Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
1
Replies

ASA SP for SAML (Micrososft MFA) + ISE for Authorization

gihernandezn91
Beginner
Beginner

‎01-17-2023 05:13 AM

Good Morning ISE admins,

Im currently checking if this architecture works as intended.

We have a client that wants to enable Microsofts MFA for their anyconnect users using an ASA as an SP for SAML but keep ISE as their policy enforcement (dacls based on group membership).

From what I read I just have to set the ISE as an authorization server in the tunnel group and after the user authenticates against AAD the ASA will send the username back to ISE for further authorization.

Has anyone tested this? For this i would need an Azure tenant and a AAD connector installed in order to sync users and groups so i can reference them in the Authz rules in ISE. I currently dont have these components.

The only reference ive found that resembles this is the following (THIS) but we dont want to use SGTs for this

Let me know what you think of this

0 Helpful
1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎02-06-2023 07:28 PM

Sure, we may assign authorization profiles with DACL and use them for enforcement instead of using ACLs based on SGTs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents