Beginner

Cisco Anyconnect MFA with ISE

Good evening,  not sure if this is possible as I can't find any information on this.  We have a working installation of Cisco Anyconnect terminating on an adaptive security appliance which forwards AuthC requests to ISE at our data center.  ISE checks against AD and if the user is found access is permitted.  Now we are looking to implement multi-factor authentication.  Is it possible to somehow marry MFA into our existing solution OR do we need to move our RADIUS authentication off ISE and onto Azure?  

1 ACCEPTED SOLUTION

Contributor

Re: Cisco Anyconnect MFA with ISE

If you're using Microsoft MFA, you can utilize that as the authentication server for the VPN connection then utilize Cisco ISE as the authorization-only server.  I have this working in multiple environments.  Users authenticate with username/password, the MFA then texts/calls them, and after successful authentication the requests are sent to ISE for authorization where you can check for AD Group membership, push different attributes for the VPN session, etc.

 

Here's a sample config:

! MFA and ISE are the names of two aaa-server groups that must be defined
! elsewhere in the config: MFA points at the Microsoft MFA RADIUS server,
! ISE at the Cisco ISE nodes.
tunnel-group MicrosoftMFA type remote-access
tunnel-group MicrosoftMFA general-attributes
 ! authentication (username/password + MFA prompt) goes to the MFA group
 authentication-server-group MFA
 ! authorization and accounting go to ISE (AD group checks, session attributes)
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy MicrosoftMFA
 password-management
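A fuller version of the split authentication/authorization design described in the accepted answer, as an added example that is not the poster's own configuration: it includes the two aaa-server groups the tunnel-group references, with the RADIUS timeout on the MFA group raised so the phone call or push can complete before the ASA gives up on the request. Host addresses, shared secrets, the interface name, the group-policy body and the 60-second timeout are assumptions; the ISE-side policy that treats the second request as authorization-only is not shown.

```cisco
! Added example, not the original poster's config. Addresses, secrets,
! interface names and timeouts are placeholders (assumptions).

! Authentication: the RADIUS server that fronts Microsoft MFA.
! The user has to answer a call or push before this server replies, so the
! per-host timeout is raised well above the ASA default of 10 seconds;
! otherwise the ASA times out and retries while the user is still answering.
aaa-server MFA protocol radius
aaa-server MFA (inside) host 10.0.0.10
 key MfaSharedSecret
 timeout 60
 authentication-port 1812
 accounting-port 1813

! Authorization and accounting: Cisco ISE. The authorization request carries
! only the username (the password was already checked by the MFA group),
! so ISE must be configured to treat it as authorization-only; that policy
! set lives on the ISE side and is not part of this snippet.
! Accounting to ISE gives it the VPN session for visibility and CoA.
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.0.0.20
 key IseSharedSecret
 authentication-port 1812
 accounting-port 1813

! Placeholder group policy referenced by the tunnel-group.
group-policy MicrosoftMFA internal
group-policy MicrosoftMFA attributes
 vpn-tunnel-protocol ssl-client ikev2

! Tunnel-group from the accepted answer, tying the two groups together.
tunnel-group MicrosoftMFA type remote-access
tunnel-group MicrosoftMFA general-attributes
 authentication-server-group MFA
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy MicrosoftMFA
 password-management
```

Before pointing the tunnel-group at the new groups, each leg can be exercised on its own from the ASA CLI: `test aaa-server authentication MFA host 10.0.0.10 username jdoe password ...` should trigger the MFA prompt and return success only after it is answered, and `test aaa-server authorization ISE host 10.0.0.20 username jdoe` should return the attributes ISE pushes for that user. If the first test fails with a timeout rather than a reject, the MFA host timeout is still too short for the second factor to complete.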
4 REPLIES
Beginner

Re: Cisco Anyconnect MFA with ISE

If I were to simplify this question, "What is the best way to implement multi-factor authentication for Anyconnect while also using ISE as the AAA RADIUS server used by the ASA to forward authentication requests?"

Beginner

Re: Cisco Anyconnect MFA with ISE

Thank you for your response.  I will definitely give this a try and report back.

Cheers!

Beginner

Re: Cisco Anyconnect MFA with ISE

Quick question, when creating a Policy Set in ISE for this VPN authorization, I am assuming the Authentication Policy should be set to Permit, correct? Since we're not really trying to authenticate.