03-10-2020 01:14 PM
I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE.
09-20-2021 06:00 AM
What is your ISE log saying is the cause of the authorization failure? Can you share the log?
11-16-2021 03:10 PM
I have the same issue: MFA is working, but authorization fails with the following ISE steps:
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP - Normalised Radius.RadiusFlowType (2 times)
15048  Queried PIP - Airespace.Airespace-Wlan-Id
15048  Queried PIP - DEVICE.Device Type
15041  Evaluating Identity Policy
22072  Selected identity source sequence - AD_Cert_local
15013  Selected Identity Source - Internal Users
24210  Looking up User in Internal Users IDStore - chapmanst@umsystem.edu
24212  Found User in Internal Users IDStore
24430  Authenticating user against Active Directory - AD1
24325  Resolving identity - chapmanst@umsystem.edu
24313  Search for matching accounts at join point - stl.umsl.edu
24319  Single matching account found in forest - umad.umsystem.edu
24323  Identity resolution detected single matching account
24344  RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,chapmanst@umad.umsystem.edu
24408  User authentication against Active Directory failed since user has entered the wrong password - AD1
22057  The advanced option that is configured for a failed authentication request is used
22061  The 'Reject' advanced option is configured in case of a failed authentication request
11003  Returned RADIUS Access-Reject
06-02-2022 12:51 AM
Did you check if you are getting live sessions for your MFA-authenticated users when only using ISE for AuthZ? I want to do this as well, but I am also doing pxGrid session sharing, so I need ISE to build and maintain sessions with user/MAC/IP mappings.
08-14-2022 04:28 PM
Hi @Josh Morris, I am attempting to set up a similar solution. The RADIUS token server doesn't seem to be possible, as Microsoft doesn't allow the option to install the MFA Server on the on-prem domain controller anymore: Getting started Azure MFA Server - Azure Active Directory - Microsoft Entra | Microsoft Docs.
It would be great if you can share more details or any reference documents that you've used for option 3.
08-17-2022 06:55 AM
I ended up going with option 3, but moved away from ASA and am doing it on FTD. I still think you can do all of this on ASA though. I have a single SSO profile that I use with multiple VPN connection profiles. The SSO profile uses the base URL (let's call it vpn.domain.com), but you can set up multiple Azure Enterprise Applications using SSO. For example, we have one for employees and another for vendors. The differentiating factors are the use of the connection profile names in the Identifier and Reply URL fields. Maybe the attached diagram will help.
After Azure returns an authentication accept, FMC uses the ISE Radius profile to send authorization request. The key is that in this particular profile, there is a box I checked called 'Enable Authorize only'. So ISE receives the authorize request and performs action based on whatever parameters I have applied in the policy set (vendors get limited access for example).
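The same design on an ASA, as an added configuration example that is not Josh's FTD/FMC configuration and not from the original thread: SAML authentication to an Azure AD Enterprise Application, then a RADIUS authorization-only request to ISE keyed on the connection profile (tunnel-group) name. The tenant ID, hostnames, IP address, trustpoint names, pool, group-policy and shared secret are placeholders, and the ISE-side policy set is assumed to be built as Josh describes (match on tunnel-group name plus AD group) rather than as a password authentication.

```cisco
! Added example, not from the thread. Placeholders: <TENANT-ID>, vpn.domain.com,
! 10.0.0.5, AZURE-IDP, ASA-SP, VPN_POOL, GP_Employees, <SHARED-SECRET>.

! 1. Azure AD as SAML IdP. Entity ID, sign-in and sign-out URLs come from the
!    Enterprise Application's SAML settings. The IdP signing certificate is
!    imported into trustpoint AZURE-IDP; the ASA's own server certificate
!    (matching the base-url) is in trustpoint ASA-SP.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AZURE-IDP
  trustpoint sp ASA-SP
  no force re-authentication
  no signature
  base-url https://vpn.domain.com

! 2. ISE as RADIUS server in authorize-only mode. The user was already
!    authenticated (and MFA'd) by Azure AD, so ISE must only authorize.
!    Without authorize-only, ISE treats the Access-Request as a normal
!    password authentication and checks it against AD, which produces the
!    STATUS_WRONG_PASSWORD / Access-Reject sequence shown earlier in the thread.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.0.0.5
 key <SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! 3. One connection profile per Azure Enterprise App. The tunnel-group name
!    is what differs between apps: it appears in the SP Entity ID
!    (https://vpn.domain.com/saml/sp/metadata/Employees) and in the Reply URL
!    (https://vpn.domain.com/+CSCOE+/saml/sp/acs?tgname=Employees), and ISE
!    can match on it in the authorization policy. A second profile, e.g.
!    Vendors, would repeat this block with its own group-policy.
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool VPN_POOL
 authorization-server-group ISE
 authorization-required
 accounting-server-group ISE
 default-group-policy GP_Employees
tunnel-group Employees webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias Employees enable
```

The accounting-server-group line is there so ISE builds a live session (user, IP, tunnel-group) for the authorized user; the question about pxGrid session sharing later in the thread depends on ISE having that session. If ISE's live log still shows an AD password check on the authorize-only request, the policy set selected for the ASA is performing authentication rather than authorization, and the 24344/24408 steps will reappear.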
02-01-2023 05:08 AM
Hi Josh
When setting up the multiple Enterprise Apps in Azure are you using the SAML certificates that get generated by Azure itself or have you uploaded a certificate that was issued by an External CA to each of your apps so they all have the same certificate?
Thanks
04-16-2024 11:39 AM
Hi Josh.
Per your statement "So ISE receives the authorize request and performs action based on whatever parameters I have applied in the policy set (vendors get limited access for example)."
What are the parameters you use in your policy set? I want to be able to use groups. Where does ISE receive the "authorize request" from?
04-19-2024 02:18 PM
I am able to use groups, but part of my workflow is that each user OU that I want to use has to first be defined as such in my domain under External Identity Sources > Active Directory > domain > Groups. Then my authorization rule can read "Tunnel group Name = GROUP_NAME AND ExternalGroup = AD_GROUP_NAME".
ISE receives the authorization request from the FTD itself. So the FTD authenticates to Azure AD then is authorized via ISE.
08-30-2023 03:47 PM
So did you configure Azure as the authentication server and ISE as the RADIUS server on the ASA? Would you mind telling me how you configured the Cisco ISE policy? The authentication options, like "if authentication fails, continue", etc.?
11-06-2024 05:59 AM
Has anyone had success with user identity mapping for RAVPN with these features enabled? With the 7.4.x code train it appears that the feature is supported per https://secure.cisco.com/secure-firewall/v7.4/docs/azure-ad-user-identity-with-ise
Unfortunately, it doesn't appear to work when the below configuration is enabled:
AnyConnect <-> FTD <-> AzureAD SAML + MFA <-> ISE AuthZ Only
Per the article, ISE is supposed to send the username to IP address mapping to the FMC using pxGrid, and then the FMC will retrieve the username to group mapping from Azure AD... but that piece appears to be failing. Based on my testing the realm shows as "special identities" vs "Azure AD".
The end goal would be able to apply MFA to the RAVPN while maintaining user identity mapping within the FMC for access control policy enforcement. Not sure if there is a better method for this when using Azure and the Microsoft Authenticator app exclusively?