on 01-12-2018 08:54 AM - edited on 02-23-2022 08:32 AM by thomas
Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.
I have followed this guide, but Azure MFA is still not functioning with ISE. When the Azure MFA server is removed from the process, authentication and authorization happen successfully. When the Azure MFA server is part of the process, authentication fails immediately.
@McDVOICE wrote: Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.
When the Azure MFA server is removed from the process, authentication and authorization happen successfully. When the Azure MFA server is part of the process, authentication fails immediately.
We use the MFA on-prem; we are moving to an off-prem server. I have not tested it yet, but we have a direct connection to where the off-prem server is going to be.
We do not use TACACS for device access; I have found that with this configuration it does not work. I have not had time to work on that part.
With AnyConnect, if you use codes, the ASA will ask for a code, as will Cisco devices that are being accessed with multifactor, as long as you are using RADIUS and PAP_ASCII. In the ISE documentation, the last time I looked, MSCHAPv2 does not support an external RADIUS server.
I am going to change the email address I use for these because it is an older one. If you guys could show me how you have your MFA server configured and what protocol you are using (TACACS or RADIUS) that may help. I will take that info and update the document.
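As an added illustration of why the reply above says the external MFA token server only works with RADIUS PAP_ASCII and not MSCHAPv2: under PAP the User-Password attribute is hidden with the shared secret (RFC 2865 section 5.2), so ISE can recover the cleartext and re-hide it for the upstream token server, which then sees the password (or password+OTP) it needs to evaluate. Under MSCHAPv2 only a challenge/response derived from the NT hash travels in the packet, which a separate server cannot verify. This is example code written for this thread, not anything from the original post or from Cisco; the shared secrets and authenticators are constructed values.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with MD5(secret + previous block)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block  # ciphertext block feeds the next MD5 (CBC-style chaining)
    return out


def recover_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; any RADIUS hop with the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip RFC padding (passwords may not end in NUL)


def proxy_rehide(hidden_from_nas: bytes, nas_secret: bytes, nas_authenticator: bytes,
                 token_server_secret: bytes) -> tuple[bytes, bytes]:
    """What ISE does when forwarding to a RADIUS Token Server: unhide with the NAS secret,
    then re-hide with the token server's secret under a fresh Request Authenticator."""
    cleartext = recover_user_password(hidden_from_nas, nas_secret, nas_authenticator)
    upstream_authenticator = secrets.token_bytes(16)
    return upstream_authenticator, hide_user_password(cleartext, token_server_secret, upstream_authenticator)


if __name__ == "__main__":
    nas_secret, mfa_secret = b"constructed-asa-secret", b"constructed-mfa-secret"  # constructed values
    ra = secrets.token_bytes(16)
    from_asa = hide_user_password(b"hunter2 123456", nas_secret, ra)  # constructed password+OTP
    up_ra, to_mfa = proxy_rehide(from_asa, nas_secret, ra, mfa_secret)
    print(recover_user_password(to_mfa, mfa_secret, up_ra))  # token server sees the cleartext
```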
Hi Richard,
Have you managed to test integration of ISE and Cloud Azure MFA? We have a solution we would like to test and it involves ASA, ISE 2.4, AnyConnect and Cloud Azure.
Thanks
Hi tebogo pholo1, We currently use an on-prem MFA. We are moving to a Cloud Azure MFA, but we have a direct connect, so it should just be us pointing to the new server IPs. Our cloud MFA server is going to be built just like our on-prem MFA server. When we do make that change I can update this and let you know how it went. We were going to test it before the whole COVID-19 thing. The way I test the MFA servers is with a test ISE appliance and some other devices like an ASA or switch, and have it connect directly to the MFA server.
@Richard Lucht wrote: Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.
Hi Richard,
Have you tested your ISE with cloud Azure MFA yet? We're also investigating this setting. However, a Cisco rep told us that ISE can't send a second authentication request to Cloud Azure MFA. I look forward to your response.
Thanks,
Vanessa
We just set up the new cloud Azure connection. Right now we are going over failover testing with the 2 servers. We are experiencing some issues during the failover. We are adjusting our timers to see if we can get this to work properly. I will provide some documentation on the setup. On the ISE side I just set the servers up as another RADIUS Token Server.
Hi Richard,
Do you have a virtual server on the Azure cloud side which does MFA? Or do you use the MFA service in the Azure cloud?
We're using the Azure MFA service, and it seems that we can't set it up as another RADIUS Token Server on ISE.
Thanks,
Vanessa
Hi @Richard Lucht ,
How did you go with Azure cloud MFA? Could you suggest if there are any updates to the provided steps listed in the PDF?
Hi @suschoud
I really need to check my settings here; I am not getting emails on comments. Our testing went well; we had to adjust our timers on the ASA and ISE. We will be moving to the Azure Cloud MFA soon.
Hi @Richard Lucht , We have a similar situation and want to integrate ISE 2.4 with Microsoft Cloud Azure for 2FA authentication. Did you manage to get this working in your environment? If yes, can you please advise how you got this working?
I know this is an older post, but I too am curious about getting AnyConnect connecting to ASA (soon to be FTD/Secure Firewall) authenticating through ISE using Azure Cloud MFA.
Most things I have read up to now say that you configure the ASA to do the actual Azure MFA call, and let ISE do the authorization piece.
That itself seems to be OK; however, my concern is that we use ISE-PIC pxGrid to also coordinate user-to-IP mapping for FMC-based URL filtering. So if ISE isn't doing the actual RADIUS authentication for users (in this specific case VPN users), how does ISE/FMC track that mapping?
OK, so my only experience with what you are trying to achieve is that the authentication in ISE will handle the multifactor. I kept it off the ASA.
I did integrate FortiManager to ISE using pxGrid and then associate the user to an SGT. Those tags then can be populated in the FortiManager to tie usernames to IPs. That is where we could use those tags as source rules in the FortiManager instead of IP addresses. It has been some time since I have been able to work on this.
The authentication rule has the callout to the MFA RADIUS server, and then the authorization rule assigns the SGT. SGTs are populated in Forti firewalls through FortiManager, and rules can be made.