Using Azure Active Directory single sign-on (SSO) with Cisco AnyConnect

May 6, 2024

We have a lot of clients that use AnyConnect as a VPN client asking us to enable MFA on their VPN. Most of them are already using MFA with Azure AD, so it makes sense to move their VPN authentication to AAD from on-premises.

There are advantages to moving from on-premises RADIUS authentication to Azure AD using SAML:

  • Control in Azure AD who has access to Cisco AnyConnect with a bit more granularity. 
  • Enable your users to be automatically signed-in to Cisco AnyConnect with their Azure AD accounts. 
  • Manage your accounts centrally in the Azure portal. 
  • Simplified viewing and tracking of user logins without collecting logs from an Active Directory server. 

To get started, you need the following items:

1. An Azure AD subscription. If you don’t have one, you can get a free account here.

2. A Cisco AnyConnect single sign-on (SSO) enabled subscription. The app is free from the gallery. 

3. Cisco ASA firmware 9.7(1) or higher – hopefully you’re above that!

Note: to support a load-balanced VPN configuration, your ASA must run ASA 9.16 or later. 

    Once you’re ready to go, the first step is to add the Cisco AnyConnect app to Azure AD from the Application Gallery. 

      1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 
      2. On the left navigation pane, select the Azure Active Directory service. 
      3. Navigate to Enterprise Applications and then select All Applications. 
      4. To add new application, select New application. 
      5. In the Add from the gallery section, type Cisco AnyConnect in the search box. 
      6. Select Cisco AnyConnect from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 

    Now we have to configure and enable the AnyConnect Integration.

      1. In the Azure portal, on the Cisco AnyConnect application integration page, find the Manage section and select single sign-on. 
      2. On the Select a single sign-on method page, select SAML. 
      3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings. 
    [Screenshot: Set up single sign-on with SAML]

    4. On the Set up single sign-on with SAML page, enter the values for the following fields:

    In the Identifier text box, type a URL using the following pattern:

    [Screenshot: Identifier text box pattern]

    In the Reply URL text box, type a URL using the following pattern:

    [Screenshot: Reply URL text box pattern]

    Note: <Tunnel_Group_Name> is case-sensitive and the value must not contain dots “.” and slashes “/”.

    You will also need to create an app for each tunnel-group you have if you are using multiple profiles.

    5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate file and save it on your computer.

    [Screenshot: tunnel-group app creation (SAML)]

    6. On the Set up Cisco AnyConnect section, copy the appropriate URL(s) based on your requirement.

    Now we need to add either a test user or the group we want to enable for the VPN to the Cisco AnyConnect application.

      1. In the Azure portal, select Enterprise Applications, then select All applications.
      2. In the applications list, select Cisco AnyConnect.
      3. In the app’s overview page, find the Manage section and select Users and groups.
      4. Select Add user, then select Users and groups in the Add Assignment dialog.
      5. In the Users and groups dialog, select your test user or VPN group from the Users list, then click the Select button at the bottom of the screen.
      6. If you are expecting a role to be assigned to the users, you can select it from Select a Role. If no role has been set up for this app, you see the “Default Access” role selected. Normally there is no additional role to assign.
      7. In the Add Assignment dialog, click the Assign button.

    Now we’re configuring the ASA for SAML auth. The CLI is the fastest way, but it can also be done with ASDM; that will be another article later.


    1. First, create a trustpoint and import the SAML certificate you downloaded from Azure AD.

    [Screenshot: create trustpoint and import SAML certificate]

    2. The following commands provision your SAML IdP.

    [Screenshot: provision your SAML IdP]

    3. Now you can apply SAML authentication to a VPN tunnel configuration.

    [Screenshot: apply SAML authentication to the VPN tunnel configuration]

    4. Then apply it to your tunnel group and you’re set. When you log in to that tunnel group, you’ll be redirected to an Azure sign-in page.

    [Screenshot: apply SAML authentication to the tunnel group]
    [Screenshot: redirect to the Azure sign-in page]

    If you need to make changes to the IdP configuration, like update the idP certificate, you need to remove the SAML identity-provider configuration from your Tunnel Group and re-apply it for the changes to become effective.
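    As an added example, not the article’s own screenshots, here is what ASA steps 1 through 4 and the re-apply caveat above look like as an ASA CLI configuration. The tenant ID, the VPN FQDN vpn.example.com, the tunnel group AC-SAML and the trustpoint names are placeholders; the Azure AD entity ID and sign-in/sign-out URLs are the values copied in step 6 of the Azure setup, and base-url must match the host used in the Identifier and Reply URL you entered in Azure.

```text
! Step 1: trustpoint holding the Azure AD SAML signing certificate (Base64 file from step 5).
! Azure AD's signing cert is self-signed, so revocation checking is disabled for this trustpoint only.
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-AC-SAML
<paste the contents of the downloaded Base64 certificate here, then type quit>

! Step 2: define the IdP. The entity ID must match the Azure AD Identifier exactly,
! including the trailing slash, or assertions will be rejected.
webvpn
 saml idp https://sts.windows.net/<TENANT_ID>/
  url sign-in https://login.microsoftonline.com/<TENANT_ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASA-EXTERNAL-CERT
  no force re-authentication
  no signature
  base-url https://vpn.example.com

! Steps 3 and 4: bind the IdP to the tunnel group and switch it to SAML authentication.
! The tunnel group name is case-sensitive and may not contain dots or slashes.
tunnel-group AC-SAML webvpn-attributes
 saml identity-provider https://sts.windows.net/<TENANT_ID>/
 authentication saml

! After changing the IdP definition (for example rotating its certificate),
! remove and re-apply the binding so the tunnel group picks up the change.
tunnel-group AC-SAML webvpn-attributes
 no saml identity-provider https://sts.windows.net/<TENANT_ID>/
 saml identity-provider https://sts.windows.net/<TENANT_ID>/
```

    ASA-EXTERNAL-CERT stands for the trustpoint that holds the ASA’s own identity certificate for the VPN interface; with “force re-authentication” enabled instead of disabled, every new VPN connection gets a fresh Azure AD sign-in rather than reusing the browser’s existing session.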