04-16-2023 08:52 PM
I would like to see if it's possible to integrate Cisco ISE with Azure AD Multi-Factor Authentication. Now I'm using Network Policy Server (NPS) to do Azure AD Multi-Factor Authentication. Here is the network flow and configuration for easy understanding.
Use Azure AD Multi-Factor Authentication with NPS - Microsoft Entra | Microsoft Learn
04-16-2023 10:40 PM
ISE cannot simply take the place of NPS in this flow as it does not have a function to integrate with Azure AD MFA like the NPS extension.
Depending on what use case you are working with (VPN, Wired, Wireless, Device Admin, etc.), you could configure ISE to use your existing NPS as a RADIUS proxy. ISE would forward the RADIUS/TACACS+ requests to NPS to handle the authentication + MFA, then ISE could perform the authorization-only piece based on the response from NPS.
If you are looking at the VPN use case, you could also have a Cisco ASA/FTD VPN headend perform the authentication via SAML + Azure MFA part itself and use ISE for the Authorization only part of the flow.
04-17-2023 01:51 AM
Thanks for your advice, Greg.
F5 VPN is my use case. Is it possible to share more details on how to have a Cisco ASA/FTD VPN headend perform the authentication via SAML + Azure MFA part itself and use ISE for the authorization-only part of the flow?
04-17-2023 03:51 PM
I'm not aware of a single document that includes the entire flow, but you could use a combination of concepts from the following documents:
Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML
Integrate Azure MFA with Cisco AnyConnect VPN (does not properly use the tunnel-group 'authorize only' config)
VPN certificate auth using ISE? (discusses proper use of the tunnel-group 'authorize only' config)
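A sketch of the ASA side of that split, added here as an illustration and not taken from the linked documents or from any poster's configuration: the tunnel-group authenticates via SAML against Azure AD, and ISE is referenced only as the authorization server. All names, addresses, trustpoints and the tenant ID are placeholders; the ISE side (accepting the authorization-only request and returning authorization attributes such as the group-policy) is configured in the ISE GUI and is not shown.

```cisco
! Global SAML IdP definition for the Azure AD tenant.
! <TENANT-ID>, trustpoint names and base-url are placeholders.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
  trustpoint idp AZURE_IDP_CERT
  trustpoint sp ASA_SP_CERT
  base-url https://vpn.example.com
  no signature
  no force re-authentication

! ISE PSN used for authorization only (placeholder address and secret).
aaa-server ISE_AUTHZ protocol radius
aaa-server ISE_AUTHZ (inside) host 10.0.0.10
 key <SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! Tunnel-group: SAML handles authentication + Azure MFA,
! ISE is queried afterwards for authorization attributes.
tunnel-group AZURE_SAML_TG type remote-access
tunnel-group AZURE_SAML_TG general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_GP
 authorization-server-group ISE_AUTHZ
 authorization-required
tunnel-group AZURE_SAML_TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias AzureVPN enable
```

With `authorization-required`, a session is refused if ISE does not return an Access-Accept, so a failed or timed-out authorization lookup is visible in the ISE RADIUS live logs rather than silently falling back to the default group-policy.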
04-18-2023 08:18 PM
Do you mean I need to add Cisco AnyConnect into Cisco ISE as an external RADIUS server? The flow is from F5 VPN - Cisco ISE PSN - Cisco AnyConnect - Azure AD, isn't it?
09-10-2024 02:28 PM
Greg, is there any document that can help with the Device Admin use case, configuring ISE to use an existing NPS as a RADIUS proxy? ISE would forward the RADIUS/TACACS+ requests to NPS to handle the authentication + MFA, then ISE could perform the authorization-only piece based on the response from NPS.
09-10-2024 03:56 PM
From the ISE perspective, the RADIUS Token piece would be similar to this example using Duo.
https://community.cisco.com/t5/security-knowledge-base/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231