01-17-2023 05:13 AM
Good Morning ISE admins,
I'm currently checking if this architecture works as intended.
We have a client that wants to enable Microsoft's MFA for their AnyConnect users using an ASA as an SP for SAML, but keep ISE as their policy enforcement (DACLs based on group membership).
From what I read, I just have to set the ISE as an authorization server in the tunnel group, and after the user authenticates against AAD the ASA will send the username back to ISE for further authorization.
Has anyone tested this? For this I would need an Azure tenant and an AAD connector installed in order to sync users and groups so I can reference them in the AuthZ rules in ISE. I currently don't have these components.
The only reference I've found that resembles this is the following (THIS), but we don't want to use SGTs for this.
Let me know what you think of this.
02-06-2023 07:28 PM
Sure, we may assign authorization profiles with DACL and use them for enforcement instead of using ACLs based on SGTs.
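As an added example (not posted by anyone in this thread and not a Cisco reference configuration), this is the ASA side of the design being discussed: SAML against AAD for authentication, then a RADIUS authorize-only request to ISE carrying the SAML username, with the DACL coming back from the ISE authorization profile. Server names, addresses, the pool, the trustpoints and the tenant ID are placeholders.

```asa
! ISE reached as an authorize-only RADIUS server (no password is validated here;
! authentication already happened via SAML). CoA is enabled so ISE can change
! the session's authorization later.
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 10.1.1.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
 authorize-only

! Azure AD as the SAML identity provider; entity ID and URLs are tenant-specific.
! Certificates: one trustpoint for the IdP signing cert, one for the ASA (SP).
webvpn
 saml idp https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2
  base-url https://vpn.example.com
  trustpoint idp AAD-IDP-TP
  trustpoint sp ASA-SP-TP

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Tunnel group: SAML does authentication, ISE does authorization.
! authorization-required ensures a user ISE rejects does not get a session.
tunnel-group AC-SAML type remote-access
tunnel-group AC-SAML general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE-RADIUS
 authorization-required
tunnel-group AC-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/
 group-alias AC-SAML enable
```

On the ISE side (not shown) the authorization rule matches the user's group and returns an authorization profile carrying the DACL; `show vpn-sessiondb detail anyconnect` on the ASA shows the filter that was applied to the session.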
03-28-2023 02:01 AM
Hi,
You can refer to this guide for DACL.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540
-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------
Regards,
Divya Jain