<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ISE problem with MFA in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-problem-with-mfa/m-p/5202988#M592156</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Hope you are doing well.&lt;/P&gt;
&lt;P&gt;I have an interesting case that has been bothering me for over a month. Long story short - we did a migration of a customer ISE deployment from 2.7 to 3.2. Everything works correctly except the VPN connection to the customer network. We are using Firepower 4k as a VPN gateway.&lt;/P&gt;
&lt;P&gt;Scenario:&lt;/P&gt;
&lt;P&gt;External or internal users, it doesn't matter who, want to connect to the network via AnyConnect VPN.&amp;nbsp; The user should enter the credentials, receive an MFA notification (cuz we are using Microsoft MFA) and after confirmation gain access to the network. But some types of users receive additional notifications from Microsoft MFA even if they have already been connected to the network. For example, they get another allow notification from MFA 2-3 times after successful authentication.&lt;/P&gt;
&lt;P&gt;There are also some types of users who do not reach the network at all, even if they receive a notification from the MFA and successfully authenticate according to it. They get an error - specifically from the MFA log:&lt;/P&gt;
&lt;UL class="lia-list-style-type-disc"&gt;
&lt;LI&gt;MFA denied; user did not respond to mobile app notification&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;MFA denied; duplicate authentication attempt&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As far as I understand, MFA sends as many notifications as it receives requests from the RADIUS server. The strange thing is that after switching the VPN to the old ISE, everything works correctly. Both new and old ISEs have an identical configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm already solving it with TAC, but it's a bit stagnant at the moment, so I want to ask if anyone has encountered a similar scenario?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;
&lt;P&gt;Michal&lt;/P&gt;</description>
    <pubDate>Thu, 03 Oct 2024 14:13:09 GMT</pubDate>
    <dc:creator>Micinel</dc:creator>
    <dc:date>2024-10-03T14:13:09Z</dc:date>
    <item>
      <title>ISE problem with MFA</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-problem-with-mfa/m-p/5202988#M592156</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Hope you are doing well.&lt;/P&gt;
&lt;P&gt;I have an interesting case that has been bothering me for over a month. Long story short - we did a migration of a customer ISE deployment from 2.7 to 3.2. Everything works correctly except the VPN connection to the customer network. We are using Firepower 4k as a VPN gateway.&lt;/P&gt;
&lt;P&gt;Scenario:&lt;/P&gt;
&lt;P&gt;External or internal users, it doesn't matter who, want to connect to the network via AnyConnect VPN.&amp;nbsp; The user should enter the credentials, receive an MFA notification (cuz we are using Microsoft MFA) and after confirmation gain access to the network. But some types of users receive additional notifications from Microsoft MFA even if they have already been connected to the network. For example, they get another allow notification from MFA 2-3 times after successful authentication.&lt;/P&gt;
&lt;P&gt;There are also some types of users who do not reach the network at all, even if they receive a notification from the MFA and successfully authenticate according to it. They get an error - specifically from the MFA log:&lt;/P&gt;
&lt;UL class="lia-list-style-type-disc"&gt;
&lt;LI&gt;MFA denied; user did not respond to mobile app notification&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;MFA denied; duplicate authentication attempt&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As far as I understand, MFA sends as many notifications as it receives requests from the RADIUS server. The strange thing is that after switching the VPN to the old ISE, everything works correctly. Both new and old ISEs have an identical configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm already solving it with TAC, but it's a bit stagnant at the moment, so I want to ask if anyone has encountered a similar scenario?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;
&lt;P&gt;Michal&lt;/P&gt;</description>
      <pubDate>Thu, 03 Oct 2024 14:13:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-problem-with-mfa/m-p/5202988#M592156</guid>
      <dc:creator>Micinel</dc:creator>
      <dc:date>2024-10-03T14:13:09Z</dc:date>
    </item>
  </channel>
</rss>

