Cisco AnyConnect VPN FTD integration with Azure AD SAML

devnetwise (Level 1)

Hi fellow users,

I'm running into an issue and I hope someone can point me in the right direction.

I have configured Azure AD SSO and MFA together with Cisco AnyConnect VPN on FTD and it's working fine. I have two different internet connections for fallback if the primary line is down. How do I configure this kind of redundancy while integrating Cisco AnyConnect VPN with Azure AD SSO?

In the Azure AD portal you add an enterprise application (Cisco AnyConnect in this case), then an Azure AD Identifier is created, and then we should enter the base VPN URL.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

I have created two enterprise applications for Cisco AnyConnect with two different VPN base URLs (one each for the two different internet connections).

On Cisco FMC I created two SAML SSO servers and want to create two VPN profiles, one each for the two different internet connections. When I try to deploy I'm getting an error that the Azure AD Identifiers are identical!

Can anyone help me with how to solve this issue, or maybe there is a better way to solve it?

Sincerely,

Sal
4 Replies

Hi,

But why did you create two SSO IdP objects? You should create one for Azure and use it in both VPN profiles. The IdP details will be the same for both profiles, so you don't need to duplicate. You just need to reuse.

On the Azure side keep both applications for the different VPN URLs, but on FTD you can use a single SSO IdP and share it with both VPN profiles.

**** please remember to rate useful posts

Hi Mohammad,

Thanks for your reply. I have tried to leave the base URL blank, but when I try to connect to one of the two Cisco AnyConnect VPN URLs (https://ftd.lab.local and https://fallbackvpn.lab.local), it gives a certificate error and it stops working. The screenshot is just an example. I'm using a wildcard certificate signed by a 3rd-party CA.

[Attachment: Screenshot 2021-11-02 092021.png]

Regards,

Sal

Ok, now I got your question. Try to leave it blank and it should pick the FQDN from each FTD.

***** please remember to rate useful posts

dtfletch83 (Level 1)

Hi Sal,

I'm trying to do the same thing at the moment. How'd you end up getting around this?

I'm still in the planning stage, so I haven't tried any config just yet, but can you have multiple Entity IDs and Reply URLs in one AAD Enterprise App?

e.g.

https://FTD1.test.com/saml/sp/metadata/<TUNNEL-GROUP>
and
https://FTD2.test.com/saml/sp/metadata/<TUNNEL-GROUP>

Alternatively, I assume using the override feature when you define the Single Sign-on Server on the FMC might also be an option?
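To make the Identifier clash from the first post concrete, here is an added example (not code from the thread, from Cisco, or from Microsoft) in Python. It parses SAML SP metadata whose entityID has the form quoted above (https://<FQDN>/saml/sp/metadata/<TUNNEL-GROUP>) and cross-checks it against two Azure enterprise-app definitions: it flags two apps that share one Identifier (the deploy error Sal hit) and an FTD whose entityID or assertion-consumer URL is covered by no app. Everything in it is constructed or assumed: the hostnames FTD1.test.com and FTD2.test.com, the tunnel group RA-VPN, the app names, the metadata documents, and the `/+CSCOE+/saml/sp/acs?tgname=` path used as the ACS Location, which is an assumption and not taken from the thread. It also assumes one Identifier per enterprise app.

```python
"""Cross-check FTD SAML SP metadata against Azure AD enterprise-app settings.

Added example for this thread, not code from Cisco, Microsoft or the posters.
The metadata documents and app settings are constructed; the entityID form follows
the URLs quoted in the thread, the AssertionConsumerService path is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


@dataclass
class SpMetadata:
    entity_id: str
    acs_urls: list = field(default_factory=list)


def constructed_sp_metadata(fqdn: str, tunnel_group: str) -> str:
    """Constructed SP metadata in the shape an FTD publishes (ACS path assumed)."""
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://{fqdn}/saml/sp/metadata/{tunnel_group}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{fqdn}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> SpMetadata:
    """Extract entityID and every AssertionConsumerService Location from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    acs_urls = [acs.get("Location", "")
                for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return SpMetadata(entity_id, acs_urls)


def check_sp_against_apps(sps, apps):
    """Return findings as strings; an empty list means SPs and apps are consistent.

    `apps` maps an Azure enterprise-app name to {"identifier": str, "reply_urls": [str]}.
    Assumes one Identifier per app, which is what the deploy error in the thread implies.
    """
    findings = []
    seen = {}
    # Two enterprise apps must not be registered with the same Identifier.
    for name, cfg in apps.items():
        ident = cfg["identifier"]
        if ident in seen:
            findings.append(f"identical Identifier {ident!r} in apps {seen[ident]!r} and {name!r}")
        seen.setdefault(ident, name)
    # Each FTD's entityID must match an app, and its ACS URL must be one of that app's Reply URLs.
    for sp in sps:
        matches = [n for n, c in apps.items() if c["identifier"] == sp.entity_id]
        if not matches:
            findings.append(f"no Azure app has Identifier {sp.entity_id!r}")
            continue
        app = apps[matches[0]]
        sp_host = urlsplit(sp.entity_id).hostname
        for acs in sp.acs_urls:
            if acs not in app["reply_urls"]:
                findings.append(f"ACS {acs!r} is not a Reply URL of app {matches[0]!r}")
            # The ACS host must be the FQDN the client actually connects to.
            if urlsplit(acs).hostname != sp_host:
                findings.append(f"ACS {acs!r} host differs from entityID host {sp_host!r}")
    return findings


def azure_app(fqdn: str, tunnel_group: str) -> dict:
    """Constructed enterprise-app settings matching one FTD head."""
    return {"identifier": f"https://{fqdn}/saml/sp/metadata/{tunnel_group}",
            "reply_urls": [f"https://{fqdn}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}"]}


FTD1, FTD2, TG = "FTD1.test.com", "FTD2.test.com", "RA-VPN"  # constructed names
SPS = [parse_sp_metadata(constructed_sp_metadata(FTD1, TG)),
       parse_sp_metadata(constructed_sp_metadata(FTD2, TG))]

# Correct layout: one enterprise app per VPN head, each with its own Identifier.
AZURE_APPS_OK = {"AnyConnect-primary": azure_app(FTD1, TG),
                 "AnyConnect-fallback": azure_app(FTD2, TG)}

# Misconfiguration mirroring the thread: the fallback app copied the primary Identifier.
AZURE_APPS_DUPLICATE = {
    "AnyConnect-primary": azure_app(FTD1, TG),
    "AnyConnect-fallback": {**azure_app(FTD2, TG),
                            "identifier": azure_app(FTD1, TG)["identifier"]},
}

if __name__ == "__main__":
    for label, apps in (("ok", AZURE_APPS_OK), ("duplicate", AZURE_APPS_DUPLICATE)):
        print(label, check_sp_against_apps(SPS, apps) or "consistent")
```

Run against the duplicated layout it reports the shared Identifier and then that the second FTD's entityID matches no app, which is the situation FMC refuses to deploy; with distinct Identifiers per app it reports nothing.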