Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris
Level 3

I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE.

  1. Set up Azure AD as an external RADIUS server and use a RADIUS server sequence in the policy set authentication rule. This one works most consistently for me. The downside is that you can't choose which method to use for authentication (SMS, app, notification, etc.).
  2. Set up Azure AD as a RADIUS token server. This one works, but is rather clunky. For example, I'll get multiple SMS messages, random drops, etc.
  3. Set up Azure AD as a SAML IdP. This one seems to be the most complex. Not sure of the advantages. I know it can be used as a SAML provider directly from the ASA... Could I have the ASA do SAML authentication and then let ISE do authorization? It looks like if I use ISE with the SAML IdP, you have to require a web portal for auth, which I don't want.

I have the same issue: MFA is working, but authorization fails with the following:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType (2 times)
15048 Queried PIP - Airespace.Airespace-Wlan-Id
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
22072 Selected identity source sequence - AD_Cert_local
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - chapmanst@umsystem.edu
24212 Found User in Internal Users IDStore
24430 Authenticating user against Active Directory - AD1
24325 Resolving identity - chapmanst@umsystem.edu
24313 Search for matching accounts at join point - stl.umsl.edu
24319 Single matching account found in forest - umad.umsystem.edu
24323 Identity resolution detected single matching account
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,chapmanst@umad.umsystem.edu
24408 User authentication against Active Directory failed since user has entered the wrong password - AD1
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject

Did you check if you are getting live sessions for your MFA-authenticated users when only using ISE for Authz? I want to do this as well, but I am also doing pxGrid session sharing, so I need ISE to build and maintain sessions with user/MAC/IP mappings.

Hi @Josh Morris, I am attempting to set up a similar solution. The RADIUS token server doesn't seem to be possible, as Microsoft doesn't allow the option to install the MFA server on the on-prem domain controller anymore: Getting started Azure MFA Server - Azure Active Directory - Microsoft Entra | Microsoft Docs.

It would be great if you can share more details or any reference documents that you've used for option 3.


I ended up going with option 3, but moved away from ASA and am doing it on FTD. I still think you can do all of this on ASA though. I have a single SSO profile that I use with multiple VPN connection profiles. The SSO profile uses the base URL (let's call it vpn.domain.com), but you can set up multiple Azure Enterprise Applications using SSO. For example, we have one for employees and another for vendors. The differentiating factors are the use of the connection profile names in the Identifier and Reply URL fields. Maybe the attached diagram will help.

After Azure returns an authentication accept, FMC uses the ISE RADIUS profile to send an authorization request. The key is that in this particular profile, there is a box I checked called 'Enable Authorize only'. So ISE receives the authorize request and performs an action based on whatever parameters I have applied in the policy set (vendors get limited access, for example).
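The same split (Azure AD does SAML authentication, ISE does RADIUS authorization only) expressed as ASA CLI, added here as an illustration and not taken from the thread or from the poster's FTD setup. Tenant ID, trustpoint names, the ISE address and the connection profile names are placeholders; the IdP Entity ID and sign-in URL follow the pattern Azure AD shows in the Enterprise Application's SAML settings.

```text
! --- SAML IdP definition: one per Azure Enterprise Application ---
! The entityID is the "Azure AD Identifier" of the app; replace <TENANT-ID>.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AZURE-SAML-TP          ! trustpoint holding the Azure signing cert
  trustpoint sp  ASA-SP-TP              ! trustpoint with the ASA's own cert (placeholder)
  no force re-authentication
  base-url https://vpn.domain.com       ! must match the Reply URL prefix in Azure

! --- ISE as RADIUS server, used for authorization only ---
aaa-server ISE-AUTHZ protocol radius
aaa-server ISE-AUTHZ (inside) host 192.0.2.10   ! placeholder ISE PSN address
 key <SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! --- Connection profile: authenticate with SAML, authorize against ISE ---
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 authorization-server-group ISE-AUTHZ   ! ASA sends an authorize-only RADIUS request
 authorization-required                 ! reject the session if ISE does not answer Accept
 accounting-server-group ISE-AUTHZ      ! optional: lets ISE build/keep a live session
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEES webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias employees enable
```

The username ISE sees in the authorize-only request is the SAML NameID returned by Azure, so the ISE policy set should match on that name (and on the tunnel-group or NAS attributes) rather than on a password.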

Hi Josh

When setting up the multiple Enterprise Apps in Azure are you using the SAML certificates that get generated by Azure itself or have you uploaded a certificate that was issued by an External CA to each of your apps so they all have the same certificate?

Thanks

lilimtzrmz
Level 1

So did you configure Azure as the authentication server on the ASA and ISE as the RADIUS server? Would you mind telling me how you configured the Cisco ISE policy? Authentication settings like "if fails, continue", etc.?
