Configuring Certificate and SAML Based Authentication with Meraki AnyConnect VPN

Introduction

SecureW2’s JoinNow Connector PKI can issue certificates to devices after a SAML login, enabling secure, passwordless authentication to Meraki’s AnyConnect VPN.

This guide shows how to configure AnyConnect VPN to require a client certificate issued by SecureW2’s PKI and, in addition, to authenticate users against your SAML identity provider (IdP). The two factors are independent: the certificate proves the device (or user) holds a key issued by your CA, and the SAML login proves the user’s identity with the IdP.

Prerequisites

To set up AnyConnect with certificate and SAML authentication, the following conditions must be met:

  1. An active Meraki cloud account subscription.
  2. The SAML Authentication feature has been enabled on your organization by Meraki Support (it is not enabled by default).
  3. An active JoinNow Management Portal subscription.

Creating a SAML Application

SecureW2 acts as a certificate authority: it authenticates the user against the SAML IdP and issues an X.509 certificate bound to the identity asserted by the IdP. Azure AD is used as the SAML IdP in this guide; the application created below is the service provider (SP) entry that represents the Meraki AnyConnect VPN endpoint, so the IdP only sends assertions to the Entity ID and Reply URL you register here.

  1. Log in to Azure Portal and select Azure Active Directory.
  2. Select Enterprise Applications.
  3. Click New Application.
  4. Type AnyConnect in the search box and select Cisco AnyConnect from the results panel.
  5. Give the app a name and click Create.
  6. Select Set up single sign on.
  7. Click SAML.
  8. In the Basic SAML Configuration section, fill in the Entity ID and Reply URL as follows:
    1. If your AnyConnect Server URL is “vtk-qpjgjhmpdh.dynamic-m.com” (this URL is different for every network), the Entity ID and Reply URL will be configured as follows:
      • Identifier (Entity ID) – https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/metadata/SAML
      • Reply URL (Assertion Consumer Service URL) – https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs
  9. In the SAML Certificates section, download the Federation Metadata XML file and save it on your computer. You will upload this file to the Meraki dashboard later; it contains the IdP entity ID, the single sign-on URLs and the certificate Meraki will use to verify the IdP’s signed assertions.
  10. On the left pane, click Users and groups.
  11. Click Add user/group.
  12. Click None Selected.
  13. In the Search box, enter the name of the user, select the user and assign it to the application. Only users assigned here will be able to complete the SAML login.

Certificate Enrollment for Devices

SecureW2’s PKI services provide certificate enrollment facilities through which devices can enroll for user and device certificates. Certificates can be enrolled via either of the following methods:

  1. SAML-based certificate enrollment: see the separate SecureW2 guide on configuring SecureW2 with Azure for SAML-based enrollment.
  2. MDM SCEP gateway enrollment: see the separate SecureW2 guide on configuring SecureW2 with Intune for SCEP-based enrollment.

Configuring Meraki for SAML based authentication

Log in to the Meraki dashboard and follow the steps below to configure SAML-based authentication for the Meraki VPN.

  1. Open the AnyConnect Settings tab and configure the settings described in the following steps.
  2. Under the Authentication and Access section, set Authentication Type to SAML.

    NOTE: SAML Authentication is not enabled by default. If you don’t see it in your Meraki Dashboard, you will need to reach out to Meraki Support and request it to be added.

  3. In the Certificate Authentication section, select Enabled.
  4. Navigate to PKI > Certificate Authorities in the JoinNow Management Portal. Download your Root CA and Intermediate CA certificates by clicking the Download button under Functions.
    1. Open the certificates in a text editor and copy their PEM contents (the text from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----”), first from the intermediate certificate and then from the root certificate.
    2. Paste both certificates, intermediate first, into a single text file and save it as a .txt file for upload to the Meraki AnyConnect VPN settings. The file must contain only certificates; CA private keys never leave the PKI and must not be pasted here.
  5. Click Choose File and select the text file you created in the previous step. Meraki will then require clients to present a certificate that chains to this CA.
  6. Configure your AnyConnect URL, for example https://vtk-qpjgjhmpdh.dynamic-m.com (this URL is different for every network). Append “:port” to the end of the URL if you use a port other than the default 443. Ensure the URL starts with “https://”; it must also match the host you used for the Entity ID and Reply URL in the SAML application.
  7. In the SAML Metadata File section, click Choose File. Upload the metadata file saved from earlier.
  8. In the AnyConnect VPN subnet field, enter the subnet value for your VPN.
  9. Click Save.
  10. Navigate to the Downloads folder of your device and select the AnyConnect Secure Mobility Client zip package. Run the setup as an administrator.
  11. After the setup is complete, open the AnyConnect Secure Mobility Client application.
  12. In the Meraki dashboard, under Client Connection Details, copy the URL next to Hostname. Open the Cisco Secure Client, paste the URL in the AnyConnect VPN field and click Connect.
  13. A sign-in prompt appears; with SAML authentication this is the identity provider’s login page. Sign in with the user account you assigned to the application in the Creating a SAML Application section and click OK. The client certificate issued by SecureW2 is presented automatically.
  14. After a successful connection, the Cisco welcome dialog box opens. Click Accept.
  15. Click AnyConnect VPN to open the client widget, then click Message History. On a successful connection a success message appears there; on failure, the history shows whether the certificate or the SAML step was rejected.
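
Step 4 above (assembling the CA text file) is where mistakes are easy to make: pasting the certificates in the wrong order, pasting the same file twice, or pasting a private key by accident. The following is an added example for this guide, not SecureW2 or Meraki code, using only the Python standard library. It builds the bundle in the order the guide requires and checks, by walking the certificates’ DER structure, that the second certificate is self-issued and that it is the issuer of the first. It only compares issuer and subject names byte-for-byte and verifies no signatures. The two certificates it ships with are constructed minimal DER structures with placeholder names, not SecureW2’s real CA certificates; the helper names (build_bundle, chain_problems and so on) are this example’s own.

```python
"""Assemble and sanity-check the Meraki CA bundle: intermediate CA first, then root CA (added example)."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used here only to construct the sample certificates)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; returns (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def issuer_and_subject(der: bytes):
    """Walk Certificate -> TBSCertificate and return the raw issuer and subject Name encodings."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] EXPLICIT version, absent in v1 certificates
    if tag != 0xA0:
        pos = 0
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)    # issuer Name
    _, _, pos = _read_tlv(tbs, pos)         # validity
    _, subject, _ = _read_tlv(tbs, pos)     # subject Name
    return issuer, subject


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def chain_problems(intermediate: bytes, root: bytes) -> list:
    """Name-based ordering checks only; no signature verification is performed."""
    i_issuer, i_subject = issuer_and_subject(intermediate)
    r_issuer, r_subject = issuer_and_subject(root)
    problems = []
    if r_issuer != r_subject:
        problems.append("root certificate is not self-issued; is it really the root?")
    if i_issuer == i_subject:
        problems.append("intermediate certificate is self-issued; was the root pasted twice?")
    if i_issuer != r_subject:
        problems.append("intermediate certificate was not issued by the supplied root")
    return problems


def build_bundle(intermediate_pem: str, root_pem: str):
    """Return (bundle_text, []) in the order Meraki expects, or (None, problems)."""
    problems, certs = [], []
    for role, text in (("intermediate", intermediate_pem), ("root", root_pem)):
        blocks = PEM_BLOCK.findall(text)
        for label, _ in blocks:
            if label != "CERTIFICATE":  # a PRIVATE KEY block must never reach the dashboard
                problems.append(f"{role} file contains a {label} block; only certificates belong in the bundle")
        ders = [base64.b64decode("".join(b.split()), validate=True) for lbl, b in blocks if lbl == "CERTIFICATE"]
        if len(ders) != 1:
            problems.append(f"{role} file must hold exactly one certificate, found {len(ders)}")
        certs.append(ders)
    if not problems:
        problems = chain_problems(certs[0][0], certs[1][0])
    if problems:
        return None, problems
    return to_pem(certs[0][0]) + "\n" + to_pem(certs[1][0]) + "\n", []


# Constructed sample chain with placeholder names; not SecureW2's real CAs, no real keys or signatures.
def _name(cn: str) -> bytes:
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))  # CN (2.5.4.3) as UTF8String
    return _tlv(0x30, _tlv(0x31, atv))


def _sample_cert(subject: str, issuer: str, serial: int) -> bytes:
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
               + _name(issuer)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
               + _name(subject) + _tlv(0x30, b""))  # empty SubjectPublicKeyInfo placeholder
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # placeholder signature


ROOT_PEM = to_pem(_sample_cert("Example Root CA", "Example Root CA", 1))
INTERMEDIATE_PEM = to_pem(_sample_cert("Example Intermediate CA", "Example Root CA", 2))
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # must be rejected

if __name__ == "__main__":
    bundle, problems = build_bundle(INTERMEDIATE_PEM, ROOT_PEM)
    print(bundle if bundle else "\n".join(problems))
```

Replace the two constructed PEM strings with the contents of the Intermediate CA and Root CA files downloaded from the JoinNow Management Portal and write the returned bundle to the .txt file you upload in step 5; if build_bundle reports problems, fix the input files rather than uploading.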