topic Re: Best way to integrate ASA/ISE/Azure AD for MFA? in Network Access Control

Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris — Tue, 10 Mar 2020 20:14:16 GMT

I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE.

Setup Azure AD as External Radius Server and use a Radius Server Sequence in the Policy Set Auth rule. This one works most consistently for me. Downside is that you can't choose which method to use for authentication (SMS, app, notification, etc.)
Setup Azure AD as a Radius Token server. This one works, but is rather clunky. For example, I'll get multiple SMS messages, random drops, etc.
Setup Azure AD an a SAML idP. This one is the most complex it seems. Not sure of the advantages. I know it can be used as a SAML provider directly from the ASA...Could I have the ASA do SAML authentication and then let ISE do authorization? It looks like if I use ISE with the SAML iDP, you have to require a web portal for auth, which I don't want.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Cristian Matei — Mon, 16 Mar 2020 19:29:32 GMT

Hi,

If you find option 3 to be best for you, yes, you can use SAML authentication and RADIUS/ISE authorization.

Regards,

Cristian Matei.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

ivanindic — Fri, 27 Nov 2020 13:57:49 GMT

Hi Cristian,

I am looking forward for the option 3 which should now be supported from the ISE 3.0. 🙂

Can you guide me to some configured guide from Cisco which I could follow to set it up? (ASA - ISE - SAML IdP with Azure AD and Azure MFA)

I came across the limitation that Azure MFA is for ISE web portal auth only. Does it means I can't use it for Windows Always-On VPN with Anyconnect?

What would be the alternative to use? E.g. Duo instead of ISE to interconnect the ASA VPN termination through Duo with Microsoft MFA.

Thx.

Ivan

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Arjun Bhamra — Fri, 08 Jan 2021 18:40:57 GMT

Is there any Cisco documentation, that is non duo based and fully caters to Any connect--Azure-Saml-ASA and ISE for authorization.Hoping we do need to spend time with TAC.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Spyros Kasapis — Fri, 17 Sep 2021 11:07:14 GMT

Any update ?

The Azure AD ROPC works only with 802.1X correct ?

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris — Fri, 17 Sep 2021 13:31:22 GMT

I ended up taking option # 3 and its working very well. ISE is acting as an authorization only server. Azure is performing authentication and conditional access. I honestly think that is a great solution.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Spyros Kasapis — Fri, 17 Sep 2021 13:51:37 GMT

thank you !!

i will try it .

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Arjun Bhamra — Fri, 17 Sep 2021 19:50:15 GMT

Hi Josh,

Do you have any documentation, as to how, you used ISE for authorization in this azure ASA saml scenario option 3 for Anyconnect ?

I get failed authorizations on the UPN name in ISE , as email/UPN auths are done by azure AD.

Any info is appreciated.

Thank you

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris — Fri, 17 Sep 2021 20:31:31 GMT

If you're using FTD, you must define the SAML server for authentication, and an authorize-only server for ISE authorization and accounting. This tripped me up when I first tried. With this setup, authentication is first sent to Azure. if accepted, FTD then sends authorization only request to ISE.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Arjun Bhamra — Fri, 17 Sep 2021 20:50:48 GMT

Thank you Josh,

We do not use FTD, but we use ASA, ISE is selected as Authorization for Any connect connection profile. MFA is working fine, but for now failed authorizations are indicators of the connections. May be a TAC case needs to be opened.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris — Mon, 20 Sep 2021 13:00:32 GMT

What is your ISE log saying is the cause of the authorization failure? Can you share the log?

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Steve Chapman — Tue, 16 Nov 2021 23:10:31 GMT

I have the same issue MFA is working but fail authorization with the following

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Normalised Radius.RadiusFlowType (2 times)
	15048	Queried PIP - Airespace.Airespace-Wlan-Id
	15048	Queried PIP - DEVICE.Device Type
	15041	Evaluating Identity Policy
	22072	Selected identity source sequence - AD_Cert_local
	15013	Selected Identity Source - Internal Users
	24210	Looking up User in Internal Users IDStore - chapmanst@umsystem.edu
	24212	Found User in Internal Users IDStore
	24430	Authenticating user against Active Directory - AD1
	24325	Resolving identity - chapmanst@umsystem.edu
	24313	Search for matching accounts at join point - stl.umsl.edu
	24319	Single matching account found in forest - umad.umsystem.edu
	24323	Identity resolution detected single matching account
	24344	RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,chapmanst@umad.umsystem.edu
	24408	User authentication against Active Directory failed since user has entered the wrong password - AD1
	22057	The advanced option that is configured for a failed authentication request is used
	22061	The 'Reject' advanced option is configured in case of a failed authentication request
	11003	Returned RADIUS Access-Reject

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

jan.nielsen — Thu, 02 Jun 2022 07:51:53 GMT

Did you check if you are getting live sessions for your MFA authenticated users, when only using ISE for Authz? I want to do this as well, but i am also doing pxgrid session sharing, so i need ISE to build and maintain sessions with user/mac/ip mappings.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Arun2022 — Sun, 14 Aug 2022 23:28:52 GMT

Hi @Josh Morris , I am attempting to setup a similar solution. The radius token server doesn't seem to be possible as Microsoft doesn't allow the option to install the MFA server on the on-prem domain controller anymore : Getting started Azure MFA Server - Azure Active Directory - Microsoft Entra | Microsoft Docs.

It would be great if you can share more details or any reference documents that you've used for option 3.

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris — Wed, 17 Aug 2022 13:55:55 GMT

I ended up going option 3, but moved away from ASA and am doing it on FTD. I still think you can do all of this on ASA though. I have a single SSO profile that I use with multiple VPN connection profiles. The SSO profile uses the base url (lets call it vpn.domain.com), but you can setup multiple Azure Enterprise Applications using SSO. For example, we have one for employees and another for vendors. The differentiating factors are the use of the connection profile names in the Identifier and Reply URL fields. Maybe the attached diagram will help.

After Azure returns an authentication accept, FMC uses the ISE Radius profile to send authorization request. The key is that in this particular profile, there is a box I checked called 'Enable Authorize only'. So ISE receives the authorize request and performs action based on whatever parameters I have applied in the policy set (vendors get limited access for example).

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Gavin Webb — Wed, 01 Feb 2023 13:08:31 GMT

Hi Josh

When setting up the multiple Enterprise Apps in Azure are you using the SAML certificates that get generated by Azure itself or have you uploaded a certificate that was issued by an External CA to each of your apps so they all have the same certificate?

Thanks

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

lilimtzrmz — Wed, 30 Aug 2023 22:47:40 GMT

So did you configure in Asa Azure as authentication server and ISE as radius server? Would you mind tell me how did you configured cisco ISE policy? Authentication like if fails continue, etc?

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

lilimtzrmz — Wed, 30 Aug 2023 23:24:39 GMT

How should ise portion be configured (authentication)?

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

Greg Gibbs — Thu, 31 Aug 2023 03:32:59 GMT

The flow for this would be:

ASA <-> AzureAD SAML + MFA (optional) <-> ISE AuthZ Only

With the ASA configured to use ISE for AuthZ Only, the Authentication Policy in ISE will be bypassed. As such, the default authC policy can be set to DenyAccess and the flow will still work.

Example ASA config from my lab using ISE 3.2

tunnel-group sslvpn-saml32 type remote-access
tunnel-group sslvpn-saml32 general-attributes
address-pool vpnpool
authorization-server-group ISE32_RAD
default-group-policy GroupPolicy_sslvpn-saml32
tunnel-group sslvpn-saml32 webvpn-attributes
authentication saml
group-alias sslvpn-saml32 enable
saml identity-provider https://sts.windows.net/xxx
!
aaa-server ISE32_RAD protocol radius
authorize-only
interim-accounting-update
dynamic-authorization
aaa-server ISE32_RAD (management) host 192.168.222.52
key *****
authentication-port 1812
accounting-port 1813

Re: Best way to integrate ASA/ISE/Azure AD for MFA?

lilimtzrmz — Thu, 31 Aug 2023 03:53:29 GMT

Thanks for the information... <span;>Under this scenario is it possible to implement posture also? Is there any cisco document in which I can consult the traffic? I wanna know how Asa pass the authorization request to ISE