
Beginner

INTUNE integration with VPN Devices POSTURE + MFA (user)

I've got a series of demands from my customer that I'm trying to integrate into an AC/ASA/ISE solution.

We need to admit only compliant/registered devices into the network; they also want users to authenticate with username/pw + MFA (Azure Multifactor Authentication).

They also would like to skip the installation of 2 NPS servers with MFA Extension in the DCs and only have Azure "AD".

 

The last one here ruins my puzzle - how ... if possible, could this be accomplished?

 

My Idea: 

Push Certificates from SCEP in INTUNE - include username within the extensions of Certificate.

Authorize devices to ASA through ISE with INTUNE POSTURE, and do secondary authentication with username based on Certificate info. 

The authentication to ISE is easy: RADIUS - but the next step... Proxy RADIUS server... no go over the internet to the cloud, this would tell the world about everything ;) but ... LDAPS to the cloud? .. or some SAML solution? If we had used DUO, we would have had to use the DUO proxy server, like the NPS servers. My backup solution is to force 2 NPS with MFA Extension, but I would like a cleaner setup.

Any advice?

 

 

CCIES#21940
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: INTUNE integration with VPN Devices POSTURE + MFA (user)

If using AnyConnect VPN client and ASA as the head-end, I would recommend using SAML -- AzureAD as IdP and ASA as SP -- then authorize-only to ISE.

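The design in the accepted answer, written out as an ASA configuration. This is an added example, not configuration from the original thread or from Cisco: Azure AD acts as the SAML IdP (with MFA enforced by Azure AD in the browser login), the ASA is the SAML SP, and the ASA then sends a RADIUS authorize-only request to ISE, which applies the Intune/MDM compliance policy and can push a CoA. Tenant ID, hostnames, IP addresses, trustpoint names, the shared secret and the tunnel-group/pool names are placeholders; the ISE-side policy set and the Azure AD enterprise application are configured in their own GUIs and are not shown.

```text
! Added example (not from the original thread). All names, IDs and addresses are placeholders.

! --- SAML IdP definition: Azure AD is the identity provider, the ASA the service provider.
! Entity ID and sign-in/sign-out URLs come from the Azure AD enterprise application.
! AZUREAD-IDP-CERT holds the Azure AD signing certificate; ASA-SP-CERT is the ASA identity cert.
webvpn
 saml idp https://sts.windows.net/TENANT-ID-PLACEHOLDER/
  url sign-in https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  url sign-out https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  trustpoint idp AZUREAD-IDP-CERT
  trustpoint sp ASA-SP-CERT
  no force re-authentication
  base-url https://vpn.example.com

! --- ISE as a RADIUS server used for authorization and accounting only.
! 'authorize-only' makes the ASA send an authorize-only request for the user already
! verified by SAML instead of a password authentication, so no credentials or RADIUS
! traffic leave the enterprise network. 'dynamic-authorization' allows ISE to issue a CoA
! once the Intune/MDM compliance check has a result.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.0.0.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! --- Tunnel group: authenticate the user with SAML, then authorize against ISE.
tunnel-group EMPLOYEE-VPN type remote-access
tunnel-group EMPLOYEE-VPN general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE
 accounting-server-group ISE
 authorization-required
tunnel-group EMPLOYEE-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 group-alias employees enable
```

The point of the split is that the two requirements in the question land on different components: password + MFA is handled entirely by Azure AD inside the SAML flow (no NPS servers, no MFA extension, no RADIUS proxy towards the cloud), while device compliance is decided by ISE, which only ever sees an authorize-only request on the inside network. A practical check after deployment is to confirm in ISE's RADIUS live logs that the ASA sessions arrive as authorize-only and carry the MDM compliance result you expect before the CoA is applied.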
2 REPLIES 2
Beginner

Re: INTUNE integration with VPN Devices POSTURE + MFA (user)

Client is opting for the ASA with NPS, where NPS has the Azure MFA Extension installed - Authz by ISE.

 

I will update the solution once it's working - it's a bank, it's not the same day progress is made ;)

CCIES#21940