Azure AD SAML Cisco ASA AnyConnect

James Lytle
Level 1

I have 2 ASA firewalls that I am configuring the AnyConnect app in Azure AD.

 

Firewall A works fine, SSO takes care of autologon using MFA in Azure AD.

 

Firewall B also works, but differently.  SSO still handles the autologon using MFA in Azure AD, but additionally a web page titled AnyConnect Secure Mobility Client pops up and says "You have successfully authenticated.  You may now close this browser tab."

 

How on this green earth do I turn that off?!?!  It only happens on 1 of the firewalls, and both are configured exactly the same, except, of course, for the base URL and the ca cert that is specific to the app.

 

It is driving me absolutely insane!

 

Thank you in advance for any assistance!

Accepted Solution

James Lytle
Level 1

Turns out it was a difference in IOS versions.  The one that did NOT have the annoying popup was running 9.10.1, the one that did have the popup was running 9.9.1.  Upgraded to 9.10.1, and no popup!  Problem solved.


16 Replies

SinghRaminder
Level 1

Can you please provide the output of show run webvpn?

And the screenshot you are getting?

 

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

sho run webvpn from firewall that is showing the extra web page:

webvpn
  enable OUTSIDE
  anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
  anyconnect enable
  saml idp https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    url sign-in https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
    base-url https://vpn.company.com
    trustpoint idp ASDM_MFA_SAML
    trustpoint sp 2022_AnyConnect_TrustPoint
    no signature
    no force re-authentication
  tunnel-group-list enable
  cache
    no disable
  error-recovery disable

 

sho run webvpn from firewall that is working as desired:

webvpn
  enable OUTSIDE
  anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
  anyconnect enable
  saml idp https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    url sign-in https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
    base-url https://vpn.company.com
    trustpoint idp ASDM_MFA_SAML
    trustpoint sp 2022_AnyConnect_TrustPoint
    no signature
    no force re-authentication
  tunnel-group-list enable
  cache
    no disable
  error-recovery disable

 

screen shot of the unwanted web site attached.

As stated originally, both VPN connections work. It's just that this web site is an annoyance, and we are trying to standardize. Not sure why one does this and one doesn't.

SinghRaminder
Level 1

Are you using any profiles? I just tested mine and it does show me that page, but within a blink it goes away. I am checking my profiles to remember if there was a setting in addition to minimize the Cisco AnyConnect

Thanks
Raminder

I'll put it this way.  I am not intentionally using any profiles.  Let me check when I get back from my data center run, and I'll see what I can find out.

This is from the firewall with the page popup:

group-policy REMOTE_ACCESS_POLICY attributes
  wins-server none
  dns-server value x.x.x.x
  vpn-simultaneous-logins 3
  vpn-idle-timeout 5
  vpn-session-timeout 720
  vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT_TUNNEL
  split-dns value company.com
  webvpn
    anyconnect keep-installer installed
    anyconnect dpd-interval client 20
    anyconnect profiles value Annyconnect_VPN_Profile type user
    anyconnect ask none default anyconnect
    always-on-vpn profile-setting

 

This is from the firewall that works as desired:

group-policy REMOTE_ACCESS_POLICY attributes
  wins-server none
  dns-server value x.x.x.x
  vpn-simultaneous-logins 3
  vpn-idle-timeout 5
  vpn-session-timeout 720
  vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT_TUNNEL
  split-dns value company.com
  webvpn
    anyconnect keep-installer installed
    anyconnect dpd-interval client 20
    anyconnect profiles value anyconnect-vpn-company_client_profile type user
    anyconnect ask none default anyconnect
    always-on-vpn profile-setting

 

Other references to profiles come from a copy of this policy made by a previous engineer, and the profile reference under the call-home settings.  Otherwise, I'm not finding anything different other than names.

SinghRaminder
Level 1

Can you compare the two profiles in this scenario? I see there are two profiles here:

Annyconnect_VPN_Profile

anyconnect-vpn-company_client_profile

 

You can use the VPN profile editor or use Notepad++ to compare both XML files while I check on my side as well.

Thanks
Raminder
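The profile comparison suggested above can be done mechanically instead of by eye in Notepad++. The script below is an added example for this thread, not code from the original post or from Cisco: it flattens two AnyConnect client profile XML files into path/value/attribute entries (namespace stripped, repeated HostEntry elements indexed by position) and reports every setting that differs. The two profiles are constructed samples; the element names (ClientInitialization, UseStartBeforeLogon, AutoConnectOnStart, MinimizeOnConnect, LocalLanAccess, ServerList/HostEntry) are standard AnyConnect profile elements, but the values are invented and say nothing about the poster's Annyconnect_VPN_Profile or anyconnect-vpn-company_client_profile. On a Windows client the pushed profile lives under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile; on the ASA it is wherever the `anyconnect profiles <name> <path>` line under webvpn points.

```python
"""Diff two AnyConnect client profile XML files setting by setting.

Added example for this thread, not code from the original post or from
Cisco. PROFILE_A and PROFILE_B are constructed samples in the shape of an
AnyConnect client profile; their values are invented.
"""
import xml.etree.ElementTree as ET

# Constructed sample: profile as it might be pulled from the first ASA.
PROFILE_A = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.company.com</HostName>
      <HostAddress>vpn.company.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-b.company.com</HostName>
      <HostAddress>vpn-b.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample: same shape, with three deliberate differences
# (MinimizeOnConnect value, LocalLanAccess attribute, second HostAddress).
PROFILE_B = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.company.com</HostName>
      <HostAddress>vpn.company.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-b.company.com</HostName>
      <HostAddress>198.51.100.2</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[-1]


def flatten(xml_text):
    """Return {path: (text, attributes)} for every leaf element.

    Siblings sharing a tag (several HostEntry elements) get a 1-based
    index in the path so they are compared position by position.
    """
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = ((elem.text or "").strip(), dict(elem.attrib))
            return
        counts = {}
        for child in children:
            counts[_local(child.tag)] = counts.get(_local(child.tag), 0) + 1
        seen = {}
        for child in children:
            tag = _local(child.tag)
            seen[tag] = seen.get(tag, 0) + 1
            suffix = f"[{seen[tag]}]" if counts[tag] > 1 else ""
            walk(child, f"{path}/{tag}{suffix}")

    walk(root, "/" + _local(root.tag))
    return leaves


def diff_profiles(xml_a, xml_b):
    """Return {path: (a_value, b_value)} for each setting that differs.

    A setting present on only one side is reported with None on the other.
    """
    a, b = flatten(xml_a), flatten(xml_b)
    return {
        path: (a.get(path), b.get(path))
        for path in sorted(set(a) | set(b))
        if a.get(path) != b.get(path)
    }


if __name__ == "__main__":
    for path, (left, right) in diff_profiles(PROFILE_A, PROFILE_B).items():
        print(f"{path}\n    A: {left}\n    B: {right}")
```

Attributes are compared as well as element text, because a profile whose only difference is UserControllable="true" versus "false" changes what the end user can toggle in the client, which is exactly the kind of difference a side-by-side read in an editor tends to miss.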

So, here's an issue.  The profile editor is completely blank!  No profiles.  Not sure how this has ever worked with standard AnyConnect let alone how the first firewall is working with SAML config!  No xml files except for a file called data.xml in a directory called sdesktop on disk0:.  Now I'm really confused!

SinghRaminder
Level 1

This is interesting; your policy says there are profiles configured and chosen.

Can you share the output of show disk0:?

Check your local computer as well; it's under C:\ProgramData\Cisco\AnyConnect\Profiles.

Changes to the way the AnyConnect window behaves are generally done under profiles.

 

Thanks
Raminder

--#-- --length-- -----date/time------ path
12 4096 Dec 05 2016 11:06:14 log
14 2546 Nov 24 2021 14:35:11 log/asa-appagent.log
25 4096 Oct 04 2013 15:09:42 crypto_archive
28 4096 Oct 04 2013 15:09:52 coredumpinfo
29 59 Oct 04 2013 15:09:52 coredumpinfo/coredump.cfg
130 89837568 Dec 05 2016 10:41:22 asa962-smp-k8.bin
131 26053720 Dec 05 2016 10:44:46 asdm-762-150.bin
132 4096 Jan 10 2014 03:07:08 tmp
133 5205 Feb 11 2014 06:44:24 oldconfig_2014Feb11_1943.cfg
134 12998641 Oct 04 2013 15:18:02 csd_3.5.2008-k9.pkg
135 4096 Oct 04 2013 15:18:02 sdesktop
151 1462 Oct 04 2013 15:18:02 sdesktop/data.xml
136 110020608 Feb 15 2018 21:45:14 asa991-smp-k8.bin
137 74680647 Jan 21 2020 12:24:20 anyconnect-win-4.8.01090-webdeploy-k9.pkg
138 524266 Mar 04 2020 19:42:48 test.pcap
139 657108 Apr 11 2021 23:39:44 crashinfo_20210411_233930_UTC
26 4096 Mar 07 2014 09:12:36 snmp
27 4 Mar 07 2014 09:12:36 snmp/single_vf
140 671363 Aug 27 2021 16:24:04 crashinfo_20210827_162350_UTC
141 658926 Nov 22 2021 16:53:34 crashinfo_20211122_165322_UTC
142 653268 Nov 24 2021 14:32:58 crashinfo_20211124_143246_UTC
143 656682 Oct 08 2020 19:02:54 crashinfo_20201008_190242_UTC
153 34143680 May 17 2022 15:38:43 asdm-7101.bin

 

None of the XML files on my local machine make any reference to the URL that is coming up. Not sure which tag to look at.

Not sure what tags to look for in the profile XML files on the local machine.

 

Here's a list of my files from the broken firewall:

--#-- --length-- -----date/time------ path
100 108563072 Nov 19 2019 13:58:48 asa982-lfbff-k8.SPA
101 26970456 Nov 19 2019 13:59:18 asdm-782.bin
102 63 May 09 2022 23:13:59 .boot_string
11 4096 Nov 19 2019 14:02:28 log
111 625 Jan 24 2020 14:41:32 log/asa-appagent.log
103 74680647 Jan 22 2020 11:56:28 anyconnect-win-4.8.01090-webdeploy-k9.pkg
104 614974 Jan 24 2020 14:39:38 crashinfo_20200124_143815_UTC
105 111335824 Jan 24 2020 14:56:54 asa984-15-lfbff-k8.SPA
112 4096 Apr 22 2022 08:26:58 snmp
113 4 Apr 22 2022 08:26:58 snmp/single_vf
22 4096 Nov 19 2019 14:06:46 coredumpinfo
23 59 Nov 19 2019 14:06:46 coredumpinfo/coredump.cfg
21 4096 Jan 16 2020 08:58:36 crypto_archive
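The check behind the show disk0: request above (do the profile names the group-policy references correspond to XML files on flash, and which ASA images are sitting there) can be scripted. The block below is an added example for this thread, not code from the original post or from Cisco. LISTING_A is the first show disk0: output posted in the thread and LISTING_B the one the poster labelled as from the broken firewall, both copied from the page. The assumption that a profile named X is stored as disk0:/X.xml is mine for illustration: the real location is whatever the `anyconnect profiles <name> <path>` line under webvpn says, and no such line appears in either show run webvpn output in the thread. Likewise, an image being present on flash does not mean it is the running one; that is a show version / show boot question.

```python
"""Parse ASA 'show disk0:' output and check for AnyConnect profile files.

Added example for this thread, not code from the original post or from
Cisco. The two listings are copied from the thread. The disk0:/<name>.xml
naming is an assumption made for illustration only.
"""
import re

# First 'show disk0:' listing posted in the thread.
LISTING_A = """\
--#-- --length-- -----date/time------ path
12 4096 Dec 05 2016 11:06:14 log
14 2546 Nov 24 2021 14:35:11 log/asa-appagent.log
25 4096 Oct 04 2013 15:09:42 crypto_archive
28 4096 Oct 04 2013 15:09:52 coredumpinfo
29 59 Oct 04 2013 15:09:52 coredumpinfo/coredump.cfg
130 89837568 Dec 05 2016 10:41:22 asa962-smp-k8.bin
131 26053720 Dec 05 2016 10:44:46 asdm-762-150.bin
132 4096 Jan 10 2014 03:07:08 tmp
133 5205 Feb 11 2014 06:44:24 oldconfig_2014Feb11_1943.cfg
134 12998641 Oct 04 2013 15:18:02 csd_3.5.2008-k9.pkg
135 4096 Oct 04 2013 15:18:02 sdesktop
151 1462 Oct 04 2013 15:18:02 sdesktop/data.xml
136 110020608 Feb 15 2018 21:45:14 asa991-smp-k8.bin
137 74680647 Jan 21 2020 12:24:20 anyconnect-win-4.8.01090-webdeploy-k9.pkg
138 524266 Mar 04 2020 19:42:48 test.pcap
153 34143680 May 17 2022 15:38:43 asdm-7101.bin
"""

# Listing the poster labelled as from the broken firewall.
LISTING_B = """\
--#-- --length-- -----date/time------ path
100 108563072 Nov 19 2019 13:58:48 asa982-lfbff-k8.SPA
101 26970456 Nov 19 2019 13:59:18 asdm-782.bin
102 63 May 09 2022 23:13:59 .boot_string
11 4096 Nov 19 2019 14:02:28 log
111 625 Jan 24 2020 14:41:32 log/asa-appagent.log
103 74680647 Jan 22 2020 11:56:28 anyconnect-win-4.8.01090-webdeploy-k9.pkg
104 614974 Jan 24 2020 14:39:38 crashinfo_20200124_143815_UTC
105 111335824 Jan 24 2020 14:56:54 asa984-15-lfbff-k8.SPA
21 4096 Jan 16 2020 08:58:36 crypto_archive
"""

# One row: index, length, "Mon DD YYYY HH:MM:SS", path. The header row does not match.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


def parse_listing(text):
    """Return {path: length_in_bytes} for every row of a 'show disk0:' listing."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[m.group(4)] = int(m.group(2))
    return entries


def check_profiles(listing_text, profile_names):
    """Return (xml files on flash, referenced profile names with no <name>.xml).

    The <name>.xml convention is an assumption for this example; on a real
    box use the path from 'anyconnect profiles <name> <path>' under webvpn.
    """
    entries = parse_listing(listing_text)
    xml_files = sorted(p for p in entries if p.lower().endswith(".xml"))
    missing = [n for n in profile_names if f"{n}.xml" not in entries]
    return xml_files, missing


def asa_images(listing_text):
    """ASA system images on flash (asaNNN...bin/SPA); not necessarily the booted one."""
    return sorted(
        p for p in parse_listing(listing_text) if re.match(r"^asa\d+.*\.(bin|SPA)$", p)
    )


if __name__ == "__main__":
    for label, listing, names in (
        ("A", LISTING_A, ["anyconnect-vpn-company_client_profile"]),
        ("B", LISTING_B, ["Annyconnect_VPN_Profile"]),
    ):
        xml_files, missing = check_profiles(listing, names)
        print(f"{label}: xml={xml_files} missing_profiles={missing} images={asa_images(listing)}")
```

Run against the two listings from the thread, the only XML on either flash is sdesktop/data.xml (a Cisco Secure Desktop artefact, not a client profile), which is consistent with the profile editor coming up blank; and the images on flash are 9.6/9.9 on one box and 9.8 on the other, which is why the running version has to be taken from show version rather than from the directory listing.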

 

James Lytle
Level 1

Anyone have any other thoughts on this?

Sorry James... I got busy... I will look more into it while someone here tries to assist as well.

Thanks
Raminder

I understand busy! It's all good; I was just curious if anyone could explain what was up with it. Seems odd, unless it's a code version difference. The one that works is 9.10 and the one that has the web page to manually close is 9.9. I wouldn't think that would cause such a difference, but who knows.

I have seen that new page recently on a customer deployment that's using Duo SSO for SAML authentication. I wasn't sure if it was something on the SSO provider side or not. The mini-browser page does auto-close after a few seconds.

I have another customer with a different IdP for SAML auth and their website does not show the success page at all.
