https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326812#M1122542 <P>we have working solution live</P> <P>ASA + MFA saml working as expected.</P> <P>reference :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html</A></P> Wed, 03 Sep 2025 12:59:26 GMT balaji.bandi 2025-09-03T12:59:26Z https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326422#M1122524 <P>Hello everyone,</P><P>I need your advice on integrating Microsoft Authenticator (Azure MFA) with my Cisco Always-On VPN setup.</P><P>My current setup:</P><P>Cisco ASA with SSL VPN (AnyConnect Secure Client, Always-On enabled)<BR />Cisco ISE for authentication and authorization<BR />Active Directory (DNS, domain domain.de)<BR />Internal CA (certificates issued for users)<BR />Group Policy: AOV (used for SSL VPN clients)<BR />Configuration details (short version):</P><P>&nbsp;</P><P>On ASA:<BR />Connection profile: authentication method = certificate only (Primary field = UPN)<BR />AAA server group = ISE<BR />Address pools, DNS servers, split-tunneling list applied<BR />Always-On enabled, start before logon, auto-reconnect configured</P><P>On ISE:<BR />External identity source = AD (domain.de)<BR />Authorization Profile: AOV → ASA VPN group policy = AOV<BR />Policy Set: conditions = ASA as network device + Tunnel Group = AOV<BR />Authentication protocols allowed: PAP, MSCHAPv2<BR />So far, authentication works fine with AD + certificates.</P><P>What I want to add:<BR />Second factor authentication with Microsoft Authenticator (Azure MFA) for Always-On VPN users.</P><P>My questions:<BR />What is the recommended way to integrate ASA + ISE with Microsoft MFA?<BR />Should I use Azure MFA NPS Extension (ISE → NPS → Azure MFA)?<BR />Has anyone deployed this in production, and can share best practices?<BR />Keep Always-On VPN (certificate + AD) but enforce MFA with Microsoft Authenticator for the AOV group.</P><P>Thanks in advance for your guidance!</P> Tue, 02 Sep 2025 12:26:21 GMT https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326422#M1122524 divas80 2025-09-02T12:26:21Z https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326787#M1122538 <P>Have you considered using SAML to Entra ID instead of bothering with ISE at all?</P> Wed, 03 Sep 2025 12:08:48 GMT https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326787#M1122538 ahollifield 2025-09-03T12:08:48Z https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326812#M1122542 <P>we have working solution live</P> <P>ASA + MFA saml working as expected.</P> <P>reference :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html</A></P> Wed, 03 Sep 2025 12:59:26 GMT https://community.cisco.com/t5/network-security/asa-azure-mfa-question/m-p/5326812#M1122542 balaji.bandi 2025-09-03T12:59:26Z