Hi imsheikh,

I was working on the same thing it looks like you are trying to do.  We just set up an Azure MFA server to set up multi-factor for VPN and I also found that it works quite nice with accessing network devices.  Since the MFA server is on-prem and uses our AD I used the Azure server as an external radius token server in ISE.  The Azure server is now the Identity store I use in the Authentication Policy then, of course, AD groups for the Authorization policies.  I found the results to work just as we needed.  I did not have to set up the second authentication on the ASA.  Using the MFA as the Authentication Policy identity store now when we log into Cisco gear or the VPN we can use either a token or a push notification.  It is a little overkill for access to network gear but being a government organization we had a requirement for that.  it works much like the DUO Auth Proxy.

Hi Richard,

Do you have the NPS w/ extension config that worked with ISE integration? I am attempting to setup ISE to NPS Azure MFA for device access like you have done by using RADIUS token server on ISE. I appreciate any assistance you can provide.

If you have your NPS server correctly working with Azure MFA, i.e. you can point VPN auth directly at NPS server and perform Azure MFA then you should be able to define the NPS server as an external RADIUS token server in ISE, ensure the ISE IPs are defined as RADIUS client on the NPS server and point VPN authentication to ISE.

Have you tried this and it isn't working?

Paul,

Doing device CLI login -> ISE -> NPS/AzureMFA as a first deployment. Would the NPS setup be the exact same as when used with ASA/VPN through NPS/MFA? If they are the same and can use the same policy, It may be a little easier to find documentation on the VPN setup.

Thank you,

Mark

Wanted to follow-up that I did get this working and wanted to add something that I was unable to find online. The examples I found online for device CLI MFA showed RADIUS configured on the device to ISE and then NPS /extension as RADIUS token server on ISE. You can use TACACS from device to ISE and RADIUS from ISE to NPS server. This is how I did it for device CLI MFA. It saved a lot of config changes on the Cisco devices.

Hello @MARK BAKER 

Do have a good guide you followed to setup ISE > NPS/AzureMFA? (aka Token Server)

I need to integrate AzureMFA with AnyConnect VPN but using a FirePower devices, not an ASA, so direct AuthZ to AzureMFA is not possible.

ISE

---

@paul wrote:
It should be the same. At the end of the day it is just RADIUS calls into NPS. You can match on different RADIUS attributes in NPS if you want to build different policies. If you are ultimately going to go against ISE I would recommend keeping your NPS policy as generic as possible. Basically just have it run the MFA process. All the AD group checking stuff can occur in ISE.

---

RADIUS Token Server Supported Authentication Protocols

ISE Radius token with NPS solution only supported PAP protocol (ISE 2.4). Do you know if MSCHAPv2 protocol is now supported by ISE?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01101.html