Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
44580
Views
11
Helpful
18
Replies

ISE using Azure MFA and AD

Go to solution
imsheikh
Cisco Employee
Cisco Employee

‎02-01-2017 11:34 AM

Are there any white papers on configuration VPN Authorization in ISE using Azure MFA and AD?

2 people had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to imsheikh

‎02-02-2017 11:30 AM

Hi,

You can find information on ISE and Anyconnect design guides.

ISE Design & Integration Guides

With related to MFA, ISE support RSA secure ID, Radius token. You can also use an external server such as Symatec VIP with guest portal. You can look at the integration with Symantec for that from the design guide above.

ISE is supporting Azure AD with MFA for SAML 2.0 SSO at ISE end-user-facing webauth portals if the primary auth is form-auth authentication.

Now, ASA supports MFA with two different identity sources for authentication, you can use ISE as authorization only in such cases.

Thanks

Krishnan

View solution in original post

0 Helpful
18 Replies 18

Go to solution
imsheikh
Cisco Employee
Cisco Employee

‎02-01-2017 12:14 PM

if nothing for MFA how about whitepaper about using ISE for Anyconnect VPN authentication without MFA?

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to imsheikh

‎02-02-2017 11:30 AM

Hi,

You can find information on ISE and Anyconnect design guides.

ISE Design & Integration Guides

With related to MFA, ISE support RSA secure ID, Radius token. You can also use an external server such as Symatec VIP with guest portal. You can look at the integration with Symantec for that from the design guide above.

ISE is supporting Azure AD with MFA for SAML 2.0 SSO at ISE end-user-facing webauth portals if the primary auth is form-auth authentication.

Now, ASA supports MFA with two different identity sources for authentication, you can use ISE as authorization only in such cases.

Thanks

Krishnan

0 Helpful

Go to solution
Richard Lucht
Level 1
Level 1
In response to imsheikh

‎01-12-2018 06:37 AM

Hi imsheikh,


I was working on the same thing it looks like you are trying to do.  We just set up an Azure MFA server to set up multi-factor for VPN and I also found that it works quite nice with accessing network devices.  Since the MFA server is on-prem and uses our AD I used the Azure server as an external radius token server in ISE.  The Azure server is now the Identity store I use in the Authentication Policy then, of course, AD groups for the Authorization policies.  I found the results to work just as we needed.  I did not have to set up the second authentication on the ASA.  Using the MFA as the Authentication Policy identity store now when we log into Cisco gear or the VPN we can use either a token or a push notification.  It is a little overkill for access to network gear but being a government organization we had a requirement for that.  it works much like the DUO Auth Proxy.

Go to solution
MARK BAKER
Level 4
Level 4
In response to Richard Lucht

‎09-11-2019 01:19 PM

Hi Richard,

Do you have the NPS w/ extension config that worked with ISE integration? I am attempting to setup ISE to NPS Azure MFA for device access like you have done by using RADIUS token server on ISE. I appreciate any assistance you can provide.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to MARK BAKER

‎09-11-2019 01:41 PM

If you have your NPS server correctly working with Azure MFA, i.e. you can point VPN auth directly at NPS server and perform Azure MFA then you should be able to define the NPS server as an external RADIUS token server in ISE, ensure the ISE IPs are defined as RADIUS client on the NPS server and point VPN authentication to ISE.

 

Have you tried this and it isn't working?

0 Helpful

Go to solution
MARK BAKER
Level 4
Level 4
In response to paul

‎09-11-2019 01:46 PM

Paul,

 

Doing device CLI login -> ISE -> NPS/AzureMFA as a first deployment. Would the NPS setup be the exact same as when used with ASA/VPN through NPS/MFA? If they are the same and can use the same policy, It may be a little easier to find documentation on the VPN setup.

 

Thank you,

Mark

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to MARK BAKER

‎09-11-2019 01:55 PM

It should be the same. At the end of the day it is just RADIUS calls into NPS. You can match on different RADIUS attributes in NPS if you want to build different policies. If you are ultimately going to go against ISE I would recommend keeping your NPS policy as generic as possible. Basically just have it run the MFA process. All the AD group checking stuff can occur in ISE.


0 Helpful

Go to solution
MARK BAKER
Level 4
Level 4
In response to paul

‎02-26-2020 01:21 PM

Wanted to follow-up that I did get this working and wanted to add something that I was unable to find online. The examples I found online for device CLI MFA showed RADIUS configured on the device to ISE and then NPS /extension as RADIUS token server on ISE. You can use TACACS from device to ISE and RADIUS from ISE to NPS server. This is how I did it for device CLI MFA. It saved a lot of config changes on the Cisco devices.

0 Helpful

Go to solution
cfitzgerald
Level 1
Level 1
In response to MARK BAKER

‎07-06-2020 02:22 PM

Hello @MARK BAKER 

Do have a good guide you followed to setup ISE > NPS/AzureMFA? (aka Token Server)

I need to integrate AzureMFA with AnyConnect VPN but using a FirePower devices, not an ASA, so direct AuthZ to AzureMFA is not possible.

0 Helpful

Go to solution
chacy2000
Level 1
Level 1
In response to cfitzgerald

‎07-07-2020 03:11 PM

New ZixCorp secure email message from Beacon Health Options

To view the secure message, click on the link below or copy and paste the link into your Internet browser address bar.

https://securemail-valueoptions.com/s/e?m=ABAaA5qVYKNGKd0VJGIvh5jp&c=ABCuAEoOylrg13RyZzJuX4Xf&em=ciscosupport%2eprod%7c914b1085%7cd159a44c%2dbfe0%2d4c39%2db348%2d3283c55c7cc2%40reply01%2elithium%2ecom

You are reading the plaintext version of this message. For a better user experience, change your email settings to enable the viewing of HTML.

Do not reply to this notification message; this message was auto-generated by the sender's security system. To reply to the sender, click on the link above.

The secure message expires on Jul 07, 2021 @ 10:11 PM (GMT).

Want to send and receive secure email messages transparently? http://www.zixcorp.com/info/zixmail_ZMC
0 Helpful

Go to solution
chacy2000
Level 1
Level 1
In response to cfitzgerald

‎07-07-2020 03:22 PM

The gateway type used shouldn’t matter-in my case ASA -only communicates (radius) with ISE . Below is my design diagram. Use NPS (ISE token server) for your Identity source (typically this is AD) for authentication policy. I used a similar setup guide as the attached. https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/5748/1/Multi-Factor%20Authentication%20with%20ISE.pdf My design diagram image.png
0 Helpful

Go to solution
bhatel
Level 1
Level 1
In response to MARK BAKER

‎10-26-2021 07:46 AM

 

@Baker

Hey, do you have any documentation for how you implemented TACACS between network device and ISE & RADIUS between ISE and AZ MFA. Any help would be appreciated.

Thanks

 

0 Helpful

Go to solution
MARK BAKER
Level 4
Level 4
In response to bhatel

‎10-26-2021 01:20 PM

@bhatel 

 

See if this helps. I don't recall where I got this online, but it was provided by Richard Lucht. You might be able to find the file location and possibly more info by searching "Azure MFA Richard Lucht". I just used TACACS instead of RADIUS between the router/firewall and ISE. I may have used this in combination with other online info.

Preview file
485 KB
0 Helpful
Customers Also Viewed These Support Documents