Azure AD MFA with Cisco AnyConnect not working

SPoodari
Beginner

Simple setup, but it has been driving me crazy since yesterday.

Cisco ASA Firepower 1010 with AnyConnect integration to Azure SAML.

I have followed the Cisco and Microsoft documents and configured exactly as described (literally about five times by now).

When I try to connect, I can see the Azure login prompt, Azure signs me in, and then an HTML "page not found" response comes back.

This vpn.company.com page can’t be found

No webpage was found for the web address: https://vpn.compnay.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA

HTTP ERROR 404

I've enabled debugs and couldn't find anything.

Mar 30 17:29:24 [SAML] get_lasso_signature_method:
Use SHA256 in SAML Request
Mar 30 17:29:24 [SAML] saml_add_config: SAML config added to list

SAML AUTH: SAML hash table cleanup periodic task
Public archive directives retrieved from cache for index 1.
Mar 30 17:29:37
[SAML] build_authnrequest:
https://login.microsoftonline.com/23e274fb-1240-4362-9b03-6b133e33c70e/saml2?SAMLRequest=fVLLTsMwEPyVyPfEsd0m1GorhT6kSoAQIA5ckJtuqCXHDl6nPL4eJwipHOA6O7M7M%2FYcVWs6WfXhaO%2FgtQcMyXtrLMpxsCC9t9Ip1CitagFlqOV9dX0leZbLzrvgamfImeR%2FhUIEH7SzJNmtF%2BSZbTe5K...
[SAML] saml_is_idp_internal: getting SAML config for tg Azure-MFA
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task

Accepted Solution

Jostein
Beginner

We had the same fault. Running FTD 7.0.1.

Had to change the URL in the app settings in Azure.

Replace the capital letters as follows.

https://vpn.compnay.com/+CSCOE+/saml/sp/acs?tgname=Azure-MFA

This worked for us; neither TAC nor our Cisco partner was able to figure it out.

7 Replies

Jitendra Kumar
Rising star

Hi,

It is possible you missed some steps.

Please follow the tutorial below; it will guide you step by step through the SAML config.

https://www.youtube.com/watch?v=ORC0_0wsbQk

Thanks,
Jitendra

Hi Jitendra,

I have followed literally each and every video on YouTube on this.

But it has just come to light: do we need AnyConnect Apex licenses for this to work? Any idea?

As per the documentation only Apex supports SAML; we have AnyConnect VPN Peers.

Sampath

Jitendra Kumar
Rising star

I can see Apex licenses add more capabilities to AnyConnect VPN.

Below are the documents where SAML authentication is also covered.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc8

You can also take help from the document below, if it helps you.

https://www.optanix.com/practical-guide-deploying-saml-anyconnect/

Thanks,
Jitendra


That's true, the same worked for me as well. In my URL we had SAML/SP/ACS in caps.

The URL is freaking case sensitive. Where in the world a URL is case sensitive, only God knows.

Marvin Rhoads
VIP Community Legend

@SPoodari the value of the tgname in https://vpn.compnay.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA is case sensitive. The tgname is the tunnel-group (or connection profile, as it is referred to in ASDM) that is using SAML authentication. You should be able to verify it by pointing to the metadata page for the tunnel-group (as referenced in your AnyConnect enterprise app in Azure AD).

FYI the portion of a URL after the domain name (sometimes referred to as the URI) is and has always been case-sensitive.
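The practical check behind the two points above (the ACS path and the tgname must match what the firewall publishes, character for character) can be scripted. The block below is an added example, not code from this thread or from Cisco: it parses the SP metadata the firewall serves for the tunnel-group and compares the Azure AD Reply URL against the AssertionConsumerService Location, treating the hostname as case-insensitive (DNS) and the path and query as case-sensitive. The metadata XML and the vpn.example.com hostname are constructed placeholders; in practice you would download the real metadata from the firewall's metadata page and pass it in.

```python
"""Case-sensitive check of an Azure AD Reply URL against ASA/FTD SAML SP metadata.

Added example (not from the original thread). Assumptions:
  - the firewall's SP metadata carries the exact ACS URL it accepts in
    md:AssertionConsumerService/@Location;
  - SAMPLE_SP_METADATA below is constructed for illustration, with a
    placeholder hostname, not captured from a real device.
"""
from urllib.parse import urlsplit, parse_qsl
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata for a tunnel-group named "Azure-MFA".
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/sp/metadata/Azure-MFA">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Azure-MFA"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml: str) -> list:
    """Return every AssertionConsumerService Location advertised in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [el.attrib["Location"]
            for el in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def compare_reply_url(reply_url: str, acs_url: str) -> list:
    """Return human-readable mismatches between an Azure Reply URL and an ACS URL.

    An empty list means the two are equivalent. Scheme and host are compared
    case-insensitively; path and the tgname query parameter are compared exactly,
    and a difference that is only in letter case is called out separately,
    because that is the failure mode the thread describes (HTTP 404 after login).
    """
    r, a = urlsplit(reply_url), urlsplit(acs_url)
    problems = []
    if r.scheme.lower() != a.scheme.lower():
        problems.append(f"scheme differs: {r.scheme!r} vs {a.scheme!r}")
    if r.netloc.lower() != a.netloc.lower():
        problems.append(f"host differs: {r.netloc!r} vs {a.netloc!r}")
    if r.path != a.path:
        if r.path.lower() == a.path.lower():
            problems.append(f"path differs only by case: {r.path!r} vs {a.path!r}")
        else:
            problems.append(f"path differs: {r.path!r} vs {a.path!r}")
    rq = dict(parse_qsl(r.query, keep_blank_values=True))
    aq = dict(parse_qsl(a.query, keep_blank_values=True))
    tg_r, tg_a = rq.get("tgname"), aq.get("tgname")
    if tg_r != tg_a:
        if tg_r and tg_a and tg_r.lower() == tg_a.lower():
            problems.append(f"tgname differs only by case: {tg_r!r} vs {tg_a!r}")
        else:
            problems.append(f"tgname differs: {tg_r!r} vs {tg_a!r}")
    return problems


def check(reply_url: str, metadata_xml: str = SAMPLE_SP_METADATA) -> dict:
    """Map each advertised ACS Location to the list of mismatches against reply_url."""
    return {loc: compare_reply_url(reply_url, loc) for loc in acs_locations(metadata_xml)}


if __name__ == "__main__":
    # The upper-case path from the original post versus the lower-case one that worked.
    for url in ("https://vpn.example.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA",
                "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Azure-MFA"):
        for loc, problems in check(url).items():
            print(url, "->", "OK" if not problems else "; ".join(problems))
```

Run it against the metadata downloaded from your own firewall and the Reply URL copied from the Azure enterprise application; anything reported as "differs only by case" is exactly the kind of mismatch that passes a casual visual comparison but still produces the 404 seen in this thread.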

Not only is it case sensitive, the syntax is already different. Microsoft says:

https://YOUR_CISCO_ANYCONNECT_FQDN/+CSCOE+/SAML/SP/ACS

Thanks to the solution in this thread I finally made it... it took 2 days to sort everything out...
