Azure AD MFA for Anyconnect VPN clients with ISE 3.0 REST ID

Rao29
Level 1

Hi All,

Wondering if anyone is using ISE 3.0 REST ID with Azure AD? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

If yes, once you've added Azure AD as an External Identity Source in ISE 3.0, can you leverage the Azure AD MFA feature for AnyConnect VPN clients?

I'm trying to set up MFA with Azure AD for AnyConnect VPN clients currently authenticating with ISE 3.0.

Any help will be greatly appreciated. Thanks.

2 Replies

Arne Bier
VIP

Hello @Rao29

Did you get a resolution to this? It's a good question and I have not tried this myself, but keen to know other people's experiences.

thomas
Cisco Employee

ISE 3.0 REST ID with Azure AD uses OAuth-ROPC for handling 802.1X authentications for switches or wireless, not VPN. The reason is that with 802.1X you do not have an IP address until you are authenticated, and you cannot communicate with OAuth/SAML identity providers unless you have an IP address. This is a chicken and egg problem! See our ISE Webinar on YouTube on the topic: 802.1X with Azure AD using ROPC

Typically if you want to do OAuth/SAML-based authentication for VPN clients you have the ASA or other VPN concentrator handle the authentication against the OAuth/SAML Identity Provider then ISE handles the authorization.

See Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML
and Configure ASA AnyConnect with SAML and Certificates.
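As an added illustration of the split described above (not configuration from this thread or from the linked Cisco documents), here is an ASA configuration outline in which Azure AD handles SAML authentication (and therefore the MFA prompt) while ISE is consulted over RADIUS for authorization only. The tenant ID, hostname, address, trustpoint names, pool and group names are placeholders, not values from the page.

```cisco
! Added example, not from the thread or the linked Cisco documents.
! <TENANT-ID>, vpn.example.com, 192.0.2.10, the trustpoint, pool and
! server-group names are placeholders; replace them with your own values.

! RADIUS server group pointing at ISE; used for authorization only
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>

! Azure AD as the SAML identity provider. The entity ID is the
! tenant's Azure AD issuer URL; sign-in/sign-out point at the
! tenant's SAML endpoint. Azure AD enforces Conditional Access / MFA
! during this SAML exchange, before the ASA ever talks to ISE.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-CERT
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication

! Tunnel group: authentication = SAML (Azure AD),
! authorization = ISE via RADIUS. "authorization-required" makes the
! ASA reject the session if ISE does not return an Access-Accept.
tunnel-group AC-AZURE type remote-access
tunnel-group AC-AZURE general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE-RADIUS
 authorization-required
 default-group-policy GP-AC-AZURE
tunnel-group AC-AZURE webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias AzureMFA enable
```

With this split, ISE never sees the user's password or the MFA step; its authorization policy acts on the identity asserted by Azure AD and the usual RADIUS/posture attributes.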
