07-12-2018 09:09 AM
Looking into an Azure MFA Cloud deployment and there seems to be some specific NPS server requirements if we want to leverage the solution, at least according to Microsoft.
Documentation:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
We already have an enterprise solution for RADIUS (ISE), scaling out another set of servers/infrastructure for this simple purpose is undesirable. Has anyone deployed this using ISE (not sure that's possible)? Is the PD team working with Microsoft PD to provide a solution using ISE?
07-12-2018 03:59 PM
07-12-2018 04:05 PM
07-13-2018 02:02 PM
Thanks Krish, these cover what Microsoft terms Hybrid MFA deployment requiring an MFA server on premise. For Cloud MFA, that's where the NPS servers come in. Any chance to get the ISE team to talk with Microsoft to see what would be required to get the NPS capability into ISE?
07-14-2018 09:48 AM
Thanks a lot for your post. I will relay your inquiry to our product management team. Please note that ISE does not currently support multiple authentications other than EAP chaining and CWA chaining.
07-16-2018 06:37 AM
This seems more of a RADIUS proxy configuration, but there also seem to be some HTTPS calls that are exchanged as well, perhaps for Azure account verification? MS would need to fill in the blanks. Thanks for passing it along.
08-14-2019 08:06 PM - edited 08-14-2019 09:32 PM
.
02-11-2020 03:07 AM
We leverage Azure MFA for ISE/TACACS authentication. We had it set up in ACS 5.4 and migrated it to ISE. Simple to set up. We verify a network engineer is in the correct AD group and prompt them for a second factor before they can log into a CLI for a switch/router, as well as for web GUIs on Cisco Prime and wireless controllers.
04-01-2020 06:07 PM
Do you by chance have any documentation?
We are trying to set up Azure MFA with our ISE deployment. We are not seeing any documentation on how to build this out.
From my understanding today, I feel we will need to deploy Azure MFA cloud-based (which seems the only way to have MFA in Azure), then we would build a Windows server with NPS. The NPS servers would have all my configuration for 2-factor and I would point ISE to the NPS server.
Anything will be of help. We have reached out to MS FastTrack team and it feels they are learning how to deploy this with us.
02-27-2022 06:14 PM
Has anyone checked using this method? I also want to confirm whether the below is possible for TACACS+ device administration:
ISE --> NPS Server --> Azure AD for MFA and Active Directory
10-26-2021 07:31 AM
@usmcjohn
Would you mind sharing any documentation for Azure MFA for ISE/TACACS authentication? Pieces of documentation should help too; it does not need to be a consolidated one. It is hard to find any related documentation in the community, so any help from your side would be greatly appreciated.
We are thinking between DUO vs AZ MFA.
12-13-2021 01:38 PM
03-30-2023 02:23 PM - edited 03-30-2023 02:31 PM
Hi,
Can you elaborate more on your setup? Are you using NPS with the Azure MFA extension? If so, are you able to get the OTP (one-time password) to work? MS will enforce number matching by May of 2023 and the Accept/Deny push notification will stop working. Only number matching and OTP will be allowed. I was able to get ISE to work with NPS + Azure MFA extension with push notification, but it stops working when I switch to OTP. In my case I can see the NPS sending a challenge with the code, but ISE ignores it and keeps sending access requests.
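Added example, not part of any post in this thread and not Cisco or Microsoft code: one way to confirm the symptom described in the last post from a packet capture. It parses RADIUS packets (RFC 2865) and reports any Access-Challenge whose State attribute is never echoed in a later Access-Request, which is what a challenge response has to carry. The packets, user name and State value are constructed samples, and `build` and `unanswered_challenges` are hypothetical helper names.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS codes (RFC 2865)
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24  # attribute types (RFC 2865)

def parse_radius(pkt: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the type/length/value attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[off + 2:off + alen])
        off += alen
    return {"code": code, "id": ident, "attrs": attrs}

def unanswered_challenges(packets):
    """Return identifiers of Access-Challenges whose State no later request echoes."""
    pending = {}  # State value -> identifier of the challenge that issued it
    for raw in packets:
        p = parse_radius(raw)
        states = p["attrs"].get(STATE, [])
        if p["code"] == ACCESS_CHALLENGE:
            for s in states:
                pending[s] = p["id"]
        elif p["code"] == ACCESS_REQUEST:
            for s in states:
                pending.pop(s, None)  # the client answered this challenge
    return sorted(pending.values())

def build(code, ident, attrs):
    """Build a constructed sample packet (zeroed authenticator, not wire-valid)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample exchanges: a client that restarts vs. one that answers.
USER = (USER_NAME, b"engineer1")
CHALLENGE = build(ACCESS_CHALLENGE, 7, [(REPLY_MESSAGE, b"Enter your code"), (STATE, b"sess-01")])
LOOPING = [build(ACCESS_REQUEST, 7, [USER]), CHALLENGE, build(ACCESS_REQUEST, 8, [USER])]
ANSWERED = [build(ACCESS_REQUEST, 7, [USER]), CHALLENGE,
            build(ACCESS_REQUEST, 8, [USER, (STATE, b"sess-01")])]

if __name__ == "__main__":
    print(unanswered_challenges(LOOPING), unanswered_challenges(ANSWERED))
```

Feed it the UDP payloads exported from a capture between the RADIUS client and NPS; a non-empty result means the requests after the challenge are fresh attempts rather than responses to it.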