1593 Views | 0 Helpful | 24 Replies

Can ISE using Azure MFA with Internal User on ISE for authorize only

jewfcb001 (Level 4)

Hi All,

I am trying to find a solution where AnyConnect integrates with Azure AD and ISE does authorization only. This solution works fine, but ISE integrates with on-premise AD to do conditional authorization. If I need to use an internal user group for authorization, can I do that?

Reference: https://www.packetswitch.co.uk/cisco-anyconnect-with-azure-ad/

https://community.cisco.com/t5/network-access-control/ise-using-azure-mfa-and-ad/td-p/3592900

[Attached image: jewfcb001_0-1672900921474.png]

24 Replies

balaji.bandi (Hall of Fame)

Trying to understand your scenario: are you looking at authentication with local ISE and authorization sent to Azure AD?

Please clarify.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi 

I am looking for authentication with Azure AD and an authorization check against an internal user group for the authorization policy. I'm not sure whether I explained it clearly or not.

OK, how are your Azure AD and on-prem AD synched? Do you have any agent?

Are the users different on-prem and in the Azure cloud?

If you have synched users and groups to Azure AD, then ISE can use that AD group for authentication and authorization. What is the challenge you see here?

BB


@balaji.bandi 

I understand that if I sync ISE with on-prem AD, and AD replicates with Azure AD, I can do that.

My scenario is that I will not sync users from the AD group. Can I manually create the same users as in AD as local users in ISE? Can I do that?

If the users and groups are not synched, how do you validate that the user belongs to a group which is not there?

Can I manually create the same users as in AD as local users in ISE? Can I do that? - If you create local users in ISE, the users will be local users; they are not AD users, right? If you are looking to authenticate and authorize with that database, sure, you can do so.

Personally, your use case is not valid. An AD user should be located in AD and belong to a group that exists, so that the condition matches here.

BB


@balaji.bandi 

Thank you for the answer. I see your answer, but the customer has some restrictions.

I am looking at authentication with Azure AD, and for the authorization condition I will use the local user group and users in ISE.

I don't see any option for what you are looking for. You are looking at 2 different systems. As far as I know, you can use either local or Azure AD for authentication and authorization.

BB


@balaji.bandi 

I will try Azure AD for AnyConnect authentication first, and have ISE do authorization with internal local users.

I think I will test it first.

If you are also looking at two-factor authentication, you could take advantage of SAML with MS Authenticator with Azure AD.

BB


@balaji.bandi 

Yes, I am looking for 2FA. Now I integrate SAML with Azure AD, and after authentication I need ISE to do authorization, but in the condition on ISE I need the local user group in ISE to do that. That's all of my requirement.

I'm not sure whether you got my point?

You can create a local user in ISE and have the user use that for authentication, but this user will not be associated in any way with Active Directory.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud 

You can create a local user in ISE. You mean that for authentication I can go to Azure AD first, and for authorization I can go to ISE and check the group and user on ISE. Is my understanding correct? If so, that's my objective.

No, that is not what I meant. You need to either use an external user or an internal user. If you are using an external user but want to match on something other than an Active Directory group or similar, you would need to install a posture agent on the client machine and then match on something local on the machine that the agent can identify.

Matching on a user group local to the ISE is not possible as far as I know. There is no way to associate an external user with a local group that I can see.


The picture below is my objective. I understand it is what I want, but there are restrictions from the customer.

[Attached image: jewfcb001_0-1672970105703.png]