05-14-2020 12:42 AM - edited 05-14-2020 01:08 AM
Hi,
I am planning to implement an MFA solution using Microsoft Azure Cloud, and so far most of the Cisco guides use DUO as an example; I have not found a good guide for setting it up with Azure MFA.
The components we are using are:
FTD for AWS 6.4
ISE 2.4
Anyconnect 4.6
Microsoft AD + Azure Cloud MFA
Has anyone set up a solution using similar components and can point me to a guide?
FTD has the option "Use secondary authentication", but if I put the Azure MFA as secondary authentication server, would that mean ISE will be bypassed? I would still like to use ISE for logging purposes.
Best regards
/Chess
05-14-2020 11:44 AM
I have set this up (at least the Cisco side of things) using ASA.
ASA has ISE as authentication server, and in ISE I set up an External Identity Source (RADIUS Token). Other than that the configuration of AnyConnect is different on FTD, I assume that the functionality, or how it works, is the same. On ASA at least there is no special configuration needed to get MFA to work. The popup window to enter the MFA code comes automatically when ISE requests additional authentication from the ASA.
But you are correct that there is not much easily findable documentation regarding this scenario with FTD.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn
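The behaviour described in the post above (the MFA prompt appearing "automatically when ISE requests additional authentication") is the standard RADIUS challenge flow: the gateway sends Access-Request, the server answers Access-Challenge with a State attribute and a Reply-Message, and the gateway sends a second Access-Request echoing State with the code the user typed. The following is an added example, not code from this thread or from Cisco or Microsoft, that models that exchange with the Python standard library only. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; ChallengeServer, SHARED_SECRET, SAMPLE_USERS and the Reply-Message text are constructed stand-ins for the ISE/NPS side.

```python
"""RADIUS (RFC 2865) challenge/response on the standard library only: a constructed model
of the round trips behind the AnyConnect MFA prompt (Request -> Challenge -> Request + State)."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 (only those used here)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# Constructed sample data: shared secret and one user (directory password, current OTP)
SHARED_SECRET = b"constructed-shared-secret"
SAMPLE_USERS = {"chess": (b"Winter2020!", b"123456")}

def password_xor(data, secret, auth, reveal=False):
    """RFC 2865 5.2 User-Password hiding (or its inverse): block XOR MD5(secret + prev block)."""
    data = data if reveal else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (block if reveal else xored)
    return out.rstrip(b"\x00") if reveal else out

def packet(code, ident, auth, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(raw):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, ln = struct.unpack("!BB", raw[i:i + 2])
        if ln < 2 or i + ln > length:
            raise ValueError("malformed attribute")
        attrs.append((t, raw[i + 2:i + ln]))
        i += ln
    return code, ident, raw[4:20], attrs

def response(code, ident, req_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)."""
    raw = packet(code, ident, bytes(16), attrs)
    return raw[:4] + hashlib.md5(raw[:4] + req_auth + raw[20:] + secret).digest() + raw[20:]

def verify_response(raw, req_auth, secret):
    """The gateway must check this before acting on an Accept or a Challenge."""
    expected = hashlib.md5(raw[:4] + req_auth + raw[20:] + secret).digest()
    return hmac.compare_digest(raw[4:20], expected)

def access_request(ident, secret, username, credential, state=None):
    """Access-Request with a fresh random Request Authenticator; State echoes the server's."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, password_xor(credential.encode(), secret, auth))]
    if state is not None:
        attrs.append((STATE, state))
    return packet(ACCESS_REQUEST, ident, auth, attrs), auth

class ChallengeServer:
    """Constructed stand-in for the ISE -> NPS/MFA-extension chain: directory password
    first, then the one-time code that is sent back together with State."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, raw):
        _, ident, req_auth, attrs = parse(raw)
        a = dict(attrs)
        user = a[USER_NAME].decode()
        cred = password_xor(a[USER_PASSWORD], self.secret, req_auth, reveal=True)
        if STATE not in a:                                # step 1: first factor
            if self.users.get(user, (None, None))[0] != cred:
                return response(ACCESS_REJECT, ident, req_auth, self.secret, [])
            state = os.urandom(8)                         # opaque and single use
            self.pending[state] = user
            return response(ACCESS_CHALLENGE, ident, req_auth, self.secret,
                            [(STATE, state), (REPLY_MESSAGE, b"Enter your verification code")])
        # step 2: State must be outstanding for this user, then the code is checked
        if self.pending.pop(a[STATE], None) == user and self.users[user][1] == cred:
            return response(ACCESS_ACCEPT, ident, req_auth, self.secret, [])
        return response(ACCESS_REJECT, ident, req_auth, self.secret, [])

def run_exchange(server, secret, username, password, otp):
    """Play the gateway: send the password, then the code if challenged; return codes seen."""
    codes, state = [], None
    for ident, credential in ((1, password), (2, otp)):
        req, auth = access_request(ident, secret, username, credential, state)
        resp = server.handle(req)
        if not verify_response(resp, auth, secret):
            raise ValueError("Response Authenticator mismatch: discard the packet")
        code, _, _, attrs = parse(resp)
        codes.append(code)
        if code != ACCESS_CHALLENGE:
            break
        state = dict(attrs)[STATE]                        # AnyConnect prompts for the code here
    return codes
```

Running `run_exchange(ChallengeServer(SHARED_SECRET, SAMPLE_USERS), SHARED_SECRET, "chess", "Winter2020!", "123456")` returns `[11, 2]`, i.e. Challenge then Accept; a wrong password returns `[3]` without any challenge. Two points the model makes visible: the gateway has to verify the Response Authenticator before honouring a Challenge or Accept, and User-Password hiding is MD5-keyed XOR with the shared secret rather than encryption, so the FTD-to-ISE and ISE-to-NPS legs should run over a protected path (RadSec or an IPsec tunnel) rather than bare UDP. The State attribute is the only thing tying the second request to the first, which is why the server treats it as single-use.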
05-14-2020 11:49 AM
It seems that MFA Server is no longer supported:
As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
05-14-2020 12:57 PM
The poster is using Azure MFA as stated in his original post.
05-14-2020 01:13 PM
Of course,
I would like to ask if you are using NPS with the Azure MFA agent or Azure MFA Server (which I read is going out of support).
In any case, what is your experience? With Azure MFA through ISE, do you authenticate using RADIUS only, or do you need to enable SAML?
Also, in such a scenario, can you apply any type of additional condition, like location rules, based on the originating user?
Thanks
05-14-2020 11:41 PM - edited 05-14-2020 11:44 PM
Thank you Marius,
I believe that the VPN configuration would be the same on FTD as on the ASA, but I was told we need the "secondary authentication" function for MFA to work which is available in version 6.4. (See screenshot below)
But now I am thinking it might only be necessary in cases where there is no ISE server available.
07-06-2020 01:58 PM
Hello @Chess Norris - did you ever get this implemented? I am also looking to integrate Azure MFA with AnyConnect and FTD. I also have an ISE server, but I don't think ISE can work with AzureMFA/SAML yet.
07-07-2020 05:29 AM - edited 07-15-2020 05:34 AM
No success yet. I have just created a TAC case, but I am not too optimistic. Looks like DUO is the way to go.
07-15-2020 05:35 AM
@cfitzgerald We were able to get it to work finally. I was not involved in the NPS configuration, but the configuration in ISE was quite simple. We already added the NPS server as a "Radius token" in ISE and also created the authentication and authorization policy that matched the correct tunnel-group from FTD.
What we missed, was to add the radius token (NPS) server as an Identity Source Sequence in the All_User_ID_Store. After doing so, everything started to work.
/Chess
07-15-2020 06:26 AM
Can you apply geolocation rules for authentication in Azure MFA?
Are you using Azure plugin in NPS?
07-16-2020 04:39 AM - edited 07-16-2020 04:42 AM
You should be able to add a geolocation rule if you want to block certain countries from accessing the VPN portal or connecting via AnyConnect.
I am not sure what they used on the Azure side. I was not part of that configuration.
/Chess
07-16-2020 12:16 PM
The Geolocation rule feature in FTD is not available for use with traffic TO the firewall, only traffic THROUGH the firewall.
If the MFA solution has a Geolocation feature, that can be used for this sort of protection.
I believe in Azure that's done as described here:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
For those using Duo MFA, it also has this feature.
10-26-2020 09:15 AM
Hi @Chess Norris ,
Can you please specify if you used an on-premise NPS server or the NPS extension for Azure AD in the cloud? I'm trying to prepare a testing environment for AnyConnect access with FTD using ISE and Microsoft Azure MFA in the cloud, but I was not able to find any document about it.
Thanks in advance,
Alessandro
10-26-2020 09:47 AM
You have to use an on-prem NPS server with the Azure MFA extension installed on it.
10-27-2020 06:58 AM
Thanks,
I found some documents about this type of implementation; I'll test in the next days to see if it works!
Regards,