Configure AnyConnect on FMC with Azure AD MFA with SAML

atsukane
Level 1

Hi All,

I'm trying to configure AnyConnect VPN using Azure AD, MFA and SAML.

FMC and FTD are running 7.2.4.

I've followed this YouTube channel: the first thing on the FMC is to enrol a CA-only certificate using the Base64 cert downloaded from Azure AD (an ID certificate is not available at this stage), and this is used as the IDP in the SSO server settings. In here, I've used a 3rd-party-signed certificate for the VPN FQDN (e.g. anyconnect.corpname.com) in PKCS12 format as the Service Provider Certificate, then went on to configure a new tunnel group, but upon finishing the wizard I receive "CA Only cert Azure-AD-IDP not allowed for SSL Global Identity Certificate".

https://www.youtube.com/watch?v=G-e0drDu7fU

I'm lost as to how to complete this and enable SAML SSO with MFA.

Any suggestions are very much appreciated.

Thanks,


atsukane
Level 1

Turns out, I just needed to change the Authentication Method from "SAML" to "Client Certificate & SAML", which then allowed me to select the Identity cert that's signed by the 3rd party and I was able to finish saving the config.

[screenshot attachment: atsukane_0-1688999724941.png]

However, I'm now getting the certificate validation error from AnyConnect client.

Access from browser sends me to AD auth, but to the onprem ADFS server rather than Azure AD.

Not sure if this is us being the Hybrid environment or something else.

I'll have a chat with MS guys and report back.

Thanks,

In the end, I've given up on Azure AD SAML and used the on-prem NPS server with the Azure connector. I used this method while we were on ASA and the same method still works.

I'll revisit the Azure AD SAML auth at a later date when our MS guy comes back from holiday.

Pavan Gundu
Cisco Employee

The SP cert would be the SSL cert of the device (can be different as well, but in most deployments we keep it same as the SSL certificate of the device), and the Azure IDP cert will be the CA-Only trustpoint you created. 

From the log you shared, "CA Only cert Azure-AD-IDP not allowed for SSL Global Identity Certificate" makes sense, since you are trying to bind a trustpoint which doesn't have an ID cert. You would need to bind the trustpoint which has the ID cert for SSL and as the SP trustpoint in the SAML SSO config.
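As an added example (not from the thread and not Cisco's code), here is a small openssl check that classifies a certificate file the way the FMC wizard does: a cert with its matching private key can be the SSL / SAML SP identity certificate, while a cert on its own (such as the Base64 signing cert downloaded from Azure AD) can only be enrolled as a CA-only trustpoint for the IdP. It assumes openssl is on PATH and the input is PEM or PKCS#12; the file names and password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tell an identity certificate (cert plus
# matching private key, usable as the FTD SSL / SAML SP certificate) apart
# from a CA-only certificate (cert without key, such as the Azure AD signing
# cert, which can only be enrolled as a trustpoint that verifies the IdP).
# Usage: classify_cert FILE [PKCS12-PASSWORD]
classify_cert() {
  f="$1"
  pass="${2:-}"
  [ -r "$f" ] || { echo "UNREADABLE"; return 1; }
  if grep -q -- '-----BEGIN' "$f"; then
    pem=$(cat "$f")
  else
    # Not PEM: treat it as PKCS#12 (the format the FMC wizard takes for the
    # SP certificate) and unpack it to PEM with the key left unencrypted.
    pem=$(openssl pkcs12 -in "$f" -nodes -passin "pass:$pass" 2>/dev/null) \
      || { echo "NO_CERT"; return 1; }
  fi
  # Public key taken from the certificate itself.
  cert_pub=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey 2>/dev/null) \
    || { echo "NO_CERT"; return 1; }
  # Public half of whatever private key travels in the same bundle, if any.
  key_pub=$(printf '%s\n' "$pem" | openssl pkey -pubout 2>/dev/null) || key_pub=""
  if [ -z "$key_pub" ]; then
    # Cert only: enrol as CA-only (IdP trustpoint). The wizard refuses such a
    # trustpoint as the SSL identity certificate, which is the error in the thread.
    echo "CA_ONLY"
  elif [ "$key_pub" = "$cert_pub" ]; then
    echo "ID_CERT"
  else
    # A key is present but belongs to some other certificate: the bundle was
    # built from the wrong key and will not work as an identity cert either.
    echo "KEY_MISMATCH"
  fi
  return 0
}

if [ "$#" -gt 0 ]; then
  classify_cert "$@"
fi
```

Run it against the PKCS12 you intend to use as the SP certificate and against the Azure AD download: only a file reported as ID_CERT can be bound as the SSL Global Identity Certificate.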