Good Morning ISE admins,
I'm currently checking if this architecture works as intended.
We have a client that wants to enable Microsoft's MFA for their AnyConnect users using an ASA as an SP for SAML but keep ISE as their policy enforcement (dACLs based on group membership).
From what I read I just have to set the ISE as an authorization server in the tunnel group, and after the user authenticates against AAD the ASA will send the username back to ISE for further authorization.
Has anyone tested this? For this I would need an Azure tenant and an AAD connector installed in order to sync users and groups so I can reference them in the Authz rules in ISE. I currently don't have these components.
The only reference I've found that resembles this is the following (THIS), but we don't want to use SGTs for this.
Let me know what you think of this.
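As an added illustration, not from the poster, the general shape of the ASA configuration the post describes: SAML authentication against Azure AD on the tunnel group, plus a RADIUS server group pointing at ISE that is used for authorization only, so ISE can return a dACL based on the user's AD group. The tenant ID, hostnames, addresses, trustpoint and object names below are placeholders, not values from the post.

```text
! --- RADIUS group for ISE, used only for authorization/accounting (placeholder names) ---
aaa-server ISE-AUTHZ protocol radius
 authorize-only
 dynamic-authorization
aaa-server ISE-AUTHZ (inside) host 10.0.0.5
 key <ise-shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! --- Azure AD as SAML IdP (tenant ID and trustpoints are placeholders) ---
saml idp https://sts.windows.net/<TENANT-ID>/
 url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
 url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
 base-url https://vpn.example.com
 trustpoint idp AZUREAD-IDP
 trustpoint sp ASA-SP
 no signature
 no force re-authentication

! --- Tunnel group: authenticate via SAML, authorize via ISE ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE-AUTHZ
 accounting-server-group ISE-AUTHZ
 default-group-policy GP-RA
 authorization-required
tunnel-group RA-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias RA-VPN enable

! --- Verification after a test login ---
show aaa-server ISE-AUTHZ
show vpn-sessiondb anyconnect filter name <test-user>
```

Two things to check in a lab before relying on it: the username the ASA forwards to ISE is the SAML NameID, so the NameID claim Azure AD issues must match the identity ISE can look up in Active Directory (or in the synced group data) for the group-based Authz rules to match; and `authorization-required` makes the ASA reject the session if ISE does not return an Access-Accept, which is the behavior you want so that a successful MFA login without a matching ISE policy does not silently fall back to the default group policy.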