Meraki client VPN can now authenticate users against SAML in Microsoft Azure (Azure AD). This pairing removes the last on-premises or cloud authentication server that many of our clients were keeping alive purely for VPN logins, which lets them move to fully serverless Azure environments. It is accomplished by creating an enterprise application in your Azure tenant that connects the two sides. You then assign users or groups to that application, and only those assigned identities can authenticate to the VPN.
How to Enable Meraki VPN with SAML
For many years, the only ways to authorize a client VPN through Meraki were to point the MX at LDAP or RADIUS (running on a physical or virtual server) or to create local accounts on the firewall for VPN access. Where clients already have an Active Directory domain, LDAP and RADIUS let users log in to the VPN with their domain credentials. This has been my preferred way of configuring VPNs because of the simplicity for the user and the security that comes with domain practices (central password policy, account lockout, and disabling a departed user in one place). The drawback has always been the requirement for a server, either on premises or in the cloud, to handle the authentication.
Up until now, there was no way to move clients to a fully serverless environment without converting their VPN accounts to local accounts on the MX. As you can imagine, configuring local VPN accounts for 50+ users is daunting, and maintaining them is worse: every password change and every offboarding becomes a manual edit on the firewall.
With the AnyConnect VPN client on Meraki and SAML from Microsoft Azure, users establish a VPN connection with their existing Office 365 email address and password. Single Sign On is available as well, which adds even more convenience to the user's experience. For the past several years, two things have kept clients from migrating to cloud environments: legacy software applications that are not supported in the cloud, and the lack of scalable authentication for VPN connections (local VPN users work, but they do not scale). SAML authentication uses Azure AD security groups much like domain security groups on a domain controller, so the familiar workflow of granting VPN access by group membership is preserved.
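The following PowerShell is an added example for this post, not part of the original article or of Meraki's or Microsoft's documentation. It audits the Azure AD enterprise application that fronts the SAML login: it checks that user assignment is actually required (without that setting, assigning groups is cosmetic, because any tenant user can still sign in) and lists the users and groups currently assigned. It assumes the Microsoft.Graph PowerShell module is installed and that the enterprise application was registered under the display name shown, which is a hypothetical name to replace with your own.

```powershell
# Added example (not from the original post): audit the Azure AD enterprise
# application used for Meraki AnyConnect SAML authentication.
# Assumptions: Microsoft.Graph PowerShell module is installed; the enterprise
# application's display name is the hypothetical value below.
$AppDisplayName = 'Meraki AnyConnect VPN'

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# The "Enterprise application" blade corresponds to a service principal object.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) {
    throw "No enterprise application named '$AppDisplayName' was found in this tenant."
}

# Security check: "User assignment required?" must be Yes. Otherwise every
# user in the tenant can complete the SAML login to the VPN, regardless of
# which users or groups were assigned to the application.
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Warning "'$AppDisplayName' does not require user assignment; any tenant user can authenticate to the VPN."
} else {
    Write-Host "'$AppDisplayName' requires user assignment (good)."
}

# List who is actually assigned so it can be compared against the intended
# VPN user population. Group assignments show up with PrincipalType 'Group'.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Sort-Object PrincipalType, PrincipalDisplayName |
    Format-Table -AutoSize
```

Run this after the initial setup and again whenever VPN access is changed. If the warning fires, turn on "User assignment required?" in the enterprise application's Properties blade before relying on group membership to control who can reach the VPN.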
Meraki Support
Keep in mind that this feature is not self-service: it must be enabled by Meraki Support, so open a case with them to have it turned on for your organization. It also requires MX firmware 16.14 or later on the 16.x release train, or 17.5 or later on 17.x; check the firmware version of each MX before scheduling the cutover.
Meraki's step-by-step instructions for setting up SAML authentication for the AnyConnect VPN client are here: https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration
Have any questions about enabling SAML authentication for Meraki VPN? Feel free to reach out to one of our IT and security experts at any time!
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.