Azure AD MFA with Cisco AnyConnect not working

SPoodari
Level 1

Simple setup, but it has been driving me crazy since yesterday.

Cisco ASA Firepower 1010 with AnyConnect integration to Azure SAML.

I have followed the Cisco and Microsoft documents and configured exactly as mentioned (about 5 times literally till now).

While I'm trying to connect, I can see the Azure login prompt, Azure signs me in, then an HTML page-not-found response comes back.

This vpn.company.com page can’t be found

No webpage was found for the web address: https://vpn.compnay.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA

HTTP ERROR 404


I've enabled debugs and couldn't find anything.

Mar 30 17:29:24 [SAML] get_lasso_signature_method:
Use SHA256 in SAML Request
Mar 30 17:29:24 [SAML] saml_add_config: SAML config added to list

SAML AUTH: SAML hash table cleanup periodic task
Public archive directives retrieved from cache for index 1.
Mar 30 17:29:37
[SAML] build_authnrequest:
https://login.microsoftonline.com/23e274fb-1240-4362-9b03-6b133e33c70e/saml2?SAMLRequest=fVLLTsMwEPyVyPfEsd0m1GorhT6kSoAQIA5ckJtuqCXHDl6nPL4eJwipHOA6O7M7M%2FYcVWs6WfXhaO%2FgtQcMyXtrLMpxsCC9t9Ip1CitagFlqOV9dX0leZbLzrvgamfImeR%2FhUIEH7SzJNmtF%2BSZbTe5K...
[SAML] saml_is_idp_internal: getting SAML config for tg Azure-MFA
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task

Accepted Solution

Jostein
Level 1

We had the same fault. Running 7.0.1 FTD.

Had to change the URL in the app settings in Azure.

Replace the capital letters as follows.

https://vpn.compnay.com/+CSCOE+/saml/sp/acs?tgname=Azure-MFA

This worked for us; neither TAC nor our Cisco partner were able to figure it out.


14 Replies

Jitendra Kumar
Spotlight

Hi,

It is possible you missed a step.

Please follow the tutorial below; it will guide you step by step through the SAML config.

https://www.youtube.com/watch?v=ORC0_0wsbQk

Thanks,
Jitendra

Hi Jitendra,

I have followed literally each and every video on YouTube on this.

But it just came to light: do we need AnyConnect Apex licenses for this to work? Any idea?

As per the documentation only Apex supports SAML; we have AnyConnect VPN Peers.

Sampath

Jitendra Kumar
Spotlight

I can see Apex licenses add more capabilities to AnyConnect VPN.

Below are the documents where SAML authentication is also included.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc8

You can also take help from the documents below, if they help you.

https://www.optanix.com/practical-guide-deploying-saml-anyconnect/

Thanks,
Jitendra

Also worked for me; changed SAML and SP to lowercase and it worked.


That's true, the same worked for me as well. In my URL we had SAML/SP/ACS in caps.

The URL is freaking case-sensitive... where in the world a URL is case-sensitive, only God knows.

Marvin Rhoads
Hall of Fame

@SPoodari the value of the tgname in https://vpn.company.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA is case-sensitive. The tgname is the tunnel-group (or connection profile, as it is referred to in ASDM) that is using SAML authentication. You should be able to verify it by pointing to the metadata page for the tunnel-group (as referenced in your AnyConnect enterprise app in Azure AD).

FYI, the portion of a URL after the domain name (sometimes referred to as the URI) is, and has always been, case-sensitive.

Not only case-sensitive, the syntax is already different. Microsoft says:

https://YOUR_CISCO_ANYCONNECT_FQDN/+CSCOE+/SAML/SP/ACS

Thanks to the solution in this thread I finally made it... took 2 days to sort everything out...

Having trouble with this myself. Are you all saying what's in the Cisco AND MS docs is wrong? They both say

https://<YOUR_CISCO_ANYCONNECT_FQDN>/+CSCOE+/saml/sp/acs?tgname=<Tunnel_Group_Name>

but it needs to all be caps?

@sysad43 the section <YOUR_CISCO_ANYCONNECT_FQDN> is not case-sensitive. You replace that section with your VPN address (omitting the <> symbols). The remainder of the URI is case-sensitive, including the +CSCOE+ string and the <Tunnel_Group_Name> section. For the last section, insert your tunnel-group name exactly as it appears in your running configuration, including any capitalization.
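The rules just described (host name case-insensitive, path and tgname case-sensitive, tunnel-group name taken verbatim from the running configuration) are easy to get wrong by hand, and the 404 from the ASA gives no hint which part is off. The following is an added example, not code from this thread or from Cisco or Microsoft: a small Python checker that parses the Reply/ACS URL you intend to paste into the Azure AD enterprise app and compares it against a list of remote-access tunnel-groups scraped from a constructed running-config excerpt. The lowercase expected path is an assumption taken from the accepted answer above; pass whichever form your platform's documentation specifies. Host names, tunnel-group names and the config excerpt are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed expected ACS path (the lowercase form from the accepted answer).
# Override via the expected_path argument if your vendor doc differs.
DEFAULT_ACS_PATH = "/+CSCOE+/saml/sp/acs"

# Constructed running-configuration excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
tunnel-group DefaultWEBVPNGroup general-attributes
tunnel-group Azure-MFA type remote-access
tunnel-group Azure-MFA general-attributes
 address-pool VPN-POOL
tunnel-group Azure-MFA webvpn-attributes
 authentication saml
tunnel-group Contractors type remote-access
"""


def tunnel_groups_from_config(config: str) -> list:
    """Return remote-access tunnel-group names exactly as they are configured.

    Only 'tunnel-group <name> type remote-access' lines define a name; the
    general-attributes / webvpn-attributes lines reference an existing one.
    """
    return re.findall(r"^tunnel-group (\S+) type remote-access\s*$", config, re.M)


def check_acs_url(url: str, tunnel_groups, expected_path: str = DEFAULT_ACS_PATH) -> list:
    """Validate a SAML ACS / Reply URL and return a list of human-readable findings.

    An empty list means the URL matches the expected shape. Case-only
    differences are reported separately, because they are the mistake
    discussed in this thread and the hardest one to spot by eye.
    """
    findings = []
    parts = urlsplit(url)  # urlsplit lower-cases the scheme, keeps the path as-is

    # The IdP posts the SAML assertion back over TLS, so the scheme must be https.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}; the IdP posts the assertion over https")

    # The host part is case-insensitive, so nothing to check there. The path is not.
    if parts.path != expected_path:
        if parts.path.lower() == expected_path.lower():
            findings.append(f"path case mismatch: got {parts.path!r}, expected {expected_path!r}")
        else:
            findings.append(f"path mismatch: got {parts.path!r}, expected {expected_path!r}")

    # tgname must name a remote-access tunnel-group, byte-for-byte.
    tgname = parse_qs(parts.query).get("tgname", [None])[0]
    if tgname is None:
        findings.append("tgname query parameter missing")
    elif tgname not in tunnel_groups:
        near = [t for t in tunnel_groups if t.lower() == tgname.lower()]
        if near:
            findings.append(f"tunnel-group case mismatch: got {tgname!r}, running config has {near[0]!r}")
        else:
            findings.append(f"tunnel-group {tgname!r} is not a remote-access tunnel-group in the running config")
    return findings


if __name__ == "__main__":
    groups = tunnel_groups_from_config(SAMPLE_RUNNING_CONFIG)
    for candidate in (
        "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Azure-MFA",
        "https://vpn.example.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA",
        "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=azure-mfa",
    ):
        print(candidate)
        for line in check_acs_url(candidate, groups) or ["  OK"]:
            print("  " + line.strip())
```

Paste the output of `show running-config tunnel-group` into `SAMPLE_RUNNING_CONFIG` (or read it from a file) and the checker tells you whether the ACS URL in Azure AD differs from the device only by case, which is exactly the symptom the 404 in this thread hides.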

Right, but above people seem to be saying that the SAML/SP/ACS part also needs to be caps. It isn't in the docs.

sysad43
Level 1

I've tried it both ways and still get the same 404 error after MFA sign-in. One thing I'm unsure of is, do I need to enable SSL access on the outside interface for this to work? We only have IKEv2 enabled.

@sysad43 Azure AD will be replying to the firewall via https to the SP (Service Provider in SAML terminology) URL, so yes, SSL must be enabled.

I figured as much. I'm just subbing as the network admin while we try to find someone who wants the job, so I'm learning as I go. I will try this as soon as I get the latest interim patch installed.