cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20764
Views
64
Helpful
24
Replies

Best way to integrate ASA/ISE/Azure AD for MFA?

Josh Morris
Level 3
Level 3

I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE. 

  1. Setup Azure AD as External Radius Server and use a Radius Server Sequence in the Policy Set Auth rule. This one works most consistently for me. Downside is that you can't choose which method to use for authentication (SMS, app, notification, etc.)
  2. Setup Azure AD as a Radius Token server. This one works, but is rather clunky. For example, I'll get multiple SMS messages, random drops, etc.
  3. Setup Azure AD an a SAML idP. This one is the most complex it seems. Not sure of the advantages. I know it can be used as a SAML provider directly from the ASA...Could I have the ASA do SAML authentication and then let ISE do authorization? It looks like if I use ISE with the SAML iDP, you have to require a web portal for auth, which I don't want. 
24 Replies 24

What is your ISE log saying is the cause of the authorization failure? Can you share the log?

I have the same issue MFA is working but fail authorization with the following

 

11001Received RADIUS Access-Request
 11017RADIUS created a new session
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP - Normalised Radius.RadiusFlowType (2 times)
 15048Queried PIP - Airespace.Airespace-Wlan-Id
 15048Queried PIP - DEVICE.Device Type
 15041Evaluating Identity Policy
 22072Selected identity source sequence - AD_Cert_local
 15013Selected Identity Source - Internal Users
 24210Looking up User in Internal Users IDStore - chapmanst@umsystem.edu
 24212Found User in Internal Users IDStore
 24430Authenticating user against Active Directory - AD1
 24325Resolving identity - chapmanst@umsystem.edu
 24313Search for matching accounts at join point - stl.umsl.edu
 24319Single matching account found in forest - umad.umsystem.edu
 24323Identity resolution detected single matching account
 24344RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,chapmanst@umad.umsystem.edu
 24408User authentication against Active Directory failed since user has entered the wrong password - AD1
 22057The advanced option that is configured for a failed authentication request is used
 22061The 'Reject' advanced option is configured in case of a failed authentication request
 11003Returned RADIUS Access-Reject

Did you check if you are getting live sessions for your MFA authenticated users, when only using ISE for Authz? I want to do this as well, but i am also doing pxgrid session sharing, so i need ISE to build and maintain sessions with user/mac/ip mappings.

Hi @Josh Morris , I am attempting to setup a similar solution. The radius token server doesn't seem to be possible as Microsoft doesn't allow the option to install the MFA server on the on-prem domain controller anymore : Getting started Azure MFA Server - Azure Active Directory - Microsoft Entra | Microsoft Docs.

It would be great if you can share more details or any reference documents that you've used for option 3.

 

I ended up going option 3, but moved away from ASA and am doing it on FTD. I still think you can do all of this on ASA though. I have a single SSO profile that I use with multiple VPN connection profiles. The SSO profile uses the base url (lets call it vpn.domain.com), but you can setup multiple Azure Enterprise Applications using SSO. For example, we have one for employees and another for vendors. The differentiating factors are the use of the connection profile names in the Identifier and Reply URL fields. Maybe the attached diagram will help. 

After Azure returns an authentication accept, FMC uses the ISE Radius profile to send authorization request. The key is that in this particular profile, there is a box I checked called 'Enable Authorize only'. So ISE receives the authorize request and performs action based on whatever parameters I have applied in the policy set (vendors get limited access for example).

Hi Josh

When setting up the multiple Enterprise Apps in Azure are you using the SAML certificates that get generated by Azure itself or have you uploaded a certificate that was issued by an External CA to each of your apps so they all have the same certificate?

Thanks

Hi Josh.
Per your statement "So ISE receives the authorize request and performs action based on whatever parameters I have applied in the policy set (vendors get limited access for example)."
What are the parameters you use in your policy set? I want to be able to use groups. Where does ISE receive the "authorize request" from?

I am able to use groups, but part of my workflow is that each user OU that I want to use has to first be defined as such in my domain under External Identity Sources > Active Directory > domain > groups. Then my authorization rule can read "Tunnel group Name = GROUP_NAME AND Externalgroup = AD_GROUP_NAME.

ISE receives the authorization request from the FTD itself. So the FTD authenticates to Azure AD then is authorized via ISE.

lilimtzrmz
Level 1
Level 1

So did you configure in Asa Azure as authentication server and ISE as radius server? Would you mind tell me how did you configured cisco ISE policy? Authentication like if fails continue, etc? 

sbaker2014
Level 1
Level 1

Has anyone had success with user identity mapping for RAVPN with these features enabled?  With the 7.4.x code train it appears that the feature is supported per https://secure.cisco.com/secure-firewall/v7.4/docs/azure-ad-user-identity-with-ise

Unfortunately, it doesn't appear to work when the below configuration is enabled:

AnyConnect <-> FTD <-> AzureAD SAML + MFA <-> ISE AuthZ Only

Per the article, ISE is supposed to send the username to IP address mapping to the FMC using pxGrid, and then the FMC will retrieve the username to group mapping from Azure AD... but that piece appears to be failing.  Based on my testing the realm shows as "special identities" vs "Azure AD".

The end goal would be able to apply MFA to the RAVPN while maintaining user identity mapping within the FMC for access control policy enforcement.  Not sure if there is a better method for this when using Azure and the Microsoft Authenticator app exclusively?