Hi all,
Our current deployment: We currently authenticate our AnyConnect users using ISE local accounts via RADIUS.
My question: Is it possible to use SSO integration on the ISE for anyconnect authentication?
The deployment would ideally look like this:
AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)
There are ISE guides for network authentication using a portal however not for anyconnect.
Appreciate any help on this.
Thanks
This is on asa and AnyConnect not ise
Please look at saml in the guide
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-mobile-devices.html
As Jason said earlier, it's not possible to do [AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)].
Instead, it would be:
AnyConnect -> ASA -> SAML IdP
+----> ISE (could be authorized only).
The configuration would be similar to what was discussed in VPN certificate auth using ISE?
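The split the answer above describes, SAML to the IdP for authentication and RADIUS to ISE for authorization only, maps onto ASA configuration roughly as follows. This is an added illustration, not configuration from this thread or from Cisco; the IdP entity ID and URLs, the trustpoint names, the ISE address and the tunnel-group name are all placeholders that have to be replaced with your own values, and the ISE side still needs a policy that accepts the authorization-only request.

```text
! --- SAML IdP definition (placeholder entity ID and URLs) ---
webvpn
 saml idp https://idp.example.com/idp/entity
  url sign-in https://idp.example.com/idp/SSO.saml2
  url sign-out https://idp.example.com/idp/SLO.saml2
  base-url https://vpn.example.com
  trustpoint idp IDP-SIGNING-CERT
  trustpoint sp ASA-SP-CERT
  no signature
  no force re-authentication

! --- ISE reached over RADIUS, used here for authorization only ---
aaa-server ISE-AUTHZ protocol radius
aaa-server ISE-AUTHZ (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! --- Tunnel group: authenticate with SAML, authorize against ISE ---
tunnel-group ANYCONNECT-SAML type remote-access
tunnel-group ANYCONNECT-SAML general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE-AUTHZ
 authorization-required
tunnel-group ANYCONNECT-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/idp/entity
 group-alias SAML-VPN enable
```

The IdP (PingFederate, Azure AD or ADFS in the later replies) must be registered with the ASA's entity ID and assertion consumer URL, and the username the IdP returns in the SAML assertion is what the ASA forwards to ISE for the authorization lookup.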
Thought that may be the case. Thanks
Looking to do this as well: AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO). Did you get it working and/or find documentation?
Thanks.
Hi Tim sorry we didn't get any further with this, we just kept our current deployment with local accounts on ISE.
I am also unsure if you can use SAML auth with a non-mobile, client-based AnyConnect if you were to go down the ASA route that Jason mentioned.
This is possible with Azure AD. But as the colleagues mention, only AnyConnect -> ASA.
If you have multi-factor authentication activated in Azure you can leverage this for your VPN connections when using SAML.
You could do the same with ADFS. You could add MFA to the SAML workflow in ADFS then, as has been stated, your authentication would be AnyConnect > ASA > ADFS (with MFA prompting). I think that would work.
I'm working on similar stuff and I use ISE as well.