topic Re: Firepower Threat Defense with Anyconnect and Azure MFA in Network Security

Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris — Thu, 14 May 2020 08:08:48 GMT

Hi,

I am planing to implement a MFA solution using Microsoft Azure Cloud and so far most of the Cisco guides using DUO as an example and I have not find a good guide for setting it up with Azure MFA.

The components we are using are.

FTD for AWS 6.4

ISE 2.4

Anyconnect 4.6

Microsoft AD + Azure Cloud MFA

Has anyone set up a solution using similar components and can point me to a guide?

FTD as the option "Use secondary authentication", but if I put the Azure MFA as secondary authentication server, would that mean ISE will be bypassed? I would still like to use ISE for logging purpose.

Best regards

/Chess

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Marius Gunnerud — Thu, 14 May 2020 18:44:52 GMT

I have set this up (at least the Cisco side of things) using ASA.

ASA has ISE as authentication server and in ISE set up an External Identity source (Radius Token). Other than that the configuration of AnyConnect is different on FTD I assume that the functionality, or how it works, is the same. On ASA at least there is no special configuration needed to get MFA to work. The popup window to enter the MFA code comes automatically when ISE requests additional authentication from the ASA.

But you are correct that there is not much easily findable documentation regarding this scenario with FTD.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn

Re: Firepower Threat Defense with Anyconnect and Azure MFA

giovanni.augusto — Thu, 14 May 2020 18:49:33 GMT

seems that MFA server is no longer supported:

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Marius Gunnerud — Thu, 14 May 2020 19:57:04 GMT

The poster is using Azure MFA as stated in his original post.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

giovanni.augusto — Thu, 14 May 2020 20:13:12 GMT

Of course,

I would like to ask if you are using NPS with Azure MFA agent or Azure MFA server (which I read is going out of support).

In any way what is your experience? with Azure MFA through ISE do you authenticate using RADIUS only or do you need to enable SAML?

Also in such scenario if you can apply any type or additional condition like location rules from the originating user.

Thanks

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris — Fri, 15 May 2020 06:44:42 GMT

Thank you Marius,

I believe that the VPN configuration would be the same on FTD as on the ASA, but I was told we need the "secondary authentication" function for MFA to work which is available in version 6.4. (See screenshot below)

But now I am thinking it might only be necessary in cases where there is no ISE server available.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

cfitzgerald — Mon, 06 Jul 2020 20:58:19 GMT

Hello @Chess Norris - did you ever get this implemented? I am also looking to integrate Azure MFA with AnyConnect and FTD. I also have an ISE server, but I don't think ISE can work with AzureMFA/SAML yet.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris — Wed, 15 Jul 2020 12:34:53 GMT

No success yet. I have just created a TAC case, but I am not too optimistic. Looks like DUO is the way to go.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris — Wed, 15 Jul 2020 12:35:18 GMT

@cfitzgerald We were able to get it to work finally. I was not involved in the NPS configuration, but the configuration in ISE was quite simple. We already added the NPS server as a "Radius token" in ISE and also created the authentication and authorization policy that matched the correct tunnel-group from FTD.

What we missed, was to add the radius token (NPS) server as an Identity Source Sequence in the All_User_ID_Store. After doing so, everything started to work.

/Chess

Re: Firepower Threat Defense with Anyconnect and Azure MFA

giovanni.augusto — Wed, 15 Jul 2020 13:26:59 GMT

Can you apply geolocation rules for authentication in Azure MFA?

Are you using Azure plugin in NPS?

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris — Thu, 16 Jul 2020 11:42:52 GMT

You should be able to add a geolocation rule if you want to block certain countrys for accessing the VPN portal or connect via Anyconnect.

I am not sure what they used on the Azure side. I was not part of that configuration.

/Chess

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Marvin Rhoads — Thu, 16 Jul 2020 19:16:11 GMT

The Geolocation rule feature in FTD is not available for use with traffic TO the firewall, only traffic THROUGH the firewall.

If the MFA solution has a Geolocation feature that can be used for this sort of protection.

I believe is Azure, that's done has described here:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

For those using Duo MFA, it also has this feature.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

alessandro.s — Mon, 26 Oct 2020 16:15:10 GMT

Hi @Chess Norris ,

Can you please specify if you used an on-premise NPS server or the NPS extension for Azure AD on cloud? I'm trying to prepare a testing environment for AnyConnect access with FTD using ISE and Microsoft Azure MFA on-cloud but i was not able to find any document about it.

Thanks in advance,

Alessandro

Re: Firepower Threat Defense with Anyconnect and Azure MFA

cfitzgerald — Mon, 26 Oct 2020 16:47:24 GMT

You have to use an on-prem NPS server with the Azure MFA extension installed on it.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

alessandro.s — Tue, 27 Oct 2020 13:58:16 GMT

Thanks,

i found some documents about this type of implementation, i'll test in the next days to see if it works!

Regards,

Re: Firepower Threat Defense with Anyconnect and Azure MFA

sysnet_striver — Mon, 07 Dec 2020 18:01:26 GMT

Hey Chess, we are also going to be attempting the implementation of Azure MFA (we have on premise AD that I have to join/sync with Azure AD) with our Anyconnect vpn and firepower 1120 FTD.

What I am trying to determine is if we have to purchase cisco ISE separately or does our FTD software or underlying firmware on our FP1120 have an embedded ISE server? This is a core component from what I have read.

Also I presume you had to configure a RADIUS sever to communicate with the NPS server - which I think would just be the Anyconnect host, no?

Thanks in advance.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Marvin Rhoads — Mon, 07 Dec 2020 18:43:36 GMT

@sysnet_striver Cisco ISE is not free. It is a licensed product and runs on its own separate server(s).

Re: Firepower Threat Defense with Anyconnect and Azure MFA

cfitzgerald — Mon, 07 Dec 2020 19:02:47 GMT

@sysnet_striver Cisco ISE is not free. It is a licensed product and runs on its own separate server(s).

You don't need ISE to integrate with Azure MFA. ISE is a RADIUS server, just like Microsoft's NPS server role. You will need an on-prem NPS server with the Azure MFA extension installed.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

sysnet_striver — Wed, 06 Jan 2021 03:56:36 GMT

After learning more about NAC, seems to me that ISE is not a must have as its functionality can be more or less achieved with Anyconnect and RADIUS/NPS server and Azure MFA.

Re: Firepower Threat Defense with Anyconnect and Azure MFA

Marvin Rhoads — Wed, 06 Jan 2021 07:07:08 GMT

Or, as of FTD 6.7, you can just use SAML directly to Azure for Authentication. Only if you want to do additional things with authorization would you need an on-premise solution for an Authorization services (e.g. Microsoft NPS or Cisco ISE).

More to come along this line when FTD 6.8 comes out...