Re: Authentication flow using Secure Client, Entra ID and Access Manage

Aussietramp · ‎01-26-2026

Hi,

I would like to authenticate:

external suppliers
connecting via Cisco Secure Client (AnyConnect)
authenticating against Entra ID
using Access Manager as the NAC solution

In short, the idea is the following:
using the existing AnyConnect client, users connect to the vMX, and through Access Manager policies, the authentication request is forwarded to Entra ID.

Is this scenario supported and technically feasible?

M.

aleabrahao · ‎01-26-2026

It cannot receive a SAML request from the MX and forward it to Entra ID. Access Manager is not designed to authenticate VPN connections Its purpose is enforcing identity-based rules for network edges (switch/AP), not VPN hubs.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Philip D'Ath · ‎01-26-2026

Also note that typically, you can only authenticate "member" users in your Entra ID.

You can authenticate Secure Client users directly against Entra ID (Access Manager is not required).

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration

Aussietramp · ‎01-27-2026

Hi Philip,

since i have few type of suppliers, can i give different group-policies? and where can i configure the group policies? cause in the MX there is only one group-policy to configure under the client-VPN-anyconnect section.

Thanks in adavance to both of you.

Philip D'Ath · ‎01-27-2026

I don't know if it is documented anywhere, but I explain how to apply per group policies here.

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/245513/highlight/true#M54881