cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1283
Views
5
Helpful
5
Replies
NiTech
Beginner

Azure ISE integration using SAML for Any connect VPN

I have tried to integrate ISE with Azure using SAML. Currently, I have only the Base licence.When I am trying to create the new Service Provider Info. we called the IDP in My Devices portal. At that time its showing License warning.Because we don't have any plus license. * do we need the plus license for saml? *is it possible to configure saml using sponsor portal for VPN ?
1 ACCEPTED SOLUTION

Accepted Solutions

You likely cannot use the My Devices Portal function without the Plus license, as that Portal is tied to the BYOD function.

To be clear, SAML IdP can only be used to authenticate users for Portal-based authentications (and only for specific portals). It cannot be used for authentication methods that are not web-auth portal-based (PEAP, EAP-TLS, PAP, etc).

 

I'm not sure how you intend to insert a Portal-based authentication into the Remote Access VPN flow and if it is a supported flow. Can you please clarify the flow you are trying to create?

View solution in original post

5 REPLIES 5
Greg Gibbs
Cisco Employee

The Plus license should not be required for authentication to a SAML IdP. The My Devices portal is intended for use as part of the BYOD feature set which does use the Plus license, so it is likely what is triggering the license warning.

The Sponsor Portal is part of the Guest feature set which is covered by the Base license, but I'm not sure how you are trying to fit that into the VPN flow.

 

Please be aware that, to my understanding, there has been a change in the authentication method structure between ISE and Azure since the SAML IdP support for Azure was introduced in ISE 2.1 (I believe MS may have tightened the supported auth methods). AFAIK, SAML IdP integration with current ISE versions does not work.

There is an open enhancement to resolve this in a future version of ISE (but may not be possible to back-port the fix to previous versions).

Thanks Greg,

 

But my concern is, without Plus license how can we Extract the Service Provider Info zip file using my device portal or we have any other alternative method to configure the service provider info.

You likely cannot use the My Devices Portal function without the Plus license, as that Portal is tied to the BYOD function.

To be clear, SAML IdP can only be used to authenticate users for Portal-based authentications (and only for specific portals). It cannot be used for authentication methods that are not web-auth portal-based (PEAP, EAP-TLS, PAP, etc).

 

I'm not sure how you intend to insert a Portal-based authentication into the Remote Access VPN flow and if it is a supported flow. Can you please clarify the flow you are trying to create?

View solution in original post

when the time of saml configuration I got an error 'this certificate is not trusted or invalid'

 

Please help me sort this issue

Be sure you have exported and uploaded the ISE SAML certificate for your App Registration in Azure.

Some additional information (although I cannot guarantee this will work with current versions of ISE, as I mentioned initially), can be found at the following link:

Notes on Azure AD as SAML IdP

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (46%)

Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel