AnyConnect MFA with Azure AD SSO and ISE TLS Authentication

sanchezeldorado (Beginner)

Hello. 

I don't want to re-invent the wheel here. I'm using FTD firewalls with FMC using Azure AD SAML SSO authentication, then my internal ISE server is doing the Authorization. I'm being asked to require that only company computers are allowed to connect. My ISE server is already configured for Wireless clients to use 802.1x authentication based on TLS certificates. Unfortunately, I'm not seeing an option within firepower to use SAML and AAA. Is there a way to use a second authentication method from firepower after Azure AD succeeds? Or if not that, can I get some direction on how this is accomplished? I'm assuming that I would set my ISE server for Authentication, and then somehow have ISE do the SAML authentication as well as TLS. I'm just not sure where to begin with that. My certificates are from an internal CA.


Thanks!

Andy

Accepted Solution

Milos_Jovanovic (VIP Engager)

Hi @sanchezeldorado,

From FTD version 7.2 it is possible to use both SAML and certificates for RA VPN, speaking about additional authentication methods with SSO.

With SSO, what I'm doing is using SAML for authentication, followed by AAA (RADIUS) for the authorization-only part. Please take a look at this post for more details.

Kind regards,

Milos


2 Replies

Thank you! That article is exactly what I was looking for. And I didn't know about 7.2. I'm currently doing it the same way you are. My company doesn't like to go beyond the current recommended version of FTD (7.0.4), so I'll let them decide if they want to upgrade.
