topic Re: Cisco AnyConnect - M365 authentication possibilities in Network Access Control

Cisco AnyConnect - M365 authentication possibilities

Amen — Mon, 16 May 2022 15:28:06 GMT

Would like to request information on the integration possibilities of AnyConnect with Microsoft 365 user authentication.

So far it looks like it is possible via SAML, just want to make sure we're not missing anything.

Re: Cisco AnyConnect - M365 authentication possibilities

ahollifield — Mon, 16 May 2022 16:04:15 GMT

AnyConnect NAM client 802.1X authentication to ISE? AnyConnect VPN to ASA/FTD? AzureAD/ADFS?

Re: Cisco AnyConnect - M365 authentication possibilities

Marvin Rhoads — Tue, 17 May 2022 15:49:40 GMT

The AnyConnect VPN client can authenticate to Azure AD via SAML. You can also incorporate Microsoft Authenticator MFA in this scenario.

You can also run a hybrid solution using Microsoft NPS on premises with the Azure plug-in and use Microsoft MFA that way.

Thirdly you could use Duo SSO integrated with Azure AD.

Re: Cisco AnyConnect - M365 authentication possibilities

Amen — Wed, 18 May 2022 08:02:24 GMT

I'm also just learning about the M365/AzureAD (AAD) capabilities, but hopefully, we will find something together.

In our PoC environment, we have proven that AnyConnect with the external browser could authenticate straight away against AAD using SAML, but this is where the next challenge comes: if at all possible, we would like to use a single sign-on experience on the AzureAD joined devices, namely we would like skip the re-authentication (username+password) of the user and just prompt for multi-factor authentication before the user would be allowed to bring up the VPN.

Cisco provides the AnyConnect app in AzureAD, I wonder if there is any associated documentation on the topic, particularly on the SSO side.

Re: Cisco AnyConnect - M365 authentication possibilities

Marvin Rhoads — Wed, 18 May 2022 18:57:44 GMT

Form memory, when you configure the SAML iDP from FMC there is an option to check the box to not require reauthentication. HAve you tried that?

Re: Cisco AnyConnect - M365 authentication possibilities

Amen — Fri, 20 May 2022 07:22:51 GMT

From SAML authentication's perspective Azure AD is an Identity Provider (IdP), just like ADFS, DUO, etc.

What we want to do is the best possible integration between AnyConnect and Azure AD, where the user can establish the VPN connection with the least amount of interactions, still with the best security.

We're trying to achieve that AnyConnect authenticates the user based on the Windows session against AzureAD (so there's no new username and password requested after the user logged in Windows) and gets connected after a single MFA approval.

MFA is still requested to make sure that if someone tries to connect from a stolen laptop even with a leaked username/password, connection to corporate resources would not be possible.

any Ideas?

Re: Cisco AnyConnect - M365 authentication possibilities

Amen — Fri, 20 May 2022 09:20:42 GMT

Can this be enough?

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect