Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3542
Views
0
Helpful
5
Replies

Cisco Anyconnect MFA with ISE

Go to solution
Ricky Sandhu
Level 3
Level 3

‎09-26-2019 06:18 PM

Good evening,  not sure if this is possible as I can't find any information on this.  We have a working installation of Cisco Anyconnect terminating on an adaptive security appliance which forwards AuthC requests to ISE at our data center.  ISE checks against AD and if the user is found access is permitted.  Now we are looking to implement multi-factor authentication.  Is it possible to somehow marry MFA into our existing solution OR do we need to move our RADIUS authentication off ISE and onto Azure?  

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jj27
Spotlight
Spotlight
In response to Ricky Sandhu

‎09-26-2019 10:05 PM

If you're using Microsoft MFA, you can utilize that as the authentication server for the VPN connection then utilize Cisco ISE as the authorization-only server.  I have this working in multiple environments.  Users authenticate with username/password, the MFA then texts/calls them, and after successful authentication the requests are sent to ISE for authorization where you can check for AD Group membership, push different attributes for the VPN session, etc.

 

Here's a sample config:

tunnel-group MicrosoftMFA type remote-access
tunnel-group MicrosoftMFA general-attributes
 authentication-server-group MFA
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy MicrosoftMFA
 password-management

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Ricky Sandhu
Level 3
Level 3

‎09-26-2019 07:25 PM - edited ‎09-26-2019 07:25 PM

If I were to simplify this question, "What is the best way to implement multi-factor authentication for Anyconnect while also using ISE as the AAA RADIUS server used by the ASA to forward authentication requests?"

0 Helpful

Go to solution
jj27
Spotlight
Spotlight
In response to Ricky Sandhu

‎09-26-2019 10:05 PM

If you're using Microsoft MFA, you can utilize that as the authentication server for the VPN connection then utilize Cisco ISE as the authorization-only server.  I have this working in multiple environments.  Users authenticate with username/password, the MFA then texts/calls them, and after successful authentication the requests are sent to ISE for authorization where you can check for AD Group membership, push different attributes for the VPN session, etc.

 

Here's a sample config:

tunnel-group MicrosoftMFA type remote-access
tunnel-group MicrosoftMFA general-attributes
 authentication-server-group MFA
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy MicrosoftMFA
 password-management
0 Helpful

Go to solution
Ricky Sandhu
Level 3
Level 3
In response to jj27

‎09-27-2019 11:15 AM

Thank you for your response.  I will definitely give this a try and report back.

Cheers!

0 Helpful

Go to solution
Ricky Sandhu
Level 3
Level 3
In response to jj27

‎09-27-2019 11:23 AM

Quick question, when creating a Policy Set in ISE for this VPN authorization, I am assuming the Authentication Policy should be set to Permit correct? Since we're not really trying to authenticate.
0 Helpful

Go to solution
lurbani
Cisco Employee
Cisco Employee
In response to jj27

‎02-17-2022 05:48 AM

does this configuration work even if the authorisation is performed by ISE against AD groups on Azure Cloud?

0 Helpful
Customers Also Viewed These Support Documents