Solved: Cisco ISE 2.4 + Guest Portal Azure disable MFA

iman.yuliarto · ‎05-24-2022

Hi Guys,

We have an issue with Cisco ISE 2.4.0.357 patch 13 + wireless Guest portal to Azure with SAML, the configuration was work properly until last week.

We have changes at last month to enable MFA on all azure authentication, but the issue just appears last week.

the issue is :

after we try to research this, we found the link

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75011-auth-method-mismatch

also this cisco live pdf at page 32 https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/documents-securite/9/1/Webcast_ISE_Pujol_mar09_2021.pdf

but we can't find on the ISE how to modify SAML Header request to Azure. we need to remove RequestedAuthnContext as suggested by Microsoft and Cisco

We want to disable Azure MFA only for Cisco ISE communication.

did anyone have face this issue?

Thanks for help

Greg Gibbs · ‎05-24-2022

The Cisco deck you shared specifically references ISE version 3.0. This is an enhancement that would not be present in your current version of ISE 2.4. You will need to upgrade your ISE deployment to take advantage of this feature enhancement.

You should also be aware that ISE version 2.4 reaches End of Support in Dec 2022.

View solution in original post

Greg Gibbs · ‎05-24-2022

The Cisco deck you shared specifically references ISE version 3.0. This is an enhancement that would not be present in your current version of ISE 2.4. You will need to upgrade your ISE deployment to take advantage of this feature enhancement.

You should also be aware that ISE version 2.4 reaches End of Support in Dec 2022.

iman.yuliarto · ‎05-25-2022

Hi Greg,

So if we want to disable or enable the MFA we should upgrade to ISE 3.0 as the Cisco Deck provide?

Yeah sure we want to upgrade but ISE 3.0 licensing is different. Thanks for remind.