
Cisco Firepower and Azure MFA

berket13
Level 1

Hi Guys

I am completely new to Cisco Firepower and ISE. I am trying to assist a client with moving from DUO MFA to Azure MFA on Cisco VPN.

 

The customer uses both Cisco Firepower and ISE in the environment.

The questions are:

1) Can users be moved to Azure MFA in a phased approach (move certain users to Azure MFA in batches), or is it a hard cutover from DUO to Azure MFA?

2) Where does the Azure MFA configuration take place for VPN users? Is it in Firepower or ISE?

 

Thank you

1 Reply

Hi! I'd be happy to help you with your questions regarding the transition from DUO MFA to Azure MFA on Cisco VPN.

1) Yes, you can move users to Azure MFA in a phased approach. You can do this by creating different VPN profiles or connection profiles for different groups of users. One profile would be configured with DUO MFA, and the other profile would be configured with Azure MFA. As you move users in batches, you can simply update their VPN profiles to point to the Azure MFA configuration. This allows for a smooth transition without a hard cutover.

2) The Azure MFA configuration for VPN users can be done in two places, depending on how your customer's environment is set up.

a) If the customer uses ISE as their RADIUS server for authentication, then the Azure MFA configuration would be done in ISE. In this case, you would integrate ISE with Azure MFA using the NPS extension for Azure MFA. Here's a guide on how to integrate ISE with Azure MFA using NPS: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215118-configuring-ise-to-integrate-with-azure.html

b) If the customer uses Firepower Threat Defense (FTD) VPN without ISE, then the Azure MFA configuration would be done in FTD by integrating it with Azure MFA using RADIUS. In this case, you would need to set up a Network Policy Server (NPS) in your environment and then configure the NPS extension for Azure MFA. Once complete, you would point your FTD RADIUS configuration to the NPS server. Here's a guide on how to integrate FTD with Azure MFA using NPS: https://www.51sec.org/2020/03/31/cisco-ftd-azure-mfa-integration/

I hope this helps! If you have any further questions or need more assistance, feel free to ask.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
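
The phased approach described in the reply, sketched as ASA-style connection-profile configuration (an added example, not part of the original post or of Cisco's guides). On FTD these objects are created through the manager and show up in this form in the running configuration; the server group names, profile names, interface name, addresses and key placeholder are all constructed for illustration.

```cisco
! Constructed example: names, interface and addresses are placeholders.

! RADIUS server group for the existing Duo path
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 ! allow time for the user to approve the MFA prompt
 timeout 60

! RADIUS server group for the NPS server running the Azure MFA extension
aaa-server AZURE-NPS protocol radius
aaa-server AZURE-NPS (inside) host 192.0.2.20
 key <shared-secret>
 timeout 60

! Connection profile for users who have not been migrated yet
tunnel-group VPN-DUO type remote-access
tunnel-group VPN-DUO general-attributes
 authentication-server-group DUO-RADIUS
tunnel-group VPN-DUO webvpn-attributes
 group-alias VPN-DUO enable

! Connection profile for each migrated batch
tunnel-group VPN-AZURE type remote-access
tunnel-group VPN-AZURE general-attributes
 authentication-server-group AZURE-NPS
tunnel-group VPN-AZURE webvpn-attributes
 group-alias VPN-AZURE enable
```

Retire the old profile and its server group once the last batch has moved, so it does not remain as a second authentication path.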