3521 Views · 2 Helpful · 7 Replies

Azure MFA again but with specific requirements

Istvan Segyik
Cisco Employee

Dear Colleagues,

We have a scenario in which the end user has ISE 2.0 deployed worldwide and currently uses it for LAN, WLAN and RAVPN authentication.

They have an on-premise AD deployment already synchronized with the Azure cloud and they started to use Azure MFA for their Azure hosted cloud based applications.

They want to use Azure MFA for their AnyConnect RAVPN deployment too.

I told them to use MFA as the primary authentication method and ISE for authorization only. That could work.

However in that case ASA would send clear text RADIUS messages over the Internet to the Azure MFA service.

Microsoft insists that the only solution would be deploying NPS servers on-premise, which have IPsec tunnels to MFA by default and which could be queried by the ASAs over RADIUS. However, neither the customer nor we really want Microsoft pushing their NPS servers into the environment.

Do you see any way to solve the issue? Use Azure MFA either directly on the ASA as the primary authentication method or attached to ISE as an external ID store (I don't know if this is supported at all), and yet somehow have an encrypted channel between the ASA or ISE and the Azure MFA server?

Any help would be highly appreciated!

Istvan

7 Replies

hslai
Cisco Employee

ISE 2.2+ supports IPSec with network devices. See Configure ISE 2.2 IPSEC to Secure NAD (ASA) Communication

We have not tested it with a RADIUS server, so it is not supported, but it might work.

Hi Hsing-Tsu,

I don't think that ISE can do IPsec with an external RADIUS token server, since it is not possible to define the remote IPsec peer, so I am afraid ISE can only receive IPsec-protected RADIUS requests. Can you please confirm this?

Best regards,

Istvan

As I mentioned before, it's not tested or supported to have IPsec between ISE and another RADIUS server.

hslai
Cisco Employee

ASA AnyConnect RA-VPN supports external SAML IdPs. Perhaps you may use Azure AD + Azure MFA as the first auth and then authorize to ISE.

Paul has a lab guide on AnyConnect using PingFed as SAML IdP and I have some notes with Azure AD as SAML IdP for ISE @ Notes on Azure AD as SAML IdP

Hi Hsing-Tsu,

Thank you for your response.

This brings up a few questions in my mind:

- How do we configure ISE for an "Authorization only" request from ASA when the password is either nothing or the username or cisco instead of a valid one (I can't recall the ASA authorization-server-group behavior by heart)?

- Do we have any configuration example or design guide for this "ISE as authorization only" scenario? Not necessarily with SAML used as an authentication method but any other primary?

Best regards,

Istvan

We would use PAP between ASA and ISE and configure "continue" if auth fails. I will forward you one slide from Paul.
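
Putting hslai's two replies together (Azure AD + Azure MFA as the SAML IdP for authentication, ISE as an authorization-only RADIUS server over PAP, ISE set to continue on a failed authentication), the following ASA configuration sketch is an added example; it is not from the original thread, from Paul's slide, or from Cisco documentation for this exact case. The tenant ID, hostnames, inside IP address, trustpoint names, tunnel-group name and shared secret are placeholders. The ISE side is described in the trailing comments because it is set in the ISE GUI, not on the ASA CLI.

```cisco
! Added example, not from the original post.
! Placeholders: <TENANT-ID>, vpn.example.com, 10.0.0.10, <SHARED-SECRET>,
! trustpoint names AZURE-IDP-CERT / ASA-SP-CERT, tunnel-group AZURE-MFA-VPN.
!
! 1. Azure AD as the SAML IdP (MFA is enforced on the Azure AD side, so the
!    MFA exchange runs over HTTPS in the user's browser, not over RADIUS
!    across the Internet).
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
  ! trustpoint holding the IdP's SAML signing certificate
  trustpoint idp AZURE-IDP-CERT
  ! the ASA's own certificate, used when it acts as SAML SP
  trustpoint sp ASA-SP-CERT
  no force re-authentication
  base-url https://vpn.example.com
!
! 2. ISE as a RADIUS server on the inside interface; this RADIUS exchange
!    never leaves the corporate network.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key <SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
!
! 3. Tunnel group: SAML does the authentication, ISE does authorization only.
tunnel-group AZURE-MFA-VPN type remote-access
tunnel-group AZURE-MFA-VPN general-attributes
 authorization-server-group ISE
 authorization-required
tunnel-group AZURE-MFA-VPN webvpn-attributes
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 authentication saml
 group-alias AzureMFA enable
!
! ISE side (GUI, not CLI): in the policy set that matches these requests,
! set the authentication rule's "If Authentication failed" option to
! "Continue" (and "If User not found" to "Continue"). The authorization-only
! Access-Request from the ASA carries a password that will not validate
! against AD, so without "Continue" ISE would reject it before the
! authorization policy (e.g. AD group -> group-policy / dACL) ever runs.
```

The point of the split is that the only credential exchange that crosses the Internet is the browser-based SAML/MFA flow to Azure AD over TLS, while the PAP RADIUS exchange stays between the ASA and ISE inside the network, which addresses the clear-text-RADIUS-over-Internet concern raised in the original question.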

Hi Hsing-Tsu,

Thank you very much in advance for the configuration slide.

I think this will be the solution for us. At least to test.