03-10-2020 01:14 PM
I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE.
03-16-2020 12:29 PM
Hi,
If you find option 3 to be best for you, yes, you can use SAML authentication and RADIUS/ISE authorization.
Regards,
Cristian Matei.
11-27-2020 05:57 AM
Hi Cristian,
I am looking forward to option 3, which should now be supported from ISE 3.0.
Can you guide me to some configuration guide from Cisco which I could follow to set it up? (ASA - ISE - SAML IdP with Azure AD and Azure MFA)
I came across the limitation that Azure MFA is for ISE web portal auth only. Does it mean I can't use it for Windows Always-On VPN with AnyConnect?
What would be the alternative to use? E.g. Duo instead of ISE to interconnect the ASA VPN termination through Duo with Microsoft MFA.
Thx.
Ivan
01-08-2021 10:40 AM
Is there any Cisco documentation that is non-Duo based and fully caters to AnyConnect--Azure-SAML-ASA and ISE for authorization? Hoping we do need to spend time with TAC.
08-30-2023 04:24 PM
How should the ISE portion be configured (authentication)?
08-30-2023 08:32 PM
The flow for this would be:
ASA <-> AzureAD SAML + MFA (optional) <-> ISE AuthZ Only
With the ASA configured to use ISE for AuthZ Only, the Authentication Policy in ISE will be bypassed. As such, the default authC policy can be set to DenyAccess and the flow will still work.
Example ASA config from my lab using ISE 3.2:
tunnel-group sslvpn-saml32 type remote-access
tunnel-group sslvpn-saml32 general-attributes
address-pool vpnpool
authorization-server-group ISE32_RAD
default-group-policy GroupPolicy_sslvpn-saml32
tunnel-group sslvpn-saml32 webvpn-attributes
authentication saml
group-alias sslvpn-saml32 enable
saml identity-provider https://sts.windows.net/xxx
!
aaa-server ISE32_RAD protocol radius
authorize-only
interim-accounting-update
dynamic-authorization
aaa-server ISE32_RAD (management) host 192.168.222.52
key *****
authentication-port 1812
accounting-port 1813
08-30-2023 08:53 PM
Thanks for the information... Under this scenario is it possible to implement posture also? Is there any Cisco document in which I can consult the traffic? I wanna know how the ASA passes the authorization request to ISE.
08-30-2023 09:26 PM
Yes, it is possible to include the ISE Posture flow for this use case. The Posture flow would be no different than the example in this ASA VPN video series.
The authorize only feature is described in the ASA Configuration Guide.
If you do not want to use ISE for authentication, select Use authorization only mode.
"This option indicates that when this server group is used for authorization, the RADIUS Access Request message will be built as an “Authorize Only” request as opposed to the configured password methods defined for the AAA server."
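To make the "Authorize Only" request concrete, here is an added example (not from this thread or any Cisco product) that encodes an RFC 2865 Access-Request carrying only a User-Name, a Service-Type of Authorize-Only and an RFC 2869 Message-Authenticator, and a check that rejects any request that carries a User-Password or fails HMAC verification. The shared secret is a constructed value, and using Service-Type 17 (the RFC 5176 Authorize-Only value) as the marker is an assumption of the example, not something the thread states.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret for the example, not a value from the thread.
SHARED_SECRET = b"example-radius-secret"
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_MSG_AUTH = 1, 2, 6, 80
SERVICE_TYPE_AUTHORIZE_ONLY = 17  # RFC 5176 value; assumed marker for authorize-only


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_authorize_only_request(username: str, identifier: int = 1) -> bytes:
    """Encode an RFC 2865 Access-Request with no User-Password: the user was
    already authenticated upstream (the SAML IdP), so the NAS only asks the
    RADIUS server for authorization attributes for this identity."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 0) + os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY))
    attrs += _attr(ATTR_MSG_AUTH, b"\x00" * 16)  # zeroed while computing the HMAC
    header = header[:2] + struct.pack("!H", 20 + len(attrs)) + header[4:]
    mac = hmac.new(SHARED_SECRET, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # RFC 2869 Message-Authenticator


def parse_attributes(packet: bytes) -> dict:
    """Decode attribute TLVs after the 20-byte header into {type: (offset, value)}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = (pos, packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def is_authorize_only(packet: bytes) -> bool:
    """True only if the request carries no User-Password, asks for Authorize-Only
    service, and its Message-Authenticator verifies under the shared secret."""
    attrs = parse_attributes(packet)
    if (ATTR_USER_PASSWORD in attrs or ATTR_SERVICE_TYPE not in attrs
            or ATTR_MSG_AUTH not in attrs):
        return False
    if struct.unpack("!I", attrs[ATTR_SERVICE_TYPE][1])[0] != SERVICE_TYPE_AUTHORIZE_ONLY:
        return False
    offset, mac = attrs[ATTR_MSG_AUTH]
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    expected = hmac.new(SHARED_SECRET, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)
```

Feeding a captured Access-Request from the ASA into `is_authorize_only` is a quick way to confirm in a lab that the authorize-only server group really omits the password attribute before opening a TAC case.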
04-16-2024 11:33 AM
Hi Greg. I know this is an old post, but it's the only one I could find that's close to what I'm trying to accomplish.
I understand this flow ASA <-> AzureAD SAML + MFA (optional) <-> ISE AuthZ Only
However, what do you use as matching criteria for your AuthZ conditions?
09-17-2021 04:07 AM
Any update ?
The Azure AD ROPC works only with 802.1X correct ?
09-17-2021 06:31 AM
I ended up taking option # 3 and it's working very well. ISE is acting as an authorization only server. Azure is performing authentication and conditional access. I honestly think that is a great solution.
09-17-2021 06:51 AM
Thank you!!
I will try it.
09-17-2021 12:50 PM
Hi Josh,
Do you have any documentation as to how you used ISE for authorization in this Azure ASA SAML scenario option 3 for AnyConnect?
I get failed authorizations on the UPN name in ISE , as email/UPN auths are done by azure AD.
Any info is appreciated.
Thank you
09-17-2021 01:31 PM
If you're using FTD, you must define the SAML server for authentication, and an authorize-only server for ISE authorization and accounting. This tripped me up when I first tried. With this setup, authentication is first sent to Azure. If accepted, FTD then sends an authorization only request to ISE.
09-17-2021 01:50 PM
Thank you Josh,
We do not use FTD, but we use ASA; ISE is selected as Authorization for the AnyConnect connection profile. MFA is working fine, but for now failed authorizations are indicators of the connections. Maybe a TAC case needs to be opened.