
Trying to get AnyConnect working with Microsoft Azure MFA

buggy1
Level 1

Good day!

 

I am trying to get AnyConnect working with Microsoft Azure MFA.

Cisco has a very useful article, which I followed:

Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML - Cisco

But after allowing the login with the Authenticator, I get a Cisco AnyConnect Login window with XML in it, but no login.

This is the text:

<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://gw.loc.acme.com/saml/sp/metadata/AnyConnect-O365">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>Cert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/acs?tgname=AnyConnect-O365" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
    <SingleLogoutService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor>
</EntityDescriptor>

 

I have enabled logging on the ASA:

[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365
#0x00007fae66ab8320 (POST). Request line:/saml/sp/metadata/AnyConnect-O365
#0x00007fae66ab8320 File to execute: /saml/sp/metadata/AnyConnect-O365
SAML AUTH: SAML hash table cleanup periodic task

 

What could I have done wrong?

Thanks!

 

- Jac
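An added example, not from this thread, Cisco or Microsoft: a small Python sanity check over an ASA SP metadata document like the one the gateway served above. It parses the XML, requires WantAssertionsSigned="true", checks that every ACS/SLO endpoint is HTTPS on the expected gateway hostname (assumed here to be gw.loc.acme.com, as in the post), and verifies that the KeyDescriptor certificate decodes to DER; the constructed sample keeps the redacted "Cert" placeholder, which the check flags.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the SP metadata from the post, minus the SLO entries, cert left as "Cert".
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://gw.loc.acme.com/saml/sp/metadata/AnyConnect-O365">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true" AuthnRequestsSigned="false">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>Cert</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gw.loc.acme.com/+CSCOE+/saml/sp/acs?tgname=AnyConnect-O365"
        isDefault="true" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Return a list of findings; an empty list means the SP metadata looks sane."""
    findings = []
    sp = ET.fromstring(xml_text).find(f"{MD}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]
    # Assertions carry the authenticated identity, so the SP must demand a signature.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    # Every endpoint the IdP will post to must be HTTPS on the gateway's own hostname.
    endpoints = sp.findall(f"{MD}AssertionConsumerService") + sp.findall(f"{MD}SingleLogoutService")
    for ep in endpoints:
        loc = urlparse(ep.get("Location", ""))
        if loc.scheme != "https" or loc.hostname != expected_host:
            findings.append(f"endpoint not https on {expected_host}: {loc.geturl()}")
    # The signing cert must be real base64 DER; a redacted or empty value fails here.
    certs = sp.findall(f"{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if not certs:
        findings.append("no X509Certificate in KeyDescriptor")
    for cert in certs:
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # every DER X.509 certificate opens with a SEQUENCE tag
            findings.append("X509Certificate is not a base64 DER certificate")
    return findings
```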

4 Replies

Dinesh Moudgil
Cisco Employee

Hi Jac,

 

I have tested this and it works fine. Please review this doc from MS:
https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/cisco-anyconnect
and the video from our TME team:
https://youtu.be/bSGjeJotO2s
In most cases, the issues are related to incorrect attributes.

 

If everything is set correctly, could you please do the test again with debugs enabled for SAML?

 

debug webvpn saml 255

debug webvpn anyconnect 255

 

 

Thank you,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks, Dinesh, for your reply!

 

I had already seen the configuration, it was essentially what I had done.

What I noticed in the video was that she did this under webvpn:
trustpoint idp AzureAD-AC-SAML
trustpoint sp AzureAD-AC-SAML

instead of

trustpoint idp AzureAD-AC-SAML
trustpoint sp gw_loc_acme_com.trustpoint

The latter is what the instructions suggest.

 

When I try to log in again, I see this:

gw# debug webvpn saml 255
INFO: debug webvpn saml enabled at level 255.
gw# debug webvpn anyconnect 255
INFO: debug webvpn anyconnect enabled at level 255.
gw# SAML AUTH: SAML hash table cleanup periodic task
Feb 24 18:57:38 [Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=670:obj=unknown:subj=key != NULL:error=100:assertion:

Feb 24 18:57:38
[SAML] build_authnrequest:
https://login.microsoftonline.com/4ea20418....
[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task

 

Feb 24 18:57:38 [Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=670:obj=unknown:subj=key != NULL:error=100:assertion:

The word 'error' appears in this line, but is it an error? And what does it mean?

 

- Jac

 

The error is due to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu66512/?rfs=iqvred

 

These messages show an authentication request:

[SAML] build_authnrequest:
https://login.microsoftonline.com/4ea20418....
[SAML] saml_is_idp_internal: getting SAML config for tg AnyConnect-O365

 

In response, you'd expect a SAML response from Azure. Can you please check what you see on Azure with respect to this authentication request?

 

Also, if you have made any changes, please make sure to reapply the changes before testing further.
Please refer to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605/?rfs=iqvred

 

Thank you,

Dinesh Moudgil

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello,

 

I had the same problem. I turned off Cisco AnyConnect in Enterprise Applications in Azure, re-enabled it, and did all the configuration from scratch. After that it started working.