Azure AD MFA for Anyconnect VPN clients with ISE 3.0 REST ID


Hi All,

Wondering if anyone is using ISE 3.0 REST ID with Azure AD?

If yes, once you've added Azure AD as an External Identity Source in ISE 3.0, can you leverage the Azure AD MFA feature for Anyconnect VPN clients?

I'm trying to set up MFA with Azure AD for Anyconnect VPN clients currently authenticating with ISE 3.0.

Any help will be greatly appreciated. Thanks.

Arne Bier
VIP Advisor

Hello @Rao29

Did you get a resolution to this? It's a good question and I have not tried this myself - but keen to know other people's experiences.

Cisco Employee

ISE 3.0 REST ID with Azure AD uses OAuth-ROPC for handling 802.1X authentications for switches or wireless, not VPN. The reason for this is that with 802.1X you do not have an IP address until you are authenticated, and you cannot communicate with OAuth/SAML identity providers unless you have an IP address. This is a chicken-and-egg problem! See our ISE Webinar on YouTube on the topic: 802.1X with Azure AD using ROPC

Typically, if you want to do OAuth/SAML-based authentication for VPN clients, you have the ASA or other VPN concentrator handle the authentication against the OAuth/SAML Identity Provider, then ISE handles the authorization.

See Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML
and Configure ASA Anyconnect with SAML and Certificates.

