Let me start by saying I feel that we have really, really done our due diligence on this issue, and we can't figure out the underlying issue. We've opened a ticket with Cisco and Microsoft, neither was conclusive.
We have AnyConnect on an Azure ASAv, running LDAP authentication against a domain-controller VM in Azure. It's working great, no issues.
We are trying to enable SAML authentication directly to Azure AD with MFA. We have largely used these guides as a reference:
- https://byteofsecurity.com/configure-azure-ad-saml-sso-with-cisco-asa/
- https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/cisco-anyconnect
(although there are a few small updates due to changes in the Azure GUI).
As part of troubleshooting I tried to follow this as well: https://www.youtube.com/watch?v=bSGjeJotO2s (it works so well for her)
We are successful right up until the very final step by AnyConnect. We get the AnyConnect login screen, we get 2FA text message, and then just as it would normally connect we get the dreaded "Authentication failed due to problem retrieving the single sign-on cookie".
We know this is a well known bug, but we don't feel it's relevant to our environment: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605/?rfs=iqvred
- we are running version 9.14(1) which is (allegedly) not an affected version.
- we have done the workaround dozens of times during troubleshooting: 1) removing the tunnel-group SAML configuration, 2) removing the SAML configuration from the webvpn, 3) reapplying the SAML config to webvpn, 4) reapplying the SAML config to the tunnel group.
- we have done a full reload, but have not experienced success.
nor is it this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw77930 (a "." in the tunnel group name)
We have confirmed and/or tested all of the following, but none had any success in fixing the issue:
- confirmed that NTP is enabled in the ASAv. The time is correct, and it matches the AnyConnect client being used for testing.
- we don't think this is a license issue, but we can't be 100% positive. When I look at currently active AnyConnect sessions, the license shows "AnyConnect Premium", which I'm pretty sure is Apex. So I think the license in use supports SAML. However, since this is an ASAv it uses SmartLicensing, and the SmartLicense portal has "AnyConnect Plus Licenses" configured, although the 'In Use' count shows 0. Unfortunately, if I try to obtain demo Apex licenses, the Cisco license portal doesn't recognize the serial number of an ASAv, presumably because it has to use SmartLicensing, so the license has to be "read" from the SmartLicense portal.
- I have enabled "no force re-authentication" under SAML config (webvpn) and that tries to use the cached login of the browser. It's not really relevant to my testing because my laptop is not a member of the domain.
The really ironic part of this is that our own corporate ASA is successfully using SAML to Azure AD. We've compared the config, and other than Azure tenant IDs, the only real difference seems to be that the ASAv is not working.
Microsoft has basically said "everything is completing as expected right up until the connection is refused by AnyConnect". Their logs indicate success at every level until AnyConnect throws the error message.
Cisco and I have gone round with about 10 things for testing (some of which I have described above).
webvpn
 {redacted for brevity; contains "anyconnect image disk0:...", "anyconnect enable", etc.}
 saml idp https://sts.windows.net/blah-abcd-1234-5678-blah/
  url sign-in https://login.microsoftonline.com/blah-abcd-1234-5678-blah/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://{this is the URL that users point AnyConnect to}
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp TrustPoint_Anyconnect
  no signature
  force re-authentication
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
tunnel-group TG_MFA type remote-access
tunnel-group TG_MFA general-attributes
 address-pool POOL_AnyConnect
 default-group-policy GP_MFA
tunnel-group TG_MFA webvpn-attributes
 authentication saml
 group-alias TestMFA enable
 saml identity-provider https://sts.windows.net/blah-abcd-1234-5678-blah/
group-policy GP_MFA internal
group-policy GP_MFA attributes
 dns-server value 172.16.0.4
 vpn-idle-timeout 1440
 vpn-session-timeout 5760
 vpn-tunnel-protocol ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnect_ST
 default-domain value internal.local
 address-pools value POOL_AnyConnect
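As an added example (not from this post, Cisco or Microsoft), a small Python checker for the consistency points the post walks through: the tunnel-group's saml identity-provider must match a webvpn saml idp entity ID exactly, the tunnel-group name must not contain a ".", and the sign-in/sign-out URLs should be well-formed and for the same tenant as the entity ID. It parses a pasted running-config; the sample inside it is a constructed stand-in modelled on the redacted config above, with a placeholder tenant ID.

```python
import re

# Constructed sample modelled on the redacted ASA config in the post; tenant id is a placeholder.
SAMPLE_CONFIG = """\
webvpn
 saml idp https://sts.windows.net/blah-abcd-1234-5678-blah/
  url sign-in https://login.microsoftonline.com/blah-abcd-1234-5678-blah/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederationwa=wsignout1.0
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp TrustPoint_Anyconnect
tunnel-group TG_MFA type remote-access
tunnel-group TG_MFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/blah-abcd-1234-5678-blah/
"""

def check_asa_saml(config: str) -> list:
    """Return human-readable findings for the SAML pieces of an ASA running-config."""
    idps, tg_idp, current, tg = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"saml idp (\S+)", line):            # start of a webvpn 'saml idp' block
            current = m.group(1); idps[current] = {}
        elif m := re.match(r"tunnel-group (\S+) \S+", line):  # any tunnel-group stanza
            tg, current = m.group(1), None
        elif m := re.match(r"(url sign-in|url sign-out|trustpoint idp|trustpoint sp) (\S+)", line):
            if current: idps[current][m.group(1)] = m.group(2)
        elif m := re.match(r"saml identity-provider (\S+)", line):
            if tg: tg_idp[tg] = m.group(1)
    findings = []
    for entity, s in idps.items():
        for key in ("url sign-in", "url sign-out", "trustpoint idp", "trustpoint sp"):
            if key not in s:
                findings.append(f"{entity}: missing '{key}'")
        # Azure AD sign-out is .../wsfederation?wa=wsignout1.0; a dropped '?' is a common paste error.
        if "wsfederation" in s.get("url sign-out", "") and "?" not in s["url sign-out"]:
            findings.append(f"{entity}: sign-out URL lacks '?' before wa=wsignout1.0")
        tenant = entity.rstrip("/").rsplit("/", 1)[-1]        # tenant id is the last path segment
        if "url sign-in" in s and tenant not in s["url sign-in"]:
            findings.append(f"{entity}: sign-in URL is for a different tenant")
    for name, entity in tg_idp.items():
        if "." in name:          # the '.'-in-tunnel-group-name bug the post links (CSCvw77930)
            findings.append(f"{name}: tunnel-group name contains '.'")
        if entity not in idps:   # must match the webvpn 'saml idp' entity id character for character
            findings.append(f"{name}: references IdP {entity} not defined under webvpn")
    return findings

if __name__ == "__main__":
    for finding in check_asa_saml(SAMPLE_CONFIG):
        print(finding)
```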
Any assistance would be appreciated. But...I've done so much poking around and trying this, then trying that, I'm getting fatigued from testing.