ASA SP for SAML (Microsoft MFA) + ISE for Authorization

gihernandezn91
Level 1

Good Morning ISE admins,

I'm currently checking if this architecture works as intended.

We have a client that wants to enable Microsoft's MFA for their AnyConnect users using an ASA as an SP for SAML but keep ISE as their policy enforcement (DACLs based on group membership).

From what I read, I just have to set ISE as an authorization server in the tunnel group, and after the user authenticates against AAD the ASA will send the username back to ISE for further authorization.

Has anyone tested this? For this I would need an Azure tenant and an AAD connector installed in order to sync users and groups so I can reference them in the AuthZ rules in ISE. I currently don't have these components.

The only reference I've found that resembles this is the following (THIS), but we don't want to use SGTs for this.

Let me know what you think of this.
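The wiring the post describes (SAML authentication to the IdP on the tunnel group, RADIUS authorization against ISE), as an added ASA configuration example that is not from the original post or from Cisco's documentation. The object names (AnyConnect-SAML, ISE-RADIUS, the trustpoints, VPN-POOL, GP-ANYCONNECT), the ISE host address and the `<tenant-id>` placeholder are all assumptions; substitute the real values from the Azure enterprise application and the ISE deployment.

```cisco
! --- Added example: ASA as SAML SP, ISE as authorization server ---
! All names, addresses and <tenant-id> below are placeholders/assumptions.

! SAML IdP definition (values come from the Azure AD enterprise application)
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AZUREAD-IDP-TP
  trustpoint sp ASA-SP-TP
  no force re-authentication
  base-url https://vpn.example.com

! RADIUS server group pointing at ISE (assumed inside address)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Tunnel group: SAML for authentication, ISE only for authorization/accounting
tunnel-group AnyConnect-SAML type remote-access
tunnel-group AnyConnect-SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ANYCONNECT
 authorization-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 authorization-required
tunnel-group AnyConnect-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias SAML-MFA enable
```

With `authorization-required` set, a session is torn down if ISE does not return an Access-Accept, so the ISE policy must match every legitimate user. ISE only sees the username the ASA forwards in the RADIUS request, not the SAML assertion, so the authorization rule has to match that username form against ISE's own AD join point (and return the authorization profile with the DACL) rather than anything the IdP asserted.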

2 Replies

hslai
Cisco Employee

Sure, we may assign authorization profiles with DACL and use them for enforcement instead of using ACLs based on SGTs.

Divya Jain
Cisco Employee

Hi,
You can refer to this guide for DACL.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540


-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------

Regards,
Divya Jain
