Cisco Employee

ISE Authentication to Azure MFA - RADIUS PAP Only?

We would like to use Azure MFA when authenticating AnyConnect users on ASA, while also doing Posture and DACLs based on AD membership. Using this doc as reference: Multi-Factor Authentication with ISE.pdf

(1)  Evidently MFA supports MSCHAPv2, but we only support PAP for RADIUS token servers.  Can you verify if this is accurate?   https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius

(2)  If true, is there any way to support MFA where we don't send full AD credentials to it?  Any other design where we don't have to rely on PAP?

Thanks!

Accepted Solutions
Cisco Employee

Re: ISE Authentication to Azure MFA - RADIUS PAP Only?

ASA supports multiple authentications, so you could use Azure either as a RADIUS server or as a SAMLv2 IdP directly with ASA as the first authentication, and then authorize-only on ISE.

ISE protocol support is shown in Table 2 of Cisco Identity Services Engine Administrator Guide, Release 2.4 - Manage Users and External Identity Sources [Cisco Ide…

So ISE supports EAP-GTC and PAP with token ID sources.
