Cisco Identity Services Engine 3.2 Azure AD MFA

jitendrac
Level 1

Hi All,

I just wanted to check if it is mandatory to disable MFA for Azure AD users so that ISE can do user authentication?

4 Replies

balaji.bandi
Hall of Fame

Depends on the requirement.

If you are looking for only ISE to do authentication, then you do not need to configure MFA.

If you are looking for MFA, then you need to use MFA with a different method, not the AD authentication.

Example: MS SAML for MFA.

BB


Greg Gibbs
Cisco Employee (Accepted Solution)

What specific use case are you referring to for user authentication?

If you're talking about REST ID using ROPC for Wired/Wireless/VPN user authentication, then a blanket per-user MFA policy could cause issues. In that case, you would want to use a Conditional Access policy for MFA and ensure the App Registration used for the Graph API is exempted from MFA.

We use ISE 3.2 Patch 4 REST ID using ROPC for Wired user authentication with Azure Active Directory. The authentication method used is EAP-TTLS. Customers do not want to disable MFA. I suggested they use the Conditional Access policy; however, my query is in the Conditional Access policy: what should be the conditions so that MFA will be bypassed for user authentication requests coming from the PSN node? Shall I create a Location Policy and mention the PSN IP address? Or Client apps (Other Client) that do not use modern authentication? (attachment: Bypass MFA.JPG)
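Greg Gibbs's accepted answer above comes down to two checks an admin can automate: MFA should be driven by a Conditional Access policy rather than per-user MFA, and the App Registration ISE uses for the Graph API must be excluded from that policy, otherwise the ROPC request from the PSN is denied. The script below is an added example for this thread, not Cisco's or Microsoft's code. It audits a list of policy objects in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (as returned by `GET /identity/conditionalAccess/policies`) and reports any enforced MFA policy that still covers the ISE app; the sample policies and the app id are constructed placeholders, not values from this thread.

```python
"""Audit Azure AD Conditional Access policies for an ISE REST ID app registration.

Added example for this thread (not Cisco's or Microsoft's code). The policy
dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy
resource; the sample policies and the ISE app id below are constructed
placeholders, not values from the thread.
"""
from typing import Dict, List

# Placeholder for the client id of the App Registration ISE uses for the Graph API.
ISE_APP_ID = "PLACEHOLDER-ISE-APP-REGISTRATION-ID"


def policy_requires_mfa(policy: Dict) -> bool:
    """True when the policy is enforced (not report-only/disabled) and grants MFA."""
    if policy.get("state") != "enabled":
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def app_in_scope(policy: Dict, app_id: str) -> bool:
    """True when app_id falls under the policy's cloud-app condition."""
    apps = policy.get("conditions", {}).get("applications", {})
    include = apps.get("includeApplications", [])
    exclude = apps.get("excludeApplications", [])
    targeted = "All" in include or app_id in include
    return targeted and app_id not in exclude


def find_blocking_policies(policies: List[Dict], app_id: str) -> List[str]:
    """Names of enforced MFA policies that still cover app_id (what would break ROPC)."""
    return [p["displayName"] for p in policies
            if policy_requires_mfa(p) and app_in_scope(p, app_id)]


def build_mfa_policy(exempt_app_id: str) -> Dict:
    """Tenant-wide MFA policy that exempts the ISE app registration, per the accepted answer."""
    return {
        "displayName": "Require MFA for all users (ISE REST ID exempt)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": [exempt_app_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed sample policies, in the shape returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_POLICIES = [
    {   # blanket MFA with no exclusion: the ROPC request from the PSN is denied
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    build_mfa_policy(ISE_APP_ID),
    {   # report-only: logged in sign-in logs but not enforced, so it does not block
        "displayName": "Require MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for name in find_blocking_policies(SAMPLE_POLICIES, ISE_APP_ID):
        print(f"MFA policy still applies to the ISE app registration: {name}")
```

Run against the real policy list from Graph, the audit lists exactly the policies that would cause the REST ID failure Greg describes; an empty result with the tenant's MFA policy still enabled is the state the accepted answer is aiming for. The report-only sample shows why `state` has to be checked and not just the grant control.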

hslai
Cisco Employee

@jitendrac ISE 3.2 adds this feature EAP-TLS and TEAP Authorization Support with Azure AD and that might fit your requirements better. Otherwise, please work with Microsoft support on the conditional access policy.