12-14-2017 07:59 AM
I have been working on setting up multi-factor authentication using RADIUS. I first tried to use Duo Auth Proxy with little success. We were trying to use ISE as the primary RADIUS authenticator https://duo.com/docs/radius. What I would like to try is that we have an Azure MFA server on site. I would like to set it up so that when we log into a device using RADIUS with MFA, it would hit the Azure MFA server first, authenticate with MFA, then the user is sent to ISE for the policies in ISE to dictate the level of access to the device using RADIUS. We will not be using the TACACS portion of ISE. The MFA server and ISE server are joined to the domain. I am attaching a picture of how I see this working.
12-14-2017 08:18 AM
Let me say this another way:
ISE points to MFA as external RADIUS proxy?
1. User supplicant authenticates against ISE proxied to MFA?
2. ISE does the authorization?
I think it would work but best to lab it up.
12-15-2017 11:34 AM
Thanks Jason, I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the Authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.
07-26-2018 01:23 PM
Hi All,
I tested Azure MFA and ISE integration for AnyConnect VPN and want to share my findings with the community.
Components used are:
ISE 2.4
AnyConnect 4.6
ASA 9.9.2
Azure MFA (on prem) server 8.0.0.3 on Server2012R2
NPS on Server2012R2 with Azure MFA extension 1.0.1.20
12-15-2017 10:06 AM
I agree with Jason. I've actually done this before using RSA, Entrust, and Duo via RADIUS Proxy (and RSA via conf file, as well).
There's no reason it shouldn't work with ISE proxying the RADIUS authentication back to the Azure MFA server, as long as it supports RADIUS. This article looks to walk through the same setup using NPS, which means ISE should easily be able to do the same thing.
Good luck.
12-15-2017 11:33 AM
Thanks, I also agree with Jason. I have a Duo Auth Proxy and an Azure MFA server set up as external RADIUS servers and I use them in the Authentication rules in ISE. I was just curious if I could set them up differently. They both work great, just getting some push back because no one wants to enter the PIN number with Duo, but that's what the bosses want. Thanks much guys.