
Using on premise Azure with ISE 2.2

Richard Lucht
Level 1

I have been working on setting up multi-factor authentication using RADIUS. I first tried to use Duo Auth Proxy with little success. We were trying to use ISE as the primary RADIUS authenticator (https://duo.com/docs/radius). What I would like to try is this: we have an Azure MFA server on site. I would like to set it up so that when we log into a device using RADIUS with MFA, it hits the Azure MFA server first and authenticates with MFA, then the user is sent to ISE so the policies in ISE dictate the level of access to the device using RADIUS. We will not be using the TACACS portion of ISE. The MFA server and ISE server are joined to the domain. I am attaching a picture of how I see this working.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

Let me say this another way:

ISE points to MFA as external radius proxy?

1. User supplicant authenticates against ISE proxied to MFA?

2. ISE does the authorization?

I think it would work but best to lab it up.


5 Replies

Thanks Jason, I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.

Hi All,

I tested Azure MFA and ISE integration for AnyConnect VPN and want to share my findings with the community.

  • MFA (on prem) server used as external RADIUS server (proxy)
    This did not work, because of a "RADIUS-Proxy: Response Proxy-State attribute validation failed" error.
    After taking some traces it seems ISE sends 2 'Proxy-State' AVPs (FirstProxy=<ISE IP> and Cisco Secure ACS) but only gets one of the 2 AVPs back in the RADIUS Access-Accept from the MFA server, while ISE should receive both unmodified.
  • MFA (on prem) server used as RADIUS token external identity source
    This works as expected, but limits the usage to PAP; MS-CHAPv2 is not possible in this scenario.
  • Microsoft NPS with MFA extension used as external RADIUS server (proxy)
    This works as expected, and it is possible to use MS-CHAPv2.
    NPS with MFA extension uses the cloud-hosted Azure MFA version.

Components used are:

ISE 2.4

AnyConnect 4.6

ASA 9.9.2

Azure MFA (on prem) server 8.0.0.3 on Server2012R2

NPS on Server2012R2 with Azure MFA extension 1.0.1.20
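The Proxy-State failure in the first bullet above is a protocol-conformance problem: RFC 2865 requires a RADIUS server to copy every Proxy-State attribute from the request into its reply, unmodified and in the same order, which is exactly what ISE's "Response Proxy-State attribute validation failed" message is checking. The script below is an added example, not code from this thread, Cisco or Microsoft: it contains a minimal RADIUS packet builder/parser and a checker that compares the Proxy-State attributes of a request and a reply, run here against constructed packets (the `192.0.2.10` address is a documentation-range placeholder, and the reply authenticator is not computed, since only the attribute list is under test). The same checker can be pointed at real Access-Request / Access-Accept pairs captured between ISE and the MFA server to confirm which attribute is being dropped.

```python
"""Verify that a RADIUS reply echoes the request's Proxy-State attributes (RFC 2865 section 5.33)."""
import struct

PROXY_STATE = 33       # RADIUS attribute type Proxy-State
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)


def build_packet(code, identifier, authenticator, attrs):
    """Serialize a RADIUS packet from a code, identifier, 16-byte authenticator and (type, value) AVPs."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the AVP list of a RADIUS packet, validating the length field and every attribute length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field %d does not match %d bytes received" % (length, len(packet)))
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def proxy_states(packet):
    """Proxy-State values in the order they appear in the packet."""
    return [v for t, v in parse_attributes(packet) if t == PROXY_STATE]


def check_proxy_state(request, response):
    """Return (ok, detail); ok is True only if the reply carries exactly the request's
    Proxy-State AVPs, unmodified and in the same order."""
    sent, got = proxy_states(request), proxy_states(response)
    if sent == got:
        return True, "all %d Proxy-State attribute(s) echoed" % len(sent)
    missing = [v for v in sent if v not in got]
    extra = [v for v in got if v not in sent]
    if missing:
        return False, "reply is missing Proxy-State %r" % missing
    if extra:
        return False, "reply added Proxy-State %r" % extra
    return False, "Proxy-State attributes echoed in the wrong order"


# Constructed sample packets (not captures). The two Proxy-State values follow the
# names quoted in the thread; the IP is a documentation-range placeholder and the
# authenticator is a fixed dummy, since only the attribute list is under test.
AUTHENTICATOR = bytes(range(16))
REQUEST = build_packet(ACCESS_REQUEST, 7, AUTHENTICATOR, [
    (1, b"jdoe"),                              # User-Name
    (PROXY_STATE, b"FirstProxy=192.0.2.10"),   # added by the outer proxy hop
    (PROXY_STATE, b"Cisco Secure ACS"),
])
# Compliant reply: both Proxy-State AVPs echoed in order.
GOOD_REPLY = build_packet(ACCESS_ACCEPT, 7, AUTHENTICATOR, [
    (PROXY_STATE, b"FirstProxy=192.0.2.10"),
    (PROXY_STATE, b"Cisco Secure ACS"),
])
# Non-compliant reply of the kind the post describes: only one of the two comes back.
BAD_REPLY = build_packet(ACCESS_ACCEPT, 7, AUTHENTICATOR, [
    (PROXY_STATE, b"FirstProxy=192.0.2.10"),
])

if __name__ == "__main__":
    for name, reply in (("compliant", GOOD_REPLY), ("dropped one", BAD_REPLY)):
        ok, detail = check_proxy_state(REQUEST, reply)
        print("%-12s %s: %s" % (name, "OK" if ok else "FAIL", detail))
```

Run stand-alone it reports the compliant reply as OK and the one-attribute reply as FAIL, naming the missing `Cisco Secure ACS` value. The checker deliberately reports missing, added and reordered Proxy-State attributes separately, because each points at a different misbehaving hop in a proxy chain.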

Ryan Wolfe
Level 5

I agree with Jason. I've actually done this before using RSA, Entrust, and Duo via RADIUS Proxy (and RSA via conf file, as well).

There's no reason it shouldn't work with ISE proxying the RADIUS authentication back to the Azure MFA server, as long as it supports RADIUS. This article looks to walk through the same setup using NPS, which means ISE should easily be able to do the same thing.

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius

Good luck.

Thanks, I also agree with Jason. I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.
