I'm authenticating AnyConnect via SAML/AzureAD, but wish to have multiple tunnel groups. I'm aware I'm presently unable to have multiple IdP trustpoints, so all users are lumped into the same authentication group; however, each tunnel group represents different networks you're able to access, and I need/want to be able to authenticate to both via the same SSO setup.
However, when I add the same SAML URL into a 2nd tunnel group, I am able to authenticate fine, but this then breaks access to the original tunnel group that was configured; I get an "Authentication failed due to problem retrieving the single sign-on cookie".
I end up having to tear down the entire config on both the ASA and on Azure and re-issue a new IDP cert to get it all working again.
Re: Authentication multiple tunnel groups via SAML
I suspect this is due to the issue with how the ASA caches the SAML IdP information. That's the same thing that makes us remove and re-add the SAML on a webvpn config whenever we change the IdP parameters.
I'd recommend opening a TAC case to verify.
You may have to consider other access restriction methods like per user or per group ACLs (vpn filter or ISE DACLs).