Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1323
Views
5
Helpful
2
Replies

AnyConnect MFA with Azure AD SSO and ISE TLS Authentication

Go to solution
sanchezeldorado
Level 1
Level 1

‎11-30-2022 04:27 PM

Hello. 

I don't want to re-invent the wheel here. I'm using FTD firewalls with FMC using Azure AD SAML SSO authentication, then my internal ISE server is doing the Authorization. I'm being asked to require that only company computers are allowed to connect. My ISE server is already configured for Wireless clients to use 802.1x authentication based on TLS certificates. Unfortunately, I'm not seeing an option within firepower to use SAML and AAA. Is there a way to use a second authentication method from firepower after Azure AD succeeds? Or if not that, can I get some direction on how this is accomplished? I'm assuming that I would set my ISE server for Authentication, and then somehow have ISE do the SAML authentication as well as TLS. I'm just not sure where to begin with that. My certificates are from an internal CA.

 

Thanks!

Andy

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎12-01-2022 12:41 AM

Hi @sanchezeldorado,

From FTD version 7.2 it is possible to use both SAML and certificates for RA VPN, speaking about additional authentication methids with SSO.

With SSO, what I'm doing, is usage of SAML for authentication, followed by AAA (RADIUS) for authorization-only part. Please take a look at this post for more details.

Kind regards,

Milos

View solution in original post

2 Replies 2

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎12-01-2022 12:41 AM

Hi @sanchezeldorado,

From FTD version 7.2 it is possible to use both SAML and certificates for RA VPN, speaking about additional authentication methids with SSO.

With SSO, what I'm doing, is usage of SAML for authentication, followed by AAA (RADIUS) for authorization-only part. Please take a look at this post for more details.

Kind regards,

Milos

Go to solution
sanchezeldorado
Level 1
Level 1
In response to Milos_Jovanovic

‎12-01-2022 07:44 AM

Thank you! That article is exactly what I was looking for. And I didn't know about 7.2. I'm currently doing it the same way you are. My company doesn't like to go beyond the current recommended version of FTD (7.0.4), so I'll let them decide if they want to upgrade.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents