07-15-2021 01:21 PM
Hi All,
Wondering if anyone is using ISE 3.0 REST ID with Azure AD? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html
If yes, once you've added Azure AD as an External Identity Source in ISE 3.0, can you leverage the Azure AD MFA feature for AnyConnect VPN clients?
I'm trying to set up MFA with Azure AD for AnyConnect VPN clients currently authenticating with ISE 3.0.
Any help will be greatly appreciated. Thanks.
07-29-2021 08:56 PM
Hello @Rao29
Did you get a resolution to this? It's a good question and I have not tried this myself - but keen to know other people's experiences.
08-03-2021 10:37 PM - edited 08-04-2021 11:29 AM
ISE 3.0 REST ID with Azure AD uses OAuth-ROPC for handling 802.1X authentications for switches or wireless, not VPN. The reason for this is that with 802.1X you do not have an IP address until you are authenticated, and you cannot communicate with OAuth/SAML identity providers unless you have an IP address. This is a chicken-and-egg problem! See our ISE webinar on YouTube on the topic: 802.1X with Azure AD using ROPC
Typically if you want to do OAuth/SAML-based authentication for VPN clients you have the ASA or other VPN concentrator handle the authentication against the OAuth/SAML Identity Provider then ISE handles the authorization.
See Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML
and Configure ASA AnyConnect with SAML and Certificates.
05-11-2024 05:39 PM
Hello Thomas,
I have almost the same scenario, authenticate using SAML and authorize using ISE, but the issue that we are facing with authorization is how to match the users' membership in AD groups. I'm using the External Identity match to provide the authorization profile, but it is not working (the Azure and ISE integration is working and I'm able to fetch all groups inside the AD).
Thanks
05-12-2024 03:24 PM
@masees85, what version of ISE are you using? I believe this ability to perform authorization against Entra ID (when ISE is not doing the authentication) requires the feature enhancement in ISE 3.2, similar to the use case for 802.1X using EAP-TLS.
I have this setup in my lab using ISE 3.2 patch 5 using the following flow with both an ASA and FTD and it works as expected.
ASA/FTD -> [SAML] Entra ID + MFA -> ISE AuthZ Only
05-12-2024 04:07 PM
Thanks for your reply Greg. My ISE version is 3.2.0.542. Okay, the question is: how does ISE check the user membership while the groups are on Azure AD? For instance, if user x is in the sales group, how will ISE recognize that? Does ISE check directly from ISE to Azure, or will the FTD send the attributes it gets from Azure AD on to ISE?
05-12-2024 11:29 PM
ISE queries Entra ID directly via the Graph API using the identity provided to ISE by the VPN headend. It's important that the identity that ISE gets is the User Principal Name (UPN), as that is the only attribute ISE can use to perform the REST ID lookup against the Graph API.
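The authorization-only step Greg describes, as an added Python model that is not part of this thread or of ISE itself: the VPN headend hands over the authenticated identity, and the group lookup against the Graph API `memberOf` endpoint can only succeed if that identity is a UPN. The Graph transport is injected (`fetch_json`) and replaced here by a constructed in-memory directory; the UPNs, group names and profile names are assumptions.

```python
"""Model of ISE 'AuthZ only' against Entra ID: resolve the identity passed by
the VPN headend by UPN via the Graph API and map group membership to an
authorization profile. Constructed example, not ISE code; runs offline."""
import re
from urllib.parse import quote, unquote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # real Graph v1.0 base URL
UPN_RE = re.compile(r"^[^@\\/\s]+@[^@\\/\s]+\.[^@\\/\s]+$")

def is_upn(identity):
    """Only user@tenant-domain can be resolved by the REST ID lookup;
    a bare sAMAccountName or DOMAIN\\user form cannot."""
    return bool(UPN_RE.match(identity))

def member_of_url(upn):
    # Graph accepts /users/{id | userPrincipalName}; the UPN must be URL-encoded.
    return f"{GRAPH_BASE}/users/{quote(upn, safe='')}/memberOf"

def group_names(fetch_json, upn):
    """Display names of the groups the user belongs to. fetch_json(url) -> dict
    is the injected transport (assumed to already carry an app bearer token)."""
    payload = fetch_json(member_of_url(upn))
    return {obj["displayName"] for obj in payload.get("value", [])
            if obj.get("@odata.type") == "#microsoft.graph.group"}

def authorize(identity, fetch_json, rules):
    """rules: {group displayName: authorization profile}, evaluated in order.
    Returns (profile, reason); 'DenyAccess' when nothing can match."""
    if not is_upn(identity):
        return ("DenyAccess", f"identity '{identity}' is not a UPN; lookup impossible")
    groups = group_names(fetch_json, identity)
    for group, profile in rules.items():
        if group in groups:
            return (profile, f"matched group {group}")
    return ("DenyAccess", "no authorization rule matched")

# Constructed stand-in for the tenant directory (assumed UPNs and groups).
FAKE_DIRECTORY = {"jdoe@example.com": ["Sales", "VPN-Users"],
                  "asmith@example.com": ["Engineering"]}

def fake_fetch(url):
    # Mimics the shape of a Graph memberOf response for the requested UPN.
    upn = unquote(url.split("/users/")[1].split("/memberOf")[0])
    return {"value": [{"@odata.type": "#microsoft.graph.group", "displayName": g}
                      for g in FAKE_DIRECTORY.get(upn, [])]}

RULES = {"Sales": "Sales-VPN-Profile", "VPN-Users": "Default-VPN-Profile"}
```

Feed `authorize("EXAMPLE\\jdoe", fake_fetch, RULES)` a sAMAccountName-style identity and it is denied before any lookup, which is the failure mode to check first when the Entra ID integration itself works but no group matches.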