Can ISE use Azure MFA with internal users on ISE for authorization only?

jewfcb001
Level 4

Hi All ,

I am trying to find a solution where AnyConnect integrates with Azure AD and ISE does authorization only. This solution is working fine, but ISE integrates with on-premise AD to do conditional authorization. If I need to use internal user groups to do authorization, can I do that?

Reference: https://www.packetswitch.co.uk/cisco-anyconnect-with-azure-ad/

https://community.cisco.com/t5/network-access-control/ise-using-azure-mfa-and-ad/td-p/3592900

24 Replies

In your own terms, what do you mean by authorization - "authorization I can go to ISE"?

As we repeatedly mentioned, that is not possible.

Based on the condition matched, ISE will have policies on what to access and what not to access.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi

I mean: if authentication is via 2FA on Azure AD, the FW will send authorization to ISE and ISE does the authorization. As the condition in authorization, I am using internal users. I will create the user the same as in AD instead of syncing users from AD (restrictions from the customer). Is my explanation clear?

Please see the detail below again.

If the user is already verified and he is in AD, what is the point of redoing the same verification?

Looks like we are going in circles here - spending enough time discussing the same situation again and again.

Personally, the solution does not work - the use case is not intended to be designed like that.

@Marius Gunnerud suggested you can look at the posture module to validate after 2-factor is done.

I would suggest contacting a local Cisco partner and TAC to validate the information provided here.

BB


@balaji.bandi 

Thank you so much for your help. 

Even if you configure the same user name and groups on the ISE, it will still be different from the user you are authenticating with, so there is nothing associating the user you are authenticating with to the objects you create in ISE. So, you have a couple of options here.

1. Install a posture agent on the end client PC and authorize the user based on some value configured on the PC.

2. Use certificate authentication with MFA. This way you can authorize the user based on values within the certificate.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud @balaji.bandi 

Thank you for the answer. And there is one way: ISE can integrate with on-premise AD (AD synced with Azure AD) and do the authorization condition by group on AD, because now I am using SAML 2FA on Azure and the user has the same information on on-premise AD. Is this way possible?

I do not think this is possible as ISE needs to be integrated with AD to be able to download AD groups.  You might want to look into using LDAP perhaps and see if that will satisfy your requirements.  Other than that, you might also want to look into setting up a Read-Only AD server, that synchronizes with the AD server, that ISE uses to fetch AD groups.


If Azure AD and on-prem AD are synced with the connector, you can use Azure AD with SAML.

BB


@balaji.bandi 

I tried to test with ISE joined to AD. It is working fine. But the customer needs to use local users if possible. I have a headache from this requirement.

Ask your customer to read the documents; we explained the limitation. Now it is your job to understand and explain it to the customer.

I should close this topic here. We do not need to reiterate what we said all the way through the discussion again and again.

BB
