INTUNE integration with VPN Devices POSTURE + MFA (user)

OveDC
Level 1

I've got a series of demands from my customer that I'm trying to integrate into an AC/ASA/ISE solution.

We need to admit only compliant/registered devices into the network; they also want users to authenticate with username/password + MFA (Azure Multi-Factor Authentication).

They also would like to skip the installation of 2 NPS servers with the MFA Extension in the DCs and only have Azure "AD".

The last one here ruins my puzzle - how, if possible, could this be accomplished?

 

My Idea: 

Push Certificates from SCEP in INTUNE - include username within the extensions of Certificate.

Authorize devices to ASA through ISE with INTUNE POSTURE, and do secondary authentication with username based on Certificate info. 

The authentication to ISE is easy: RADIUS - but the next step... Proxy RADIUS server... no go over the internet to the cloud, this would tell the world about everything ;) but... LDAPS to the cloud? ... or some SAML solution? If we had used Duo, we would have had to use the Duo Proxy server, like the NPS servers. My backup solution is to force 2 NPS with the MFA Extension, but I would like a cleaner setup.

Any advice?

CCIES#21940
1 Accepted Solution


hslai
Cisco Employee

If using AnyConnect VPN client and ASA as the head-end, I would recommend using SAML -- AzureAD as IdP and ASA as SP -- then authorize-only to ISE.

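To make the accepted design concrete, here is an added ASA configuration sketch that is not part of the thread and not Cisco's or hslai's own material. It implements "Azure AD as SAML IdP, ASA as SP, then authorize-only to ISE": the AnyConnect user is redirected to Azure AD for username/password + Azure MFA, the ASA validates the signed assertion, and the resulting username is sent to ISE in an authorize-only RADIUS exchange where Intune compliance can gate access. Every name, address and the tenant-id/shared-secret placeholders are assumptions chosen for the example; the Azure AD side (enterprise application, Reply URL, Conditional Access policy requiring MFA and a compliant device) is configured in the Azure portal and is not shown.

```cisco
! --- Trustpoints ------------------------------------------------------------
! AZURE-IDP-TP holds the Azure AD "SAML Signing Certificate" (self-signed,
! not a CA, hence "no ca-check"). Import it with:
!   crypto ca authenticate AZURE-IDP-TP   (paste the Base64 certificate)
crypto ca trustpoint AZURE-IDP-TP
 enrollment terminal
 no ca-check
! ASA-SP-TP is the ASA's own identity certificate for the SP side.
crypto ca trustpoint ASA-SP-TP
 enrollment self
 subject-name CN=vpn.example.com

! --- ISE as authorization-only RADIUS server --------------------------------
! No credentials are validated here; ISE only returns authorization results
! (group policy, ACL, or a reject for a non-compliant Intune device).
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.50
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
 ! common password placed in the Access-Request for authorize-only lookups
 radius-common-pw <RADIUS-SHARED-SECRET>

! --- Address pool and group policy -----------------------------------------
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GP-AZURE-VPN internal
group-policy GP-AZURE-VPN attributes
 vpn-tunnel-protocol ssl-client

! --- SAML identity provider (Azure AD) -------------------------------------
webvpn
 enable outside
 saml idp https://sts.windows.net/<AZURE-TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<AZURE-TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<AZURE-TENANT-ID>/saml2
  ! must match the Reply URL / Identifier registered on the Azure app
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-TP
  trustpoint sp ASA-SP-TP
  no signature
  no force re-authentication

! --- Tunnel group: SAML for authentication, ISE for authorization ----------
tunnel-group AZURE-VPN type remote-access
tunnel-group AZURE-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-AZURE-VPN
 authorization-server-group ISE-RADIUS
 ! fail the session if ISE does not return an Access-Accept
 authorization-required
tunnel-group AZURE-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<AZURE-TENANT-ID>/
 group-alias AZURE-VPN enable
```

Two practical checks before blaming the configuration: the ASA clock must be NTP-synchronised, because SAML assertions carry a short validity window and a skewed clock produces authentication failures that look like certificate problems; and `base-url` must match the Reply URL registered on the Azure enterprise application exactly, or Azure will refuse to post the assertion back. MFA itself is never configured on the ASA in this design; it is enforced by the Azure AD Conditional Access policy attached to the VPN application, which is what removes the need for the on-premises NPS servers with the MFA extension.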

3 Replies

The client is opting for the ASA with NPS, where NPS has the Azure MFA Extension installed - authz by ISE.

I will update the solution once it's working - it's a bank, it's not the same day progress is made ;)

CCIES#21940

MSanmartin
Level 1

We had a customer with a similar request. We leveraged the following article to complete the setup.

https://www.petenetlive.com/KB/Article/0001474