07-15-2021 01:21 PM
Hi All,
Wondering if anyone is using ISE 3.0 REST ID with Azure AD ? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html
If yes, once you've added Azure AD as an External Identity Source in ISE 3.0, can you leverage on Azure AD MFA feature for Anyconnect VPN clients ?
I'm trying to setup MFA with Azure AD for Anyconnect VPN clients currently authenticating with ISE 3.0.
Any help will be greatly appreciated. Thanks.
07-29-2021 08:56 PM
Hello @Rao29
Did you get a resolution to this? It's a good question and I have not tried this myself - but keen to know other people's experiences.
08-03-2021 10:37 PM - edited 08-04-2021 11:29 AM
ISE 3.0 REST ID with Azure AD uses OAuth-ROPC for handling 802.1X authentications for switches or wireless, not VPN. The reason for this is that with 802.1X you do not have an IP address until you are authenticated, and you cannot communicate with OAuth/SAML identity providers unless you have an IP address. This is a chicken-and-egg problem! See our ISE webinar on YouTube on the topic: 802.1X with Azure AD using ROPC
Typically if you want to do OAuth/SAML-based authentication for VPN clients you have the ASA or other VPN concentrator handle the authentication against the OAuth/SAML Identity Provider then ISE handles the authorization.
See Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML
and Configure ASA Anyconnect with SAML and Certificates .
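As an added illustration (not part of either reply above, and not Cisco or Microsoft code), the following Python shows the OAuth 2.0 ROPC exchange that ISE REST ID performs against Azure AD, and why it cannot satisfy an Azure AD MFA requirement: ROPC sends the username and password directly to the v2.0 token endpoint, and when the user is subject to MFA Azure AD rejects the grant with error code AADSTS50076 instead of issuing a token. The tenant ID, client ID, secret, user names and the JSON responses are constructed sample values; the function that builds the request only prepares the URL and form body, so the block runs offline.

```python
import json
from urllib.parse import urlencode

# Constructed placeholder values (not a real tenant or app registration).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-secret"  # illustration only; never hard-code a real secret


def ropc_request(tenant_id, client_id, client_secret, username, password,
                 scope="openid profile"):
    """Build the Azure AD v2.0 ROPC token request (grant_type=password).

    Returns (url, headers, body). The password travels in the form body,
    which is the defining property of ROPC: the identity provider never
    gets an interactive session in which it could challenge for MFA.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "username": username,
        "password": password,
    })
    return url, headers, body


# Azure AD error codes (the numeric part of AADSTSxxxxx) that an ROPC
# caller should map to distinct outcomes.
MFA_CODES = {50076, 50079}             # MFA required / MFA enrollment required
BAD_CREDENTIAL_CODES = {50126}         # invalid username or password
BLOCKED_CODES = {50053, 50057, 53003}  # locked out / disabled / Conditional Access


def evaluate_token_response(status, body_text):
    """Classify a token-endpoint response into an authentication outcome."""
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return "ACCEPT"
    codes = set(data.get("error_codes", []))
    if codes & MFA_CODES:
        # ROPC cannot complete a second factor; this is a hard failure,
        # not a prompt, so MFA-enforced users can never pass this path.
        return "MFA_REQUIRED"
    if codes & BAD_CREDENTIAL_CODES:
        return "REJECT_BAD_CREDENTIALS"
    if codes & BLOCKED_CODES:
        return "REJECT_BLOCKED"
    return "REJECT_OTHER"


# Constructed sample responses in the shape Azure AD returns.
SUCCESS_JSON = json.dumps({
    "token_type": "Bearer", "scope": "openid profile", "expires_in": 3599,
    "access_token": "eyJ0eXAi...constructed...", "id_token": "eyJ0eXAi...constructed...",
})
MFA_JSON = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you "
                         "must use multi-factor authentication to access this resource.",
    "error_codes": [50076],
})
BAD_PW_JSON = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid "
                         "username or password.",
    "error_codes": [50126],
})


if __name__ == "__main__":
    url, headers, body = ropc_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET,
                                      "alice@example.com", "correct horse")
    print("POST", url)
    print(body)
    for status, text in ((200, SUCCESS_JSON), (400, MFA_JSON), (400, BAD_PW_JSON)):
        print(status, "->", evaluate_token_response(status, text))
```

In practice this means the Azure AD MFA requirement has to be met somewhere else in the chain, which is why the replies above point at the ASA doing SAML against Azure AD (where the browser-based flow can complete MFA) with ISE left to authorize.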