Anyconnect with SAML on a router

Richard Tapp
Level 1

We have managed to deploy SAML authentication for Anyconnect on our firewall estate with no issue

But we have one router running anyconnect and Google does not seem to throw up any config examples for this.

Has anyone ever managed to do this on a router? If so, could you please share the SAML config part for it.

2 Replies

To configure SAML authentication for AnyConnect on an ASA router, follow these steps:

1. Create a Trustpoint and import the SAML certificate:

```
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-AC-SAML
-----BEGIN CERTIFICATE-----
... PEM Certificate Text you downloaded goes here ...
-----END CERTIFICATE-----
quit
```

2. Provision your SAML IdP with the following commands:

```
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/ - [Azure AD Identifier]
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 - [Login URL]
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 - [Logout URL]
  trustpoint idp AzureAD-AC-SAML - [IdP Trustpoint]
  trustpoint sp ASA-EXTERNAL-CERT - [SP Trustpoint]
  no force re-authentication
  no signature
  base-url https://asa.example.com
```

3. Apply SAML authentication to a VPN tunnel configuration:

```
tunnel-group AnyConnectVPN-1 webvpn-attributes
 saml identity-provider https://sts.windows.net/xxxxxxxxxxxxx/
 authentication saml
end
write memory
```

Make sure to replace the placeholders `[Azure AD Identifier]`, `[Login URL]`, and `[Logout URL]` with the actual values provided by your SAML identity provider (IdP).

It is also recommended to verify the configuration and troubleshoot any issues using the debug commands `debug webvpn saml 255`, `debug webvpn 255`, `debug webvpn session 255`, and `debug webvpn request 255`.

(Source: [Cisco - Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML](https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html))

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Thanks, we did have this set. It turns out there is a slight issue on older versions of IOS and Azure.

We had multiple SAML profiles, each one created a new certificate which we added to the ASA.

The trouble is the ASA could only have 1 SAML server with 1 certificate.

So the workaround is to create your own certificate, upload that to each Azure side profile and also to the one SAML server on the ASA, and it now all works fine.

We had one Cisco engineer on the case for about 4 hours with no success; when his shift ended and a new engineer came on, he spotted this issue in about 10 minutes and it was fixed in under an hour.
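An added example, not code from either reply or from Cisco's documentation: it reads an IdP's SAML 2.0 federation metadata and renders the step-2 `saml idp` block from it, so the entity ID, sign-in and sign-out URLs and signing certificate are copied from the metadata rather than retyped, and it refuses to render when the metadata carries more than one signing certificate, which is the one-certificate-per-IdP limit the follow-up reply ran into. The sample metadata, tenant id and certificate body are constructed placeholders, and the trustpoint names and base-url are the illustrative values from the reply above.

```python
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_B64 = "QUJD" * 40  # placeholder certificate body, not a real certificate

# Constructed sample in the shape of Azure AD federation metadata; the tenant id is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{REDIRECT}"
   Location="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"/>
  <SingleSignOnService Binding="{REDIRECT}"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the values the ASA 'saml idp' block needs from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            certs += ["".join(c.text.split()) for c in kd.iter(f"{{{DS}}}X509Certificate")]

    def location(tag):  # prefer the HTTP-Redirect endpoint, fall back to whatever is listed
        svcs = idp.findall(f"{{{MD}}}{tag}")
        preferred = [s for s in svcs if s.get("Binding") == REDIRECT] or svcs
        return preferred[0].get("Location") if preferred else None

    return {"entity_id": root.get("entityID"), "sso_url": location("SingleSignOnService"),
            "slo_url": location("SingleLogoutService"), "signing_certs": certs}

def to_pem(b64):
    """Wrap the bare base64 from the metadata into the PEM that 'crypto ca authenticate' expects."""
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----"

def asa_saml_config(meta, idp_trustpoint, sp_trustpoint, base_url):
    """Render the ASA 'webvpn saml idp' block; the IdP trustpoint holds exactly one certificate."""
    if len(meta["signing_certs"]) != 1:
        raise ValueError(f"expected one IdP signing certificate, found {len(meta['signing_certs'])}")
    return "\n".join(["webvpn", f" saml idp {meta['entity_id']}", f"  url sign-in {meta['sso_url']}",
                      f"  url sign-out {meta['slo_url']}", f"  trustpoint idp {idp_trustpoint}",
                      f"  trustpoint sp {sp_trustpoint}", "  no force re-authentication",
                      "  no signature", f"  base-url {base_url}"])
```

Paste the output of `to_pem(...)` at the `crypto ca authenticate` prompt from step 1 and the rendered block in place of step 2; a metadata file that fails the single-certificate check is the case where a certificate of your own, shared by all IdP-side profiles, is needed.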