01-17-2020 07:07 AM
I've got a series of demands from my customer that I'm trying to integrate into an AC/ASA/ISE solution.
We need to admit only compliant/registered devices into the network; they also want users to authenticate with username/password + MFA (Azure Multi-Factor Authentication).
They would also like to skip the installation of 2 NPS servers with the MFA Extension in the DCs and only have Azure "AD".
The last one here ruins my puzzle: how, if possible, could this be accomplished?
My idea:
Push certificates from SCEP in Intune, including the username within the extensions of the certificate.
Authorize devices to the ASA through ISE with Intune posture, and do secondary authentication with the username based on the certificate info.
The authentication to ISE is easy: RADIUS. But the next step... A proxy RADIUS server is a no-go over the internet to the cloud; this would tell the world about everything ;) But LDAPS to the cloud? Or some SAML solution? If we had used Duo, we would have had to use the Duo proxy server, like the NPS servers. My backup solution is to force 2 NPS with the MFA Extension, but I would like a cleaner setup.
Any advice?
01-18-2020 12:09 PM
If using AnyConnect VPN client and ASA as the head-end, I would recommend using SAML -- AzureAD as IdP and ASA as SP -- then authorize-only to ISE.
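The design in this answer (AnyConnect on the ASA, SAML authentication against Azure AD so MFA is enforced by the IdP, then an authorize-only RADIUS request to ISE) maps onto a small ASA configuration. The block below is an added example and is not from the original answer or from Cisco; the tenant ID, hostnames, IP address, trustpoint names, pool and group-policy names are placeholders, and the Azure AD enterprise-application side (entity ID and reply URL matching the ASA base-url) is configured in the Azure portal and not shown.

```cisco
! Added example: ASA AnyConnect with SAML (Azure AD as IdP, ASA as SP) and authorize-only to ISE.
! Placeholders: <tenant-id>, vpn.example.com, 10.0.0.10, <radius-shared-secret>, trustpoint/pool/policy names.

! RADIUS server group pointing at ISE. With SAML handling authentication,
! the ASA only sends an authorization request (username, no password) here.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Azure AD as the SAML identity provider; the ASA is the service provider.
! AzureAD-IdP-Cert holds the IdP signing certificate exported from Azure,
! ASA-SP-Cert holds the ASA's own certificate used for the SP side.
webvpn
 enable outside
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-IdP-Cert
  trustpoint sp ASA-SP-Cert
  base-url https://vpn.example.com
  no signature
  no force re-authentication
  timeout assertion 7200

! Tunnel group: SAML (and therefore Azure MFA) authenticates the user,
! ISE authorizes the session via the RADIUS group defined above.
tunnel-group AnyConnect-SAML type remote-access
tunnel-group AnyConnect-SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-AnyConnect
 authorization-server-group ISE-RADIUS
 authorization-required
tunnel-group AnyConnect-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias AzureAD-MFA enable
```

With `authorization-required`, a successful SAML assertion is not enough on its own: the ASA still needs an Access-Accept from ISE for the asserted username, so the ISE authorization policy can apply the device-compliance (Intune posture) and VPN access conditions the original question asked for without any RADIUS or NPS traffic leaving the site for the cloud.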
01-23-2020 10:39 AM
The client is opting for the ASA with NPS, where NPS has the Azure MFA Extension installed; authz by ISE.
I will update the solution once it's working. It's a bank; it's not the same day progress is made ;)
01-28-2021 10:42 AM - edited 01-28-2021 10:43 AM
We had a customer with a similar request. We leveraged the following article to complete the setup.