02-27-2020 06:04 AM
We are in the process of deploying Azure AD SSO with the Always On VPN enabled. The Azure authentication never completes because the Always On feature is blocking access to the internet. Is there a way to whitelist login.microsoftonline.com within the Always On configuration?
03-03-2020 02:55 AM
Hi,
At this point, always-on VPN does not support exceptions, as it would defeat the purpose of its functionality. However, with more cloud deployments showing up, Cisco could make a change to this feature, if there is enough demand.
Back to your problem, either stop using Always on VPN, or make the authentication happen without the user requiring Internet access; so the authentication scheme you're using needs to work so that the user provides the credentials to the ASA, within the negotiated tunnel, not outside the tunnel as this is prohibited.
Regards,
Cristian Matei.
03-02-2020 06:33 AM
Hi,
I don't think you'd be able to do that because always-on VPN basically drops all traffic except to the VPN headend (ASA).
The user/admin guide for AnyConnect does not mention any whitelisting.
Best regards,
Octavian