topic Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD in Network Access Control

How to implement Cisco ISE as Microsoft NPS to carry out Azure AD MFA

tonyang — Mon, 17 Apr 2023 03:52:21 GMT

I would like to see if it's possible to integrate Cisco ISE with Azure AD Multi-Factor authentication. Now I'm using Network Policy Server (NPS) to do Azure AD Multi-Factor authentication. Here is the netflow and configuration for easy understanding.

Use Azure AD Multi-Factor Authentication with NPS - Microsoft Entra | Microsoft Learn

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

Greg Gibbs — Mon, 17 Apr 2023 05:40:07 GMT

ISE cannot simply take the place of NPS in this flow as it does not have a function to integrate with Azure AD MFA like the NPS extension.

Depending on what Use Case you are working with (VPN, Wired, Wireless, Device Admin, etc), you could configure ISE to use your existing NPS as a RADIUS Proxy. ISE would forward the RADIUS/TACACS+ requests to NPS to handle the Authentication + MFA, then ISE could perform the Authorization only piece based on the response from NPS.

If you are looking at the VPN use case, you could also have a Cisco ASA/FTD VPN headend perform the authentication via SAML + Azure MFA part itself and use ISE for the Authorization only part of the flow.

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

tonyang — Mon, 17 Apr 2023 08:51:52 GMT

Thanks for your advice, Greg.

F5 VPN is my use case. Is it possible to share more details on how to have a Cisco ASA/FTD VPN headend perform the authentication via SAML + Azure MFA part itself and use ISE for the Authorization only part of the flow ?

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

Greg Gibbs — Mon, 17 Apr 2023 22:51:48 GMT

I'm not aware of a single document that includes the entire flow, but you could use a combination of concepts from the following documents:
Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Integrate Azure MFA with Cisco AnyConnect VPN (does not properly use the tunnel-group 'authorize only' config)

VPN certificate auth using ISE? (discusses proper use of the tunnel-group 'authorize only' config)

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

tonyang — Wed, 19 Apr 2023 03:18:02 GMT

Do you mean I need to add Cisco AnyConnect into Cisco ISE as external radius servers ? The flow is from F5 VPN - Cisco ISE PSN - Cisco AnyConnect - Azure AD, isn't it ?

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

samir-rana — Tue, 10 Sep 2024 21:28:31 GMT

Greg, Is there any document which can help to use for Device Admin which configure ISE to use existing NPS as a RADIUS Proxy. ISE would forward the RADIUS/TACACS+ requests to NPS to handle the Authentication + MFA, then ISE could perform the Authorization only piece based on the response from NPS

Re: How to implement Cisco ISE as Microsoft NPS to carry out Azure AD

Greg Gibbs — Tue, 10 Sep 2024 22:56:03 GMT

From the ISE perspective, the RADIUS Token piece would be similar to this example using Duo.
https://community.cisco.com/t5/security-knowledge-base/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231