ISE VPN with AD auth and Microsoft authenticator as second factor?

mtar · ‎06-10-2024

Hello!

Our management wants to implement a Microsoft Authenticator based second factor to our ISE vpn.

Now we are using the ISE (FTD) vpn with only on-prem AD auth, and my question is how can we implement this Microsoft (Azure) Authenticator?

Is there a guide somewhere?

Thanks!

ahollifield · ‎06-10-2024

SAML to Entra ID/MS? ISE as authorize-only? Or use SAML assertion from Entra and not use ISE at all here.

mtar · ‎06-11-2024

I think I dont understand your suggestions. We should use Entra ID as auth source instead of on-prem AD?

And what is SAML assertion from Entra ID? In this case what will ISE do?

ahollifield · ‎06-11-2024

Yes, all authentication will go to Entra. You configure SAML auth directly on the headend.

With SAML assertion Entra can respond to the headend with a group policy name to place the client into the proper group on the headend. ISE doesn’t do anything in this use-case and is not needed. It’s a very clean and simple setup.

mtar · ‎06-11-2024

It sounds like an on-prem AD replacement, but what we need is a Second Factor, like a push notification or an OTP message during tha authentication. The AD would be the 1st and the Microsoft Authtenticator method the 2nd factor.

I dont see this in your suggestion.

ahollifield · ‎06-11-2024

Are you not planning hybrid joined? If you insist on on-prem AD….. then you need to send authc to NPS on-prem which will relay MFA. You can then also use ISE as authorize-only.

Marvin Rhoads · ‎06-11-2024

Like Adam is saying, directly to Entra ID via SAML with MFA setup there is the cleanest authentication with MFA experience. ISE can then do Authorization and Accounting.

If you use on-premise AD with sync to Entra ID and want to continue with that (no immediate good reason why comes to mind) then you can do authentication to NPS with cloud connector, either directly from FTD or via ISE with NPS as an external RADIUS server in that case. Those are all a lot more fragile and more difficult to troubleshoot.

mtar · ‎06-12-2024

Okay. In that case the Authentication part must be configured on the Headend (Firepower), right?

The ISE config would not be changed at all?

ahollifield · ‎06-12-2024

Depends, do you want to? Are you using Posture? Have any other use-cases?

mtar · ‎06-13-2024

This sounds promising for us! If we want to use Entra ID as Authentication source, and then ISE as Authorization, how would the flow look like?

Tha Etra ID is configured on the Firepower Headend and after successful auth the authorization would be handled by the ISE?

How?

Thank

ahollifield · ‎06-13-2024

Yup correct. You enable the AAA group for ISE as authorize-only. Then write your authz rules on ISE like normal.

I would question do you actually need ISE though? What are the use-cases in this scenario? If it’s just group policy assignment I would argue you should do that with SAML assertion and not even involve ISE. If you wish to use dACLs, Posture, etc then of course ISE is needed

mtar · ‎06-13-2024

But in the ISE Policy what would be the auth source in that case?

Because it is handled by the Firepower.

ahollifield · ‎06-13-2024

https://community.cisco.com/t5/network-access-control/radius-authorization-only-for-client-vpn/td-p/3433218

mtar · ‎06-14-2024

Thank you! It is working!

Tho no configuration change was need on the ISE side, it could handle the only-authorization sessions by default.

Just the Firepower config change was required.

THX