Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14768
Views
5
Helpful
8
Replies

SSO auth for Anyconnect using ISE SAML identity integration

Go to solution
Jonathan Marshall
Cisco Employee
Cisco Employee

‎08-09-2017 06:04 AM

Hi all,

Our current deployment: We currently authenticate our AnyConenct users using ISE local accounts via RADIUS.

My question: Is it possible to use SSO integration on the ISE for anyconnect authentication?

The deployment would ideally look like this:

AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)


There are ISE guides for network authentication using a portal however not for anyconnect.

Appreciate any help on this.

Thanks

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎08-09-2017 06:38 AM

This is on asa and AnyConnect not ise

Please look at saml in the guide

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-mobile-devices.html

View solution in original post

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to tim.bolden

‎07-18-2018 06:21 PM

As Jason said earlier, it's not possible to do [AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)].

Instead, it would be:

AnyConnect -> ASA -> SAML IdP

                           +----> ISE (could be authorized only).

The configuration would be similar to what discussed in VPN certificate auth using ISE?

View solution in original post

8 Replies 8

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎08-09-2017 06:38 AM

This is on asa and AnyConnect not ise

Please look at saml in the guide

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-mobile-devices.html

0 Helpful

Go to solution
Jonathan Marshall
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎08-09-2017 06:46 AM

Thought that may be the case. Thanks

0 Helpful

Go to solution
tim.bolden
Level 1
Level 1

‎07-18-2018 04:39 AM

Looking to do this as well: AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO). Did you get it working and/or find documentation?


Thanks.

0 Helpful

Go to solution
Jonathan Marshall
Cisco Employee
Cisco Employee
In response to tim.bolden

‎07-18-2018 05:20 AM

Hi Tim sorry we didn't get any further with this, we just kept our current deployment with local accounts on ISE.

I am also unsure if you can use SAML auth with a non mobile, client based Anyconnect if you were to go down the ASA route that Jason mentioned..

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to tim.bolden

‎07-18-2018 06:21 PM

As Jason said earlier, it's not possible to do [AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)].

Instead, it would be:

AnyConnect -> ASA -> SAML IdP

                           +----> ISE (could be authorized only).

The configuration would be similar to what discussed in VPN certificate auth using ISE?

Go to solution
Antonio Macia
Level 3
Level 3
In response to tim.bolden

‎08-06-2018 11:54 PM

This is possible with Azure AD. But as the colleagues mention, only AnyConnect -> ASA.

If you have multiple factor authentication activated in Azure you can leverage this for your VPN connections when using SAML.

0 Helpful

Go to solution
network.admin
Level 1
Level 1
In response to Antonio Macia

‎08-15-2018 01:02 PM

You could do the same with ADFS. You could add MFA to the SAML workflow in ADFS then, as has been stated, your authentication would be AnyConnect > ASA > ADFS (with MFA prompting). I think that would work.

 

I'm working on similar stuff and I use ISE as well.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents