04-10-2018 04:08 PM
We would like to use Azure MFA when authenticating Anyconnect users on ASA, while also doing Posture and DACL's based on AD membership. Using this doc as reference: Multi-Factor Authentication with ISE.pdf
(1) Evidently MFA supports MSCHAPv2, but we only support PAP for RADIUS token servers. Can you verify if this is accurate? https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius
(2) If true, is there any way to support MFA where we don't send full AD credentials to it? Any other design where we don't have to rely on PAP?
Thanks!
Solved! Go to Solution.
04-10-2018 08:26 PM
ASA supports multiple authentications so you could either using Azure as RADIUS server or SAMLv2 IdP directly with ASA as the first authentication and then authorize-only on ISE.
ISE protcol support is shown in Table 2 of Cisco Identity Services Engine Administrator Guide, Release 2.4 - Manage Users and External Identity Sources [Cisco Ide…
So ISE supports EAP-GTC and PAP with token ID sources.
04-10-2018 08:26 PM
ASA supports multiple authentications so you could either using Azure as RADIUS server or SAMLv2 IdP directly with ASA as the first authentication and then authorize-only on ISE.
ISE protcol support is shown in Table 2 of Cisco Identity Services Engine Administrator Guide, Release 2.4 - Manage Users and External Identity Sources [Cisco Ide…
So ISE supports EAP-GTC and PAP with token ID sources.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide