ASA SP for SAML (Microsoft MFA) + ISE for Authorization


Good Morning ISE admins,

I'm currently checking if this architecture works as intended.

We have a client that wants to enable Microsoft's MFA for their AnyConnect users using an ASA as an SP for SAML but keep ISE as their policy enforcement (dACLs based on group membership).

From what I read, I just have to set the ISE as an authorization server in the tunnel group, and after the user authenticates against AAD the ASA will send the username back to ISE for further authorization.

Has anyone tested this? For this I would need an Azure tenant and an AAD connector installed in order to sync users and groups so I can reference them in the AuthZ rules in ISE. I currently don't have these components.

The only reference I've found that resembles this is the following (THIS), but we don't want to use SGTs for this.

Let me know what you think of this


Cisco Employee

Sure, we may assign authorization profiles with DACL and use them for enforcement instead of using ACLs based on SGTs.
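An ASA-side configuration for the architecture discussed in this thread (SAML to Azure AD for authentication, ISE over RADIUS for authorization only), added here as an illustration and not taken from the thread or from Cisco's documentation. Server addresses, trustpoint, pool and group names, and the tenant-id placeholder are assumptions; the ISE authorization policy that matches the forwarded username to an AD group and returns the dACL is configured on the ISE side and is not shown.

```text
! --- RADIUS server group pointing at ISE (assumed address, interface and secret) ---
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.10.10.20
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! --- Azure AD as the SAML IdP (tenant-id placeholder; URLs come from the Azure enterprise app) ---
saml idp https://sts.windows.net/<tenant-id>/
 url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
 url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
 base-url https://vpn.example.com
 trustpoint idp AzureAD-IdP-Cert
 trustpoint sp ASA-SP-Cert
 no signature
 no force re-authentication
!
! --- Tunnel group: SAML handles authentication, ISE handles authorization ---
tunnel-group ANYCONNECT-SAML type remote-access
tunnel-group ANYCONNECT-SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ANYCONNECT
 ! No authentication-server-group here: the user is authenticated by Azure AD via SAML
 authorization-server-group ISE-RADIUS
 ! Drop the session if ISE does not return an authorization result
 authorization-required
tunnel-group ANYCONNECT-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias ANYCONNECT-SAML enable
```

After the SAML assertion is accepted, the ASA sends the asserted username to ISE-RADIUS, so the ISE authorization policy should key on that username (or its AD group membership) and return the dACL in its authorization profile.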
