seems that MFA server is no longer supported:

As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

The poster is using Azure MFA as stated in his original post.

Of course, 

I would like to ask if you are using NPS with Azure MFA agent or Azure MFA server (which I read is going out of support).

In any way what is your experience? with Azure MFA through ISE do you authenticate using RADIUS only or do you need to enable SAML?

Also in such scenario if you can apply any type or additional condition like location rules from the originating user.

Thanks

Thank you Marius,

I believe that the VPN configuration would be the same on FTD as on the ASA, but I was told we need the "secondary authentication" function for MFA to work which is available in version 6.4. (See screenshot below)

But now I am thinking it might only be necessary in cases where there is no ISE server available. 

Hello @Chess Norris - did you ever get this implemented? I am also looking to integrate Azure MFA with AnyConnect and FTD. I also have an ISE server, but I don't think ISE can work with AzureMFA/SAML yet.

No success yet. I have just created a TAC case, but I am not too optimistic. Looks like DUO is the way to go.

@cfitzgerald  We were able to get it to work finally. I was not involved in the NPS configuration, but the configuration in ISE was quite simple. We already added the NPS server as a "Radius token" in ISE and also created the authentication and authorization policy that matched the correct tunnel-group from FTD.

What we missed, was to add the radius token (NPS) server as an Identity Source Sequence in the All_User_ID_Store. After doing so, everything started to work.

/Chess

Can you apply geolocation rules for authentication in Azure MFA?

Are you using Azure plugin in NPS?

You should be able to add a geolocation rule if you want to block certain countrys for accessing the VPN portal or connect via Anyconnect. 

I am not sure what they used on the Azure side. I was not part of that configuration.

/Chess

The Geolocation rule feature in FTD is not available for use with traffic TO the firewall, only traffic THROUGH the firewall.

If the MFA solution has a Geolocation feature that can be used for this sort of protection.

I believe is Azure, that's done has described here:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

For those using Duo MFA, it also has this feature.

Hi @Chess Norris ,

Can you please specify if you used an on-premise NPS server or the NPS extension for Azure AD on cloud? I'm trying to prepare a testing environment for AnyConnect access with FTD using ISE and Microsoft Azure MFA on-cloud but i was not able to find any document about it.

Thanks in advance,

Alessandro

You have to use an on-prem NPS server with the Azure MFA extension installed on it.

Thanks,

i found some documents about this type of implementation, i'll test in the next days to see if it works!

Regards,