cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3895
Views
0
Helpful
5
Replies

ASA + Anyconnect to Azure AD per group access control (without ISE)

Carlos T
Level 1
Level 1

Hi, 

 

Checked many documents videos about Anyconnect + ASA to Azure AD SAML MFA Authentication, and they are focused on the authentication part, but not much about the access-control or authorization after the user/group is authenticated.

 

Can someone help/guide what will be the correct config changes on the ASA and Azure AD to follow a correct migration based on the actual access-control policies we have in place after the user is authenticated?

 

Actual scenario:

We want to migrate the  ASA Anyconnect + on premise AD solution, to the Azure AD SAML.

At the moment the on premise AD have 2 groups: "Sales" and "Finance".

The ASA is configured with 2 tunnel groups "Sales" and "Finance" (matching the On premise AD groups).

The ASA is configured with 2 vpn filters (ACLs) controlling what networks are permitted from "Sales" authenticated users, and which networks are permitted from "Finance" authenticated users (from the AD groups).

 

 

The plan is to replace On premise AD with the Azure AD, but keeping the same policies of per Azure AD group access-control by use of VPN filters on multiple tunnel groups.

 

The integration of the ASA to the Azure AD is very simple and clear and is explained here, and it works fine, but the example is only showing a single tunnel-group:

https://community.cisco.com/t5/security-documents/anyconnect-azure-ad-saml-sso/ta-p/3810013

 

If we want to keep multiple tunnel groups (each calling different group-policies/vpn filters) for the multiple Azure AD groups, Is it that we have to add multiple URL entries (one per tunnel group), so on the Azure AD do we need to add the Identifier twice? URL1 for Profile A (tunnel group A - Sales), and URL2 for Profile B (Tunnel group B - Finance)? I think Azure only allows one identifier per application (couldnt test this at the moment).

 

This is my understanding of the 2 URLs that may be needed to be configured on the Azure AD for the 2 tunnel groups:

my.asa.com = the address at which my ASA is reachable

AC-SAML is the tunnel group name configured for SAML auth.

 

 

SP Metadata:

https://my.asa.com/saml/sp/metadata/Sales (Also your Entity ID - Azure App Section 1)

https://my.asa.com/saml/sp/metadata/Finance (Also your Entity ID - Azure App Section 1)

 

 

Thanks,

CT

2 Accepted Solutions

Accepted Solutions

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @Carlos T,

Yes, for multiple tunnel groups you'll need to add multiple applications (2 of them in your case) on Azure side as well. Please take a look at this post, to save some time about certificates used for Azure integration.

BR,

Milos

View solution in original post

Hi Carlos,

Yes, that is right. This is not the restriction introduced by ASA, bur rather on architecture itself. Azure needs to know where to send token back, and if you have multiple Reply URLs configured, Azure wouldn't know where to return the proper one. I already tried this last year with one of my customers, and we came to a conclusion that it doesn't work if we enter multiple Reply URLs under the same application (although you do have option to do so).

As per my best knowledge, it is not possible to have one application for multiple ASAs/tunnel-groups.

BR,

Milos

View solution in original post

5 Replies 5

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @Carlos T,

Yes, for multiple tunnel groups you'll need to add multiple applications (2 of them in your case) on Azure side as well. Please take a look at this post, to save some time about certificates used for Azure integration.

BR,

Milos

Carlos T
Level 1
Level 1

Thanks Milos for your help!

 

So if we have 200 Azure AD groups (200 ASA tunnel groups), then we need 200 Applications on Azure? Is this correct and they way for scaling?

 

Is not possible to have a single App for all the AD groups/Tunnel groups?

 

I will try to test it soon as soon as I have the resources available

 

Thanks,

CT

Hi Carlos,

Yes, that is right. This is not the restriction introduced by ASA, bur rather on architecture itself. Azure needs to know where to send token back, and if you have multiple Reply URLs configured, Azure wouldn't know where to return the proper one. I already tried this last year with one of my customers, and we came to a conclusion that it doesn't work if we enter multiple Reply URLs under the same application (although you do have option to do so).

As per my best knowledge, it is not possible to have one application for multiple ASAs/tunnel-groups.

BR,

Milos

Hi Milos,

 

Tested the solution and works fine.

 

Thank you!

CT

DIANNE DUNLAP
Level 1
Level 1

We do have this working in the lab with multiple tunnel groups - the certificate business was tricky but instructions are at https://docs.google.com/document/d/10lfDCcEawWu5_T66V70r9IUr1s2suSQLkqDaX1y3b8w/edit?usp=sharing

 

Review Cisco Networking for a $25 gift card