems. The screenshot below shows a configured server ton the Server List Entry option.

Meraki Anyconnect Vpn

When configuration is complete, save the profile. It is recommended to use a unique file name to avoid profile overrides by other AnyConnect servers, then you can upload the file to the profile update section on the AnyConnect settings page.

Cisco Meraki Anyconnect

Please note that only VPN profiles are supported on the MX at this time. This means you cannot push NVM, NAM, or Umbrella profiles via the MX.

Cisco Meraki Anyconnect

  • Select enable profiles, upload your xml file, and save your configuration
  • After a user successfully authenticates, the configured profile gets pushed to the user's device automatically
  • The result of the .xml can be seen below, after successful authentication to the AnyConnect server; this gives users the ease of selecting VPN servers on the AnyConnect client
    The Meraki DDNS hostname is not easy to remember, therefore end users are not expected to use it directly. Profiles should be used to make connecting to the AnyConnect server easy for end users.