04-25-2018 03:26 AM
Could anyone help me with this query we had from a customer please?
As you know, we have a massive ISE deployment running dot1x authentication for NAC (in deployment globally), our WiFi and remote access with posture compliance. A request has come through to enable MFA on top of the Cisco AnyConnect and ideally we’d like to use Azure AD as this is now our third party authentication solution of choice. Do you have a suitable engineering resource that may be able to run us through the theory of the ISE/SAML integration and what the user can expect to be the result/login process in their AnyConnect client? There are a few documents on this integration but none officially from Cisco – mostly other non-Cisco engineers who have worked on this – so not an ideal guide!
04-25-2018 07:56 AM
Azure MFA is interacted with via a RADIUS proxy that communicates with Azure. The RADIUS proxy is part of their solution. To ISE, Azure MFA is just an external RADIUS server that you set up. How the MFA actually works depends on how you set up Azure MFA. It could be text notifications, a push to an app installed on the mobile device, etc.
For the current customer that I am working on, we log into VPN with our AD credentials, then we get a text on our phone from Azure MFA. We have to type the code back into the text message to get accepted onto the VPN.
You will need to increase your RADIUS timeouts to allow for the MFA transaction. Use something like 60-90 seconds for the timeout.
So the authentication of the VPN is handed off completely to the Azure MFA RADIUS server. It does the AD checks and the MFA process. All ISE is looking for is an accept/reject coming back. You can do AD checks in the authorization phase if you want, but the authentication phase is fully delegated to the Azure MFA RADIUS server.
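The exchange described in the answer above, as an added example that is not part of the original post and not Cisco or Microsoft code: ISE sends a RADIUS Access-Request to the external server, the MFA proxy checks the primary credential and the second factor, and ISE acts only on the Access-Accept or Access-Reject that comes back, provided it arrives inside the RADIUS timeout and its Response Authenticator verifies under the shared secret. The packet format and User-Password hiding follow RFC 2865; the shared secret, the single-user directory, the `mfa_approved` callback and the latency/timeout numbers are constructed for the demo.

```python
"""Minimal RFC 2865 exchange modelling ISE -> MFA RADIUS proxy -> ISE.
Constructed example: DIRECTORY, the secret and the MFA callback are made up."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

# Constructed test data: the one account the simulated proxy can look up.
DIRECTORY = {"jdoe@example.com": b"Pa55w0rd!"}


def _attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def _xor_chain(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = block if decrypt else result
    return out


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, req_auth, decrypt=False)


def decode_user_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_chain(encoded, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip="10.0.0.1"):
    """What ISE sends to the external RADIUS server (the MFA proxy)."""
    req_auth = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _build_response(code, ident, req_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def mfa_proxy_respond(request, secret, mfa_approved):
    """Simulated MFA RADIUS proxy: primary credential check, then the second
    factor (mfa_approved(user) stands in for the SMS/push result)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = decode_user_password(attrs[USER_PASSWORD], secret, req_auth)
    if DIRECTORY.get(user) != pw:
        return _build_response(ACCESS_REJECT, ident, req_auth,
                               _attr(REPLY_MESSAGE, b"bad credentials"), secret)
    if not mfa_approved(user):
        return _build_response(ACCESS_REJECT, ident, req_auth,
                               _attr(REPLY_MESSAGE, b"MFA denied"), secret)
    return _build_response(ACCESS_ACCEPT, ident, req_auth, b"", secret)


def ise_decide(request, response, secret, mfa_latency_s, radius_timeout_s):
    """ISE's view: the reply must arrive within the RADIUS timeout, carry the
    request's Identifier, and verify under the shared secret; only then does
    the Code (Accept/Reject) mean anything."""
    if mfa_latency_s > radius_timeout_s:
        return "timeout"  # the user was still answering the prompt when ISE gave up
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")
```

The `mfa_latency_s` argument is a stand-in for how long the user takes to answer the text or push prompt; with a default RADIUS timeout of a few seconds the request expires before the proxy can answer, which is why the answer recommends 60-90 seconds. Because ISE delegates the whole authentication phase, the shared secret and the Response Authenticator check are the only things standing between a forged Access-Accept and a VPN session, so the example treats an unverifiable reply as invalid rather than as a reject.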
04-26-2018 01:05 AM
Hi Paul,
Could we have a chat via email please, as my AM would like to ask you a few questions regarding your answer.
email: israhass@cisco.com
Thanks,
Israr
04-25-2018 09:08 AM
I am not sure what you're asking here. Please consider that this may be a question for the AnyConnect community and not ISE as well.
ISE SAML SSO support is explained as follows:
A user connects to a web portal such as guest, sponsor, or my devices on ISE and is given a SAML SSO token for their IdP so they can then log in to another portal (think employee webmail or company dashboard).
This also works in reverse: if you access the company portal, then SSO to ISE portals (except admin) will work.
For more information see - SAMLv2 Identity Provider as an External Identity Source
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html
ISE supported SAML SSO integration examples
https://communities.cisco.com/docs/DOC-64018#jive_content_id_Web_Portal_access_via_SAML_SSO
Are you looking for something else?
04-26-2018 06:52 AM