Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2574
Views
5
Helpful
5
Replies

Azure ISE integration using SAML for Any connect VPN

Go to solution
NiTech
Level 1
Level 1

‎04-20-2020 06:59 AM

I have tried to integrate ISE with Azure using SAML. Currently, I have only the Base licence.When I am trying to create the new Service Provider Info. we called the IDP in My Devices portal. At that time its showing License warning.Because we don't have any plus license. * do we need the plus license for saml? *is it possible to configure saml using sponsor portal for VPN ?
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to NiTech

‎04-21-2020 12:41 AM

You likely cannot use the My Devices Portal function without the Plus license, as that Portal is tied to the BYOD function.

To be clear, SAML IdP can only be used to authenticate users for Portal-based authentications (and only for specific portals). It cannot be used for authentication methods that are not web-auth portal-based (PEAP, EAP-TLS, PAP, etc).

 

I'm not sure how you intend to insert a Portal-based authentication into the Remote Access VPN flow and if it is a supported flow. Can you please clarify the flow you are trying to create?

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-20-2020 03:54 PM

The Plus license should not be required for authentication to a SAML IdP. The My Devices portal is intended for use as part of the BYOD feature set which does use the Plus license, so it is likely what is triggering the license warning.

The Sponsor Portal is part of the Guest feature set which is covered by the Base license, but I'm not sure how you are trying to fit that into the VPN flow.

 

Please be aware that, to my understanding, there has been a change in the authentication method structure between ISE and Azure since the SAML IdP support for Azure was introduced in ISE 2.1 (I believe MS may have tightened the supported auth methods). AFAIK, SAML IdP integration with current ISE versions does not work.

There is an open enhancement to resolve this in a future version of ISE (but may not be possible to back-port the fix to previous versions).

0 Helpful

Go to solution
NiTech
Level 1
Level 1
In response to Greg Gibbs

‎04-20-2020 11:52 PM

Thanks Greg,

 

But my concern is, without Plus license how can we Extract the Service Provider Info zip file using my device portal or we have any other alternative method to configure the service provider info.

Preview file
55 KB
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to NiTech

‎04-21-2020 12:41 AM

You likely cannot use the My Devices Portal function without the Plus license, as that Portal is tied to the BYOD function.

To be clear, SAML IdP can only be used to authenticate users for Portal-based authentications (and only for specific portals). It cannot be used for authentication methods that are not web-auth portal-based (PEAP, EAP-TLS, PAP, etc).

 

I'm not sure how you intend to insert a Portal-based authentication into the Remote Access VPN flow and if it is a supported flow. Can you please clarify the flow you are trying to create?

0 Helpful

Go to solution
NiTech
Level 1
Level 1
In response to Greg Gibbs

‎04-22-2020 10:16 AM

when the time of saml configuration I got an error 'this certificate is not trusted or invalid'

 

Please help me sort this issue

Preview file
23 KB
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to NiTech

‎04-22-2020 09:01 PM

Be sure you have exported and uploaded the ISE SAML certificate for your App Registration in Azure.

Some additional information (although I cannot guarantee this will work with current versions of ISE, as I mentioned initially), can be found at the following link:

Notes on Azure AD as SAML IdP

Customers Also Viewed These Support Documents