11815 Views | 38 Helpful | 12 Replies

ISE Integration - Azure MFA (Cloud Only Deployment)

Sloanstar
Level 5

Looking into an Azure MFA Cloud deployment and there seems to be some specific NPS server requirements if we want to leverage the solution, at least according to Microsoft.

Documentation:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

We already have an enterprise solution for RADIUS (ISE), scaling out another set of servers/infrastructure for this simple purpose is undesirable. Has anyone deployed this using ISE (not sure that's possible)? Is the PD team working with Microsoft PD to provide a solution using ISE?

1 Accepted Solution
12 Replies

kvenkata1
Cisco Employee

Please take a look at this post

ISE using Azure MFA and AD

- Krish

Sloanstar
Level 5

Thanks Krish, these cover what Microsoft terms Hybrid MFA deployment requiring an MFA server on premise. For Cloud MFA, that's where the NPS servers come in. Any chance to get the ISE team to talk with Microsoft to see what would be required to get the NPS capability into ISE?

Thanks a lot for your post. I will relay your inquiry to our product management team. Please note that ISE does not currently support multiple authentications other than EAP chaining and CWA chaining.

This seems more of a RADIUS proxy configuration, but there also seem to be some HTTPS calls that are exchanged as well, perhaps for Azure account verification? MS would need to fill in the blanks. Thanks for passing it along.


usmcjohn
Level 1

We leverage Azure MFA for ISE/TACACS authentication. We had it set up in ACS 5.4 and migrated it to ISE. Simple to set up. We verify a network engineer is in the correct AD group and prompt them for a second factor before they can log into a CLI for a switch/router, as well as for the web GUIs on Cisco Prime and wireless controllers.

Do you by chance have any documentation?


We are trying to set up Azure MFA with our ISE deployment. We are not seeing any documentation on how to build this out.


From my understanding today, I feel we will need to deploy Azure MFA cloud-based (which seems the only way to have MFA in Azure), then we would build a Windows server with NPS. The NPS servers would have all my configuration for 2-factor and I would point ISE to the NPS server.


Anything will be of help. We have reached out to MS FastTrack team and it feels they are learning how to deploy this with us. 

Has anyone checked using this method? I also want to confirm whether the below is possible for TACACS+ device administration:


ISE --> NPS Server --> Azure AD for MFA and Active Directory

@usmcjohn

Would you mind sharing any documentation for Azure MFA for ISE/TACACS authentication? Pieces of documentation should help too; it does not need to be a consolidated one. It is hard to find any related documentation in the community, so any help from your side would be greatly appreciated.

We are thinking between DUO vs AZ MFA.

Hi,

Can you elaborate more on your setup? Are you using NPS with the Azure MFA extension? If so, are you able to get the OTP (one-time password) to work? MS will enforce number matching by May of 2023 and the Accept/Deny push notification will stop working. Only number matching and OTP will be allowed. I was able to get ISE to work with NPS + Azure MFA extension with push notification, but it stops working when I switch to OTP. In my case I can see the NPS sending a challenge with the code, but ISE ignores it and keeps sending access requests.

(Attachment: ISE_NPS.jpg)
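The failure described in the last post is a RADIUS Access-Challenge round trip that the proxy in front of NPS does not complete. The following is an added example, not code from this thread, from Cisco or from Microsoft: a small simulation in which `MfaServer` stands in for NPS with the MFA extension in OTP mode (it answers a correct password with Access-Challenge carrying a State attribute, and only accepts once that State comes back with the right code, as RFC 2865 describes), and two proxy behaviours are compared. `relay_with_challenge` echoes State and forwards the OTP; `retry_without_challenge` models a proxy that treats the challenge as a non-answer and resends the original request, which is the symptom reported above. Usernames, passwords and codes are constructed sample data; the dictionaries are stand-ins for real RADIUS packets.

```python
# Added example (not from the thread): simulated RADIUS Access-Challenge flow
# for an OTP second factor. Dictionaries stand in for RADIUS packets; State
# handling follows RFC 2865 (the server's State must be echoed unchanged).
import secrets

# Constructed sample data for the demonstration only.
SAMPLE_USERS = {"neteng": "Pa55w0rd!"}   # username -> first-factor password
SAMPLE_OTPS = {"neteng": "123456"}       # username -> expected one-time code


class MfaServer:
    """Stand-in for NPS + MFA extension in OTP mode (simulation, not NPS code)."""

    def __init__(self, users, otps):
        self.users = users
        self.otps = otps
        self.pending = {}  # State value -> username waiting for its OTP

    def handle(self, request):
        user = request.get("User-Name")
        state = request.get("State")
        if state is not None:
            # Second leg: the State we issued must return, once, with the OTP.
            owner = self.pending.pop(state, None)
            if owner == user and request.get("User-Password") == self.otps.get(user):
                return {"Code": "Access-Accept"}
            return {"Code": "Access-Reject"}
        # First leg: password check, then challenge for the second factor.
        if self.users.get(user) == request.get("User-Password"):
            state = secrets.token_hex(8)
            self.pending[state] = user
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter OTP"}
        return {"Code": "Access-Reject"}


def relay_with_challenge(server, user, password, otp):
    """Proxy that honours Access-Challenge: echo State and send the OTP."""
    first = server.handle({"User-Name": user, "User-Password": password})
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    second = server.handle({"User-Name": user, "User-Password": otp,
                            "State": first["State"]})
    return second["Code"]


def retry_without_challenge(server, user, password, attempts=3):
    """Proxy that ignores the challenge and resends the original request.

    Returns the list of reply codes seen; the server can only keep answering
    Access-Challenge because the State is never echoed back.
    """
    codes = []
    for _ in range(attempts):
        reply = server.handle({"User-Name": user, "User-Password": password})
        codes.append(reply["Code"])
    return codes


if __name__ == "__main__":
    srv = MfaServer(SAMPLE_USERS, SAMPLE_OTPS)
    print("relay:", relay_with_challenge(srv, "neteng", "Pa55w0rd!", "123456"))
    print("retry:", retry_without_challenge(srv, "neteng", "Pa55w0rd!"))
```

Run it directly to see the two behaviours side by side; the second line is the pattern visible in a capture when the RADIUS client never sends the State back, so the authentication never reaches Access-Accept. A real proxy must also bind the State to the original session so a challenge cannot be replayed, which `MfaServer` enforces by discarding each State after one use.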