09-02-2025 05:26 AM
Hello everyone,
I need your advice on integrating Microsoft Authenticator (Azure MFA) with my Cisco Always-On VPN setup.
My current setup:
Cisco ASA with SSL VPN (AnyConnect Secure Client, Always-On enabled)
Cisco ISE for authentication and authorization
Active Directory (DNS, domain domain.de)
Internal CA (certificates issued for users)
Group Policy: AOV (used for SSL VPN clients)
Configuration details (short version):
On ASA:
Connection profile: authentication method = certificate only (Primary field = UPN)
AAA server group = ISE
Address pools, DNS servers, split-tunneling list applied
Always-On enabled, start before logon, auto-reconnect configured
On ISE:
External identity source = AD (domain.de)
Authorization Profile: AOV → ASA VPN group policy = AOV
Policy Set: conditions = ASA as network device + Tunnel Group = AOV
Authentication protocols allowed: PAP, MSCHAPv2
So far, authentication works fine with AD + certificates.
What I want to add:
Second factor authentication with Microsoft Authenticator (Azure MFA) for Always-On VPN users.
My questions:
What is the recommended way to integrate ASA + ISE with Microsoft MFA?
Should I use Azure MFA NPS Extension (ISE → NPS → Azure MFA)?
Has anyone deployed this in production, and can share best practices?
Keep Always-On VPN (certificate + AD) but enforce MFA with Microsoft Authenticator for the AOV group.
Thanks in advance for your guidance!
09-03-2025 05:08 AM
Have you considered using SAML to Entra ID instead of bothering with ISE at all?
09-03-2025 05:59 AM
We have a working solution live.
ASA + MFA SAML working as expected.
Reference:
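For readers following the SAML suggestion in the two replies above, this is an added ASA configuration sketch (written for this page, not taken from the thread or from any of the posters' setups) showing what moving the AOV tunnel group from the ISE AAA server group to Entra ID SAML looks like. Placeholders and assumptions: `<tenant-id>` is your Entra tenant ID, `vpn.domain.de` is the assumed public FQDN of the ASA, `ENTRA-SAML-IDP` and `ASA-SSL-TRUSTPOINT` are assumed trustpoint names, and MFA with Microsoft Authenticator is enforced by a Conditional Access policy on the Entra enterprise application, not on the ASA.

```text
! Added example, not from the original thread.
! Assumed values: <tenant-id>, vpn.domain.de, ENTRA-SAML-IDP, ASA-SSL-TRUSTPOINT.

! 1. Import the Entra ID SAML signing certificate (Base64 from the
!    enterprise application's SAML settings) into its own trustpoint.
!    "no ca-check" lets the ASA accept the IdP's leaf certificate.
crypto ca trustpoint ENTRA-SAML-IDP
 enrollment terminal
 no ca-check
crypto ca authenticate ENTRA-SAML-IDP
! (paste the Base64 certificate at the prompt, then type "quit")

! 2. Define the IdP. The "saml idp" value must match the Entra
!    "Azure AD Identifier" exactly; sign-in/sign-out match the
!    application's Login URL and Logout URL.
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp ENTRA-SAML-IDP
  trustpoint sp ASA-SSL-TRUSTPOINT
  no signature
  no force re-authentication
  base-url https://vpn.domain.de

! 3. Switch the AOV tunnel group from the ISE AAA server group to SAML.
!    The group-policy (address pool, DNS, split tunnel) stays as it is.
tunnel-group AOV webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
```

With this base-url and tunnel group, the values to register on the Entra side follow the standard ASA pattern: Identifier (Entity ID) `https://vpn.domain.de/saml/sp/metadata/AOV` and Reply URL (ACS) `https://vpn.domain.de/+CSCOE+/saml/sp/acs?tgname=AOV`; confirm them on the box with `show saml metadata AOV` rather than typing them from memory. Two caveats for the original poster's requirements: the certificate-only check from the ISE design is replaced here by SAML, so if the user certificate must still be validated in addition to the Entra login, check the release's command reference for the combined certificate-and-SAML authentication mode before relying on it, and test Always-On with start-before-logon explicitly, since the SAML login happens in a browser window rather than silently with the certificate.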