02-24-2021 07:53 AM - edited 02-24-2021 09:00 AM
Good day!
I am trying to get AnyConnect working with Microsoft Azure MFA.
Cisco has a very useful article which I followed:
Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML - Cisco
But after allowing the login with the Authenticator, I get a Cisco AnyConnect login window with XML in it, but no login.
This is the text:
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://gw.loc.acme.com/saml/sp/metadata/AnyConnect-O365">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>Cert
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/acs?tgname=AnyConnect-O365" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
    <SingleLogoutService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor>
</EntityDescriptor>
I have enabled logging on the ASA:
[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365
#0x00007fae66ab8320 (POST). Request line:/saml/sp/metadata/AnyConnect-O365
#0x00007fae66ab8320 File to execute: /saml/sp/metadata/AnyConnect-O365
SAML AUTH: SAML hash table cleanup periodic task
What could I have done wrong?
Thanks!
- Jac
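Added example (not from this thread, Cisco's article or the ASA itself): a Python check that parses SP metadata shaped like the XML above and compares it with the Identifier and Reply URL entered in the Azure enterprise application, since a mismatch between those values is a common reason a SAML login never completes. The sample metadata, the tunnel-group name and the Azure-side values are constructed.

```python
# Added example: cross-check ASA SAML SP metadata against Azure app settings.
# Sample metadata and the Azure values are constructed, not taken from a device.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like the metadata an ASA publishes per tunnel group.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://gw.loc.acme.com/saml/sp/metadata/AnyConnect-O365">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
   WantAssertionsSigned="true" AuthnRequestsSigned="false">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <AssertionConsumerService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/acs?tgname=AnyConnect-O365"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
 </SPSSODescriptor>
</EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Return the two values an IdP must be told about this SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    # Only the HTTP-POST ACS is what Azure posts the SAML response to.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST]
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs[0].get("Location") if acs else None,
    }

def check_against_azure(xml_text, tunnel_group, azure_identifier, azure_reply_url):
    """List mismatches between the ASA metadata and the Azure enterprise app."""
    m = parse_sp_metadata(xml_text)
    findings = []
    if not (m["entity_id"] or "").endswith("/saml/sp/metadata/" + tunnel_group):
        findings.append("entityID does not name tunnel group " + tunnel_group)
    tg = parse_qs(urlparse(m["acs_url"] or "").query).get("tgname", [None])[0]
    if tg != tunnel_group:
        findings.append("ACS tgname %r != tunnel group %r" % (tg, tunnel_group))
    if m["entity_id"] != azure_identifier:
        findings.append("Azure Identifier differs from ASA entityID")
    if m["acs_url"] != azure_reply_url:
        findings.append("Azure Reply URL differs from ASA ACS Location")
    return findings
```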
02-24-2021 09:40 AM
Hi Jac,
I have tested this and it works fine. Please review this doc from MS
https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/cisco-anyconnect
and video from our TME team
https://youtu.be/bSGjeJotO2s.
In most cases, the issues are related to incorrect attributes.
If everything is set correctly, could you please do the test again with debugs enabled for SAML?
debug webvpn saml 255
debug webvpn anyconnect 255
Thank you,
Dinesh Moudgil
P.S. Please rate helpful posts.
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
02-24-2021 11:07 AM
Thanks, Dinesh, for your reply!
I had already seen the configuration, it was essentially what I had done.
What I noticed in the video was that she did this under webvpn:
trustpoint idp AzureAD-AC-SAML
trustpoint sp AzureAD-AC-SAML
instead of
trustpoint idp AzureAD-AC-SAML
trustpoint sp gw_loc_acme_com.trustpoint
The latter is what the instructions suggest.
When I try to log in again, I see this:
gw# debug webvpn saml 255
INFO: debug webvpn saml enabled at level 255.
gw# debug webvpn anyconnect 255
INFO: debug webvpn anyconnect enabled at level 255.
gw# SAML AUTH: SAML hash table cleanup periodic task
Feb 24 18:57:38 [Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=670:obj=unknown:subj=key != NULL:error=100:assertion:
Feb 24 18:57:38
[SAML] build_authnrequest:
https://login.microsoftonline.com/4ea20418....
[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
Feb 24 18:57:38 [Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=670:obj=unknown:subj=key != NULL:error=100:assertion:
There is the word 'error' in this line, but is it one? And what does it mean?
- Jac
02-25-2021 04:20 AM
The error is due to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu66512/?rfs=iqvred
These messages show an authentication request
[SAML] build_authnrequest:
https://login.microsoftonline.com/4ea20418....
[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365
In response, you'd expect a SAML response from Azure. Can you please check what you see on Azure with respect to this authentication request?
Also, if you have made any changes, please make sure to reapply the changes before testing further.
Please refer to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605/?rfs=iqvred
Thank you,
Dinesh Moudgil
01-11-2022 11:43 AM
Hello,
I had the same problem. I turned off Cisco AnyConnect in Enterprise Applications in Azure, re-enabled it and did all the configuration from scratch. After that, it started working.