cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22389
Views
40
Helpful
24
Replies

Firepower Threat Defense with Anyconnect and Azure MFA

Chess Norris
Level 4
Level 4

Hi,

 

I am planing to implement a MFA solution using Microsoft Azure Cloud and so far most of the Cisco guides using DUO as an example and I have not find a good guide for setting it up with Azure MFA.

The components we are using are.

 

FTD for AWS 6.4

ISE 2.4

Anyconnect 4.6

Microsoft  AD + Azure Cloud MFA 

 

Has anyone set up a solution using similar components and can point me to a guide?

FTD as the option "Use secondary authentication", but if I put the Azure MFA as secondary authentication server, would that mean ISE will be bypassed? I would still like to use ISE for logging purpose. 

 

Best regards

/Chess

 

1 Accepted Solution

Accepted Solutions

I have set this up (at least the Cisco side of things) using ASA. 

ASA has ISE as authentication server and in ISE set up an External Identity source (Radius Token).  Other than that the configuration of AnyConnect is different on FTD I assume that the functionality, or how it works, is the same.  On ASA at least there is no special configuration needed to get MFA to work.  The popup window to enter the MFA code comes automatically when ISE requests additional authentication from the ASA.

But you are correct that there is not much easily findable documentation regarding this scenario with FTD.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn 

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

24 Replies 24

I have set this up (at least the Cisco side of things) using ASA. 

ASA has ISE as authentication server and in ISE set up an External Identity source (Radius Token).  Other than that the configuration of AnyConnect is different on FTD I assume that the functionality, or how it works, is the same.  On ASA at least there is no special configuration needed to get MFA to work.  The popup window to enter the MFA code comes automatically when ISE requests additional authentication from the ASA.

But you are correct that there is not much easily findable documentation regarding this scenario with FTD.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn 

--
Please remember to select a correct answer and rate helpful posts

seems that MFA server is no longer supported:

 

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

The poster is using Azure MFA as stated in his original post.

--
Please remember to select a correct answer and rate helpful posts

Of course, 

 

I would like to ask if you are using NPS with Azure MFA agent or Azure MFA server (which I read is going out of support).

 

In any way what is your experience? with Azure MFA through ISE do you authenticate using RADIUS only or do you need to enable SAML?

Also in such scenario if you can apply any type or additional condition like location rules from the originating user.

 

Thanks

Thank you Marius,

 

I believe that the VPN configuration would be the same on FTD as on the ASA, but I was told we need the "secondary authentication" function for MFA to work which is available in version 6.4. (See screenshot below)

But now I am thinking it might only be necessary in cases where there is no ISE server available. 

 

FTD_Seconary_Authentication.JPG

Hello @Chess Norris - did you ever get this implemented? I am also looking to integrate Azure MFA with AnyConnect and FTD. I also have an ISE server, but I don't think ISE can work with AzureMFA/SAML yet.

No success yet. I have just created a TAC case, but I am not too optimistic. Looks like DUO is the way to go.

 

 

@cfitzgerald  We were able to get it to work finally. I was not involved in the NPS configuration, but the configuration in ISE was quite simple. We already added the NPS server as a "Radius token" in ISE and also created the authentication and authorization policy that matched the correct tunnel-group from FTD.

What we missed, was to add the radius token (NPS) server as an Identity Source Sequence in the All_User_ID_Store. After doing so, everything started to work.

 

/Chess

Can you apply geolocation rules for authentication in Azure MFA?

 

Are you using Azure plugin in NPS?

You should be able to add a geolocation rule if you want to block certain countrys for accessing the VPN portal or connect via Anyconnect. 

I am not sure what they used on the Azure side. I was not part of that configuration.

 

/Chess

The Geolocation rule feature in FTD is not available for use with traffic TO the firewall, only traffic THROUGH the firewall.

If the MFA solution has a Geolocation feature that can be used for this sort of protection.

I believe is Azure, that's done has described here:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

For those using Duo MFA, it also has this feature.

Hi @Chess Norris ,

Can you please specify if you used an on-premise NPS server or the NPS extension for Azure AD on cloud? I'm trying to prepare a testing environment for AnyConnect access with FTD using ISE and Microsoft Azure MFA on-cloud but i was not able to find any document about it.

Thanks in advance,

Alessandro

You have to use an on-prem NPS server with the Azure MFA extension installed on it.

Thanks,

i found some documents about this type of implementation, i'll test in the next days to see if it works!

Regards,

Review Cisco Networking for a $25 gift card