Rao29
Beginner

Azure AD MFA for AnyConnect VPN clients with ISE 3.0 REST ID

Hi All,

Wondering if anyone is using ISE 3.0 REST ID with Azure AD? https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

If yes, once you've added Azure AD as an External Identity Source in ISE 3.0, can you leverage the Azure AD MFA feature for AnyConnect VPN clients?

I'm trying to set up MFA with Azure AD for AnyConnect VPN clients currently authenticating with ISE 3.0.

Any help will be greatly appreciated. Thanks.

2 REPLIES
Arne Bier
VIP Advisor

Hello @Rao29

Did you get a resolution to this?  It's a good question and I have not tried this myself - but keen to know other people's experiences.

thomas
Cisco Employee

ISE 3.0 REST ID with Azure AD uses OAuth-ROPC for handling 802.1X authentications for switches or wireless, not VPN. The reason for this is that with 802.1X you do not have an IP address until you are authenticated, and you cannot communicate with OAuth/SAML identity providers unless you have an IP address. This is a chicken and egg problem! See our ISE Webinar on YouTube on the topic: 802.1X with Azure AD using ROPC

Typically if you want to do OAuth/SAML-based authentication for VPN clients you have the ASA or other VPN concentrator handle the authentication against the OAuth/SAML Identity Provider then ISE handles the authorization.

See Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML and Configure ASA Anyconnect with SAML and Certificates.
