Beginner

Using on premise Azure with ISE 2.2

I have been working on setting up multi-factor authentication using RADIUS. I first tried to use Duo Auth Proxy with little success. We were trying to use ISE as the primary RADIUS authenticator (https://duo.com/docs/radius). What I would like to try instead is this: we have an Azure MFA server on site. The way I would like to set it up is that when we log into a device using RADIUS with MFA, the request hits the Azure MFA server first to authenticate with MFA, then the user is sent to ISE so that the ISE policies dictate the level of access to the device over RADIUS. We will not be using the TACACS portion of ISE. The MFA server and the ISE server are joined to the domain. I am attaching a picture of how I see this working.

Accepted Solution
Cisco Employee

Re: Using on premise Azure with ISE 2.2

Let me say this another way:

ISE points to MFA as external radius proxy?

1. User supplicant authenticates against ISE proxied to MFA?

2. ISE does the authorization?

I think it would work but best to lab it up.

Beginner

Re: Using on premise Azure with ISE 2.2

Thanks Jason. I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.

Re: Using on premise Azure with ISE 2.2

Hi All,

I tested Azure MFA and ISE integration for AnyConnect VPN and want to share my findings with the community.

  • MFA (on prem) server used as external RADIUS server (proxy)
    This did not work, because of a "RADIUS-Proxy: Response Proxy-State attribute validation failed" error.
    After taking some traces, it seems ISE sends 2 'Proxy-State' AVPs (FirstProxy=<ISE IP> and Cisco Secure ACS) but only gets one of the 2 AVPs back in the RADIUS Access-Accept from the MFA server, while ISE should receive both unmodified.
  • MFA (on prem) server used as RADIUS token external identity source
    This works as expected, but limits the usage to PAP, MS-CHAPv2 is not possible in this scenario.
  • Microsoft NPS with MFA extension used as external RADIUS server (proxy)
    This works as expected. And it is possible to use MS-CHAPv2.
    NPS with the MFA extension uses the cloud-hosted Azure MFA version.

Components used are:

  • ISE 2.4
  • AnyConnect 4.6
  • ASA 9.9.2
  • Azure MFA (on prem) server 8.0.0.3 on Server2012R2
  • NPS on Server2012R2 with Azure MFA extension 1.0.1.20
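The Proxy-State failure described in the first bullet above comes from a check every RADIUS proxy performs: RFC 2865 requires a server to copy each Proxy-State attribute from the request into its reply, unmodified and in the same order. The following added example (not code from the thread or from Cisco ISE) encodes and parses RADIUS attribute TLVs and runs that check against two constructed Access-Accept bodies, one that echoes both AVPs and one that drops the second, which reproduces the "Response Proxy-State attribute validation failed" condition; the FirstProxy address is an assumed placeholder.

```python
import struct

PROXY_STATE = 33  # RADIUS attribute type Proxy-State (RFC 2865, section 5.33)

def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) pairs as RADIUS attribute TLVs."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("BB", t, len(v) + 2) + v
    return bytes(out)

def decode_attrs(data):
    """Parse RADIUS attribute TLVs; rejects truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def validate_proxy_state(request_attrs, response_attrs):
    """(ok, reason): ok only if every request Proxy-State is echoed unmodified, in order."""
    sent = [v for t, v in request_attrs if t == PROXY_STATE]
    got = [v for t, v in response_attrs if t == PROXY_STATE]
    if sent == got:
        return True, "ok"
    return False, f"Proxy-State validation failed: sent {len(sent)}, received {len(got)}"

# Constructed request carrying the two Proxy-State AVPs named in the finding above
# (the FirstProxy address is an illustrative placeholder, not a value from the page).
REQUEST = encode_attrs([(1, b"alice"),  # 1 = User-Name
                        (PROXY_STATE, b"FirstProxy=10.0.0.5"),
                        (PROXY_STATE, b"Cisco Secure ACS")])
# Constructed Access-Accept attribute bodies: a compliant server echoes both AVPs;
# a misbehaving one (the symptom reported above) returns only one of them.
GOOD_REPLY = encode_attrs([(PROXY_STATE, b"FirstProxy=10.0.0.5"),
                           (PROXY_STATE, b"Cisco Secure ACS"), (18, b"Welcome")])  # 18 = Reply-Message
BAD_REPLY = encode_attrs([(PROXY_STATE, b"FirstProxy=10.0.0.5"), (18, b"Welcome")])

def check(reply):
    """Validate a reply against REQUEST the way the proxying server (ISE here) would."""
    return validate_proxy_state(decode_attrs(REQUEST), decode_attrs(reply))
```

Running `check(BAD_REPLY)` reports the mismatch the way ISE's log line does, which makes a packet capture of the upstream reply the quickest way to confirm which hop is stripping the attribute.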

Contributor

Re: Using on premise Azure with ISE 2.2

I agree with Jason. I've actually done this before using RSA, Entrust, and Duo via RADIUS Proxy (and RSA via conf file, as well).

There's no reason it shouldn't work with ISE proxying the RADIUS authentication back to the Azure MFA server, as long as it supports RADIUS. This article looks to walk through the same setup using NPS, which means ISE should easily be able to do the same thing.

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius

Good luck.

Beginner

Re: Using on premise Azure with ISE 2.2

Thanks, I also agree with Jason. I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.