Cisco ISE/Anyconnect/FTD & Envoy MFA

IamSamSaul
Level 1

Hi there,

I have the following setup:

Cisco ISE
Cisco AnyConnect VPN
Cisco FTD
Envoy MFA

At this moment Cisco AnyConnect VPN + FTD + Envoy MFA is working. I want to add Cisco ISE. I have tried several ways, but I'm not getting the "second code" field when I try to log in with Cisco AnyConnect VPN. I created Internal Identities with Microsoft AD and Envoy MFA and then added them to "Authentication" under the policy set, but it's not working. I have tried to add them as External RADIUS Identities, but with no luck.

I have looked at the Envoy.help website, but their integration with Cisco ISE is with the Guest Portal.

I hope someone has an idea or is using the same product and can help me in the right direction.

Thanks & Regards,

Sam

Accepted Solution

Milos_Jovanovic
VIP Alumni

Hi Sam,

I haven't used Envoy MFA, but I would assume it supports RADIUS as a protocol (as most MFA solutions do). If that is the case, your traffic flow would be:

PC with AnyConnect -> FTD -> ISE -> Envoy MFA [ quite possibly -> AD/LDAP ]

In this scenario, FTD would pass the authentication request to ISE, which would forward it to the Envoy MFA solution. MFA would do its job and authenticate the client on both factors (ISE can either forward the entire authentication request or authenticate it itself; it can't do one factor and forward the second). After authenticating the client, MFA would reply with Access-Accept to ISE, which can then proceed with authorization of the VPN client. In this scenario, from the standpoint of your MFA solution, the ISE servers are RADIUS clients.

Here is a good article on how this is done with ISE and Duo. Here you can find another example of how this can be done (a different approach; both have their pros and cons).

Although it is not the same, you can easily understand the concept behind this approach and replicate it in your setup. You must configure the MFA solution properly too.

This is one way of doing things, in which the user gets only one prompt, without secondary authentication. You can use that approach too, and the secondary authentication option comes with v6.4. You can find the config guide here.

BR,

Milos
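As an added illustration of the RADIUS mechanics behind the flow Milos describes (this is example code written for this page, not from the thread, Cisco or Envoy, and it assumes PAP-style User-Password rather than CHAP/EAP): the FTD-to-ISE hop and the ISE-to-MFA hop each have their own shared secret and Request Authenticator, so the middle hop must unhide and re-hide User-Password per RFC 2865 before forwarding, and as the RADIUS client it verifies the Response Authenticator on the Access-Accept it gets back. The secrets and sample password used are constructed placeholders.

```python
import hashlib
import secrets

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks

def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous ciphertext block); the first block is keyed by
    the 16-octet Request Authenticator of the Access-Request carrying it."""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        hidden += block
        prev = block
    return bytes(hidden)

def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped again."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + BLOCK]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")

def proxy_forward(hidden_from_nas, nas_secret, nas_authenticator, upstream_secret):
    """What the middle hop (ISE in the thread's flow) does when it forwards the request
    as a RADIUS client of the MFA server: undo the NAS-secret hiding, choose a fresh
    Request Authenticator, and re-hide under the upstream secret. The cleartext
    credential necessarily exists inside the proxy at this point."""
    clear = reveal_password(hidden_from_nas, nas_secret, nas_authenticator)
    upstream_authenticator = secrets.token_bytes(BLOCK)
    return upstream_authenticator, hide_password(clear, upstream_secret, upstream_authenticator)

def response_authenticator(code, identifier, attributes, request_authenticator, shared_secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The RADIUS client recomputes this over the Access-Accept it receives and drops the
    reply if it does not match, so an accept must come from a holder of the secret."""
    length = 20 + len(attributes)  # 20-octet header plus attributes
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + shared_secret).digest()
```

The practical consequence for the setup in the thread is that ISE needs a distinct shared secret configured on the MFA side (where ISE is a client) and on the FTD side (where ISE is the server), and that every hop in the chain sees the user's credentials in the clear.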
