Cisco Employee

ISE using Azure MFA and AD

Are there any white papers on configuring VPN authorization in ISE using Azure MFA and AD?

Accepted Solution
Cisco Employee

Re: ISE using Azure MFA and AD

Hi,

You can find information in the ISE and AnyConnect design guides.

ISE Design & Integration Guides

With regard to MFA, ISE supports RSA SecurID and RADIUS token. You can also use an external server such as Symantec VIP with the guest portal. You can look at the integration with Symantec for that in the design guide above.

ISE supports Azure AD with MFA for SAML 2.0 SSO at ISE end-user-facing webauth portals if the primary auth is form-auth authentication.

Now, ASA supports MFA with two different identity sources for authentication; you can use ISE for authorization only in such cases.

Thanks

Krishnan

3 REPLIES
Cisco Employee

Re: ISE using Azure MFA and AD

If there is nothing for MFA, how about a white paper on using ISE for AnyConnect VPN authentication without MFA?

Beginner

Re: ISE using Azure MFA and AD

Hi imsheikh,

I was working on the same thing it looks like you are trying to do. We just set up an Azure MFA server to set up multi-factor for VPN, and I also found that it works quite nicely for accessing network devices. Since the MFA server is on-prem and uses our AD, I used the Azure server as an external RADIUS token server in ISE. The Azure server is now the identity store I use in the Authentication Policy, then, of course, AD groups for the Authorization policies. I found the results to work just as we needed. I did not have to set up the second authentication on the ASA. Using the MFA as the Authentication Policy identity store, now when we log into Cisco gear or the VPN we can use either a token or a push notification. It is a little overkill for access to network gear, but being a government organization we had a requirement for that. It works much like the Duo Auth Proxy.