topic Re: ISE Integration - Azure MFA (Cloud Only Deployment) in Network Access Control

ISE Integration - Azure MFA (Cloud Only Deployment)

Sloanstar — Thu, 12 Jul 2018 16:09:23 GMT

Looking into an Azure MFA Cloud deployment and there seems to be some specific NPS server requirements if we want to leverage the solution, at least according to Microsoft.

Documentation:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

We already have an enterprise solution for RADIUS (ISE), scaling out another set of servers/infrastructure for this simple purpose is undesirable. Has anyone deployed this using ISE (not sure that's possible)? Is the PD team working with Microsoft PD to provide a solution using ISE?

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

kvenkata1 — Thu, 12 Jul 2018 22:59:00 GMT

Please take a look at this post

ISE using Azure MFA and AD

- Krish

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

kvenkata1 — Thu, 12 Jul 2018 23:05:45 GMT

One more post on the same topic.

ISE Authentication to Azure MFA - RADIUS PAP Only?

- Krish

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

Sloanstar — Fri, 13 Jul 2018 21:02:13 GMT

Thanks Krish, these cover what Microsoft terms Hybrid MFA deployment requiring an MFA server on premise. For Cloud MFA, that's where the NPS servers come in. Any chance to get the ISE team to talk with Microsoft to see what would be required to get the NPS capability into ISE?

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

hslai — Sat, 14 Jul 2018 16:48:33 GMT

Thanks a lot for your post. I will relay your inquiry to our product management team. Please note that ISE not currently supporting multiple authentications other than EAP chaining and CWA chaining.

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

Sloanstar — Mon, 16 Jul 2018 13:37:28 GMT

This seems more of a RADIUS proxy configuration, but there also seems to be some https calls that are exchanged as well, perhaps for azure account verification? MS would need to fill in the blanks. Thanks for passing it along.

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

mumustha — Thu, 15 Aug 2019 04:32:26 GMT

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

usmcjohn — Tue, 11 Feb 2020 11:07:25 GMT

We leverage Azure MFA for ISE/TACACS authentication. We had it setup in ACS 5.4 and migrated it to ISE. Simple to setup. We verify an network engineer is in the correct AD group and prompt them for second factor before they can log into a CLI for switch/router as well for web gui's on cisco prime and wireless controllers.

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

bmoore821 — Thu, 02 Apr 2020 01:07:08 GMT

Do you by chance have any documentation?

We are trying to set up Azure MFA with our ISE deployment. We are not seeing any documentation on how to build this out.

from my understanding today, I feel we will need to deploy Azure MFA cloud base (which seems the only way to have MFA in azure), then we would build a windows server with NPS. The NPS servers would have all my configuration for 2-factor and I would point ISE to the NPS server.

Anything will be of help. We have reached out to MS FastTrack team and it feels they are learning how to deploy this with us.

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

bhatel — Tue, 26 Oct 2021 14:31:05 GMT

@usmcjohn

Would you mind sharing any documentation for Azure MFA for ISE/TACACS authentication. Pieces of documentation should help too, it no need to be a consolidated one. Hard to find any related documentation in the community so any help from your side would be greatly appreciated.

We are thinking between DUO vs AZ MFA.

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

thomas — Mon, 13 Dec 2021 21:38:51 GMT

Please see our ISE Security Ecosystem Integration Guides >

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

AbyLauranceCherian0059 — Mon, 28 Feb 2022 02:14:29 GMT

Has anyone checked using this method. I also want to confirm whether below is possible for TACACS+ device administration

ISE --> NPS Server --> Azure AD for MFA and Active Directory

Re: ISE Integration - Azure MFA (Cloud Only Deployment)

Aomar bahloul — Thu, 30 Mar 2023 21:31:33 GMT

Hi,

Can you elaborate more on your setup. Are you using NPS with Azure MFA extension? if so are you able to get the OTP (one-time password) to work? MS will enforce number matching by May of 2023 and the Accept/Deny push notification will stop working. Only number matching and OPT will be allowed. I was able to get ISE to work with NPS + Azure MFA extension with push notification but it stops working when I switch to OTP. On my case I can see the NPS sending a challenge with the code but ISE ignores it and keeps sending access requests