cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20011
Views
64
Helpful
24
Replies

Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris
Level 3
Level 3

I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE. 

  1. Setup Azure AD as External Radius Server and use a Radius Server Sequence in the Policy Set Auth rule. This one works most consistently for me. Downside is that you can't choose which method to use for authentication (SMS, app, notification, etc.)
  2. Setup Azure AD as a Radius Token server. This one works, but is rather clunky. For example, I'll get multiple SMS messages, random drops, etc.
  3. Setup Azure AD an a SAML idP. This one is the most complex it seems. Not sure of the advantages. I know it can be used as a SAML provider directly from the ASA...Could I have the ASA do SAML authentication and then let ISE do authorization? It looks like if I use ISE with the SAML iDP, you have to require a web portal for auth, which I don't want. 
1 Accepted Solution

Accepted Solutions

I ended up taking option # 3 and its working very well. ISE is acting as an authorization only server. Azure is performing authentication and conditional access. I honestly think that is a great solution. 

View solution in original post

24 Replies 24

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

   If you find option 3 to be best for you, yes, you can use SAML authentication and RADIUS/ISE authorization.

 

Regards,

Cristian Matei.

Hi Cristian,

 

I am looking forward for the option 3 which should now be supported from the ISE 3.0.

Can you guide me to some configured guide from Cisco which I could follow to set it up?  (ASA - ISE - SAML IdP with Azure AD and Azure MFA)

 

I came across the limitation that Azure MFA is for ISE web portal auth only. Does it means I can't use it for Windows Always-On VPN with Anyconnect?

 

What would be the alternative to use? E.g. Duo instead of ISE to interconnect the ASA VPN termination through Duo with Microsoft MFA.

 

Thx.

Ivan

Is there any Cisco documentation, that is non duo based and fully caters to Any connect--Azure-Saml-ASA and ISE for authorization.Hoping we do need to spend time with TAC.

 

How should ise portion be configured (authentication)? 

The flow for this would be:

ASA <-> AzureAD SAML + MFA (optional) <-> ISE AuthZ Only

With the ASA configured to use ISE for AuthZ Only, the Authentication Policy in ISE will be bypassed. As such, the default authC policy can be set to DenyAccess and the flow will still work.

Example ASA config from my lab using ISE 3.2

tunnel-group sslvpn-saml32 type remote-access
tunnel-group sslvpn-saml32 general-attributes
address-pool vpnpool
authorization-server-group ISE32_RAD
default-group-policy GroupPolicy_sslvpn-saml32
tunnel-group sslvpn-saml32 webvpn-attributes
authentication saml
group-alias sslvpn-saml32 enable
saml identity-provider https://sts.windows.net/xxx
!
aaa-server ISE32_RAD protocol radius
authorize-only
interim-accounting-update
dynamic-authorization
aaa-server ISE32_RAD (management) host 192.168.222.52
key *****
authentication-port 1812
accounting-port 1813

 

Thanks for the information... <span;>Under this scenario is it possible to implement posture also? Is there any cisco document in which I can consult the traffic? I wanna know how Asa pass the authorization request to ISE

Yes, it is possible to include the ISE Posture flow for this use case. The Posture flow would be no different than the example in this ASA VPN video series.

The authorize only feature is described in the ASA Configuration Guide.

If you do not want to use ISE for authentication, select Use authorization only mode.

"This option indicates that when this server group is used for authorization, the RADIUS Access Request message will be built as an “Authorize Only” request as opposed to the configured password methods defined for the AAA server."

Hi Greg. I know this is an old post, but it's the only one I could find that's close to what I'm trying to accomplish.

I understand this flow ASA <-> AzureAD SAML + MFA (optional) <-> ISE AuthZ Only

However, what do you use as matching criteria for your AuthZ conditions?

Spyros Kasapis
Level 1
Level 1

Any update ?

The Azure AD ROPC works only with 802.1X correct ?

I ended up taking option # 3 and its working very well. ISE is acting as an authorization only server. Azure is performing authentication and conditional access. I honestly think that is a great solution. 

thank you !!

 

i will try it .

Hi Josh,

Do you have any documentation, as to how, you used ISE for authorization in this azure ASA saml scenario option 3 for Anyconnect ?

I get failed authorizations on the UPN name in ISE , as email/UPN auths are done by azure AD.

Any info is appreciated.

Thank you

 

If you're using FTD, you must define the SAML server for authentication, and an authorize-only server for ISE authorization and accounting. This tripped me up when I first tried. With this setup, authentication is first sent to Azure. if accepted, FTD then sends authorization only request to ISE. 

Thank you Josh,

We do not use FTD, but we use ASA, ISE is selected as Authorization for Any connect connection profile. MFA is working fine, but for now failed authorizations are indicators of the connections. May be a TAC case needs to be opened.