https://community.cisco.com/t5/network-access-control/ise-authentication-to-azure-mfa-radius-pap-only/m-p/3461413#M510888 <HTML><HEAD></HEAD><BODY><P>We would like to use Azure MFA when authenticating Anyconnect users on ASA, while also doing Posture and DACL's based on AD membership.&nbsp; <SPAN style="font-size: 10pt;">Using this doc as reference:&nbsp; </SPAN><A href="https://community.cisco.com/docs/DOC-76856">Multi-Factor Authentication with ISE.pdf</A></P><P></P><P>(1)&nbsp; Evidently MFA supports MSCHAPv2, but we only support PAP for RADIUS token servers.&nbsp; Can you verify if this is accurate?&nbsp;&nbsp; <A href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius" title="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius">https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius</A></P><P></P><P>(2)&nbsp; If true, is there any way to support MFA where we don't send full AD credentials to it?&nbsp; Any other design where we don't have to rely on PAP?</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 10 Apr 2018 23:08:44 GMT David Mitchell 2018-04-10T23:08:44Z https://community.cisco.com/t5/network-access-control/ise-authentication-to-azure-mfa-radius-pap-only/m-p/3461413#M510888 <HTML><HEAD></HEAD><BODY><P>We would like to use Azure MFA when authenticating Anyconnect users on ASA, while also doing Posture and DACL's based on AD membership.&nbsp; <SPAN style="font-size: 10pt;">Using this doc as reference:&nbsp; </SPAN><A href="https://community.cisco.com/docs/DOC-76856">Multi-Factor Authentication with ISE.pdf</A></P><P></P><P>(1)&nbsp; Evidently MFA supports MSCHAPv2, but we only support PAP for RADIUS token servers.&nbsp; Can you verify if this is accurate?&nbsp;&nbsp; <A href="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius" title="https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius">https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius</A></P><P></P><P>(2)&nbsp; If true, is there any way to support MFA where we don't send full AD credentials to it?&nbsp; Any other design where we don't have to rely on PAP?</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 10 Apr 2018 23:08:44 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-to-azure-mfa-radius-pap-only/m-p/3461413#M510888 David Mitchell 2018-04-10T23:08:44Z https://community.cisco.com/t5/network-access-control/ise-authentication-to-azure-mfa-radius-pap-only/m-p/3461414#M510889 <HTML><HEAD></HEAD><BODY><P>ASA supports multiple authentications so you could either using Azure as RADIUS server or SAMLv2 IdP directly with ASA as the first authentication and then authorize-only on ISE.</P><P></P><P>ISE protcol support is shown in Table 2 of <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5">Cisco Identity Services Engine Administrator Guide, Release 2.4 - Manage Users and External Identity Sources [Cisco Ide…</A></P><P></P><P>So ISE supports EAP-GTC and PAP with token ID sources.</P></BODY></HTML> Wed, 11 Apr 2018 03:26:34 GMT https://community.cisco.com/t5/network-access-control/ise-authentication-to-azure-mfa-radius-pap-only/m-p/3461414#M510889 hslai 2018-04-11T03:26:34Z