05-14-2020 12:42 AM - edited 05-14-2020 01:08 AM
Hi,
I am planning to implement an MFA solution using Microsoft Azure Cloud, and so far most of the Cisco guides use DUO as an example; I have not found a good guide for setting it up with Azure MFA.
The components we are using are:
FTD for AWS 6.4
ISE 2.4
Anyconnect 4.6
Microsoft AD + Azure Cloud MFA
Has anyone set up a solution using similar components and can point me to a guide?
FTD has the option "Use secondary authentication", but if I put the Azure MFA as the secondary authentication server, would that mean ISE will be bypassed? I would still like to use ISE for logging purposes.
Best regards
/Chess
12-07-2020 10:01 AM
Hey Chess, we are also going to be attempting the implementation of Azure MFA (we have on-premises AD that I have to join/sync with Azure AD) with our AnyConnect VPN and Firepower 1120 FTD.
What I am trying to determine is if we have to purchase Cisco ISE separately, or does our FTD software or underlying firmware on our FP1120 have an embedded ISE server? This is a core component from what I have read.
Also I presume you had to configure a RADIUS server to communicate with the NPS server, which I think would just be the AnyConnect host, no?
Thanks in advance.
12-07-2020 10:43 AM
@sysnet_striver Cisco ISE is not free. It is a licensed product and runs on its own separate server(s).
12-07-2020 11:02 AM
You don't need ISE to integrate with Azure MFA. ISE is a RADIUS server, just like Microsoft's NPS server role. You will need an on-prem NPS server with the Azure MFA extension installed.
01-05-2021 07:56 PM
After learning more about NAC, it seems to me that ISE is not a must-have, as its functionality can be more or less achieved with AnyConnect, a RADIUS/NPS server and Azure MFA.
01-05-2021 11:07 PM
Or, as of FTD 6.7, you can just use SAML directly to Azure for Authentication. Only if you want to do additional things with authorization would you need an on-premises solution for Authorization services (e.g. Microsoft NPS or Cisco ISE).
More to come along this line when FTD 6.8 comes out...
01-06-2021 05:09 AM
Yes, I was hopeful that FTD 6.7 would simplify our infrastructure with direct SAML support for VPN Auth. However, I have heard that AnyConnect does not support SAML for "Start Before Login". SBL is important for us, so we are going to have to keep NPS with the Azure MFA extension.
Also, we need Authorization so we can assign a specific Group Policy depending on which user is logging in to the VPN, so I am working on getting an FTD>ISE>NPS sequence working. (NPS has an Authn limitation in that certain MFA scenarios cannot send RADIUS AVP pairs, such as Group Policy, back to AnyConnect.)
01-06-2021 05:15 AM
One thing I will add here is that NPS has a limitation where it does not return any RADIUS attributes to the VPN client under certain MFA scenarios. We need to assign different AnyConnect Group Policies to different users, and this requires returning the "Class(25)" attribute back to the client. So this shortcoming of NPS has meant I am implementing ISE which will act as a "RADIUS Proxy" between the VPN client and NPS for Authentication, and then ISE takes over for Authorization, which works correctly for the attributes.
"if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed. But any RADIUS attributes that are configured in the Network Access Policy are not forwarded to the RADIUS client (the Network Access Device, like the VPN gateway). As a result, the VPN client might have more access than you want it to have, or less access or no access."
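The quickest way to confirm the failure mode described in the two posts above is to look at the RADIUS Access-Accept the VPN gateway actually receives (from a packet capture on the FTD or NPS side) and check whether Class(25) is in it. The following is an added example, not code from the thread or from Cisco or Microsoft: a minimal RADIUS reply parser with constructed sample packets (the user name, the "OU=vpn-admins" Class value and the zeroed authenticator are all made up) that reports whether an accept came back with or without the Class attribute.

```python
"""Inspect a RADIUS reply and report whether Class(25) was returned.

Added example for the NPS/Azure MFA extension case discussed above.
Packets here are constructed for illustration; the authenticator field
is zeroed because no shared secret is involved in parsing.
"""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_CLASS = 25
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 25: "Class", 26: "Vendor-Specific"}


def parse_attributes(payload: bytes) -> list:
    """Walk the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        # RFC 2865: attribute length includes the 2 header bytes, so 2 is the minimum
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into code, identifier and attribute list."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    return {"code": code, "id": ident, "attrs": parse_attributes(packet[20:length])}


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a constructed test packet (authenticator zeroed, no secret used)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def check_authz(packet: bytes) -> dict:
    """Classify the reply from the VPN gateway's point of view.

    'accepted-without-class' is the case the Microsoft note describes: the
    user authenticated, but no Class attribute came back, so the gateway
    cannot map the user to a group policy.
    """
    msg = parse_radius(packet)
    names = [ATTR_NAMES.get(t, f"Attr-{t}") for t, _ in msg["attrs"]]
    cls = next((v for t, v in msg["attrs"] if t == ATTR_CLASS), None)
    if msg["code"] != ACCESS_ACCEPT:
        verdict = "rejected"
    elif cls is None:
        verdict = "accepted-without-class"
    else:
        verdict = "accepted-with-class"
    return {
        "verdict": verdict,
        "class": cls.decode("utf-8", "replace") if cls is not None else None,
        "attributes": names,
    }


if __name__ == "__main__":
    # Constructed samples: one reply carrying Class(25), one missing it.
    good = build_packet(ACCESS_ACCEPT, 1, [(1, b"alice"), (ATTR_CLASS, b"OU=vpn-admins")])
    missing = build_packet(ACCESS_ACCEPT, 2, [(1, b"alice")])
    for pkt in (good, missing):
        print(check_authz(pkt))
```

Feed the parser the UDP payload of a captured reply (e.g. exported from a pcap) to see what the gateway was given. The "OU=..." form used in the sample is the Class value shape that ASA/FTD documentation describes for group-policy assignment; a reply classified as "accepted-without-class" is exactly the case where an ISE RADIUS proxy in front of NPS, as described above, restores the authorization step.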
01-06-2021 07:14 AM
Appreciate the informative notes. We are about to receive a quote for Aruba ClearPass; I expect it to be prohibitively expensive (Cisco ISE being even more so), so I have to explain to my CTO why a NAC is required, while still trying to determine if it actually is necessary and how I can achieve network device authentication/authorization fortification instead of using a full-fledged NAC solution.
04-26-2021 05:20 PM
I have a customer who is looking to ditch their NPS servers (which are working quite well with the Azure plugin to allow them to do MFA and AnyConnect etc.). The question is whether ISE should be taken out of the equation and SAML auth only used on the FTD? If I understand correctly, the limitation of doing that is that the SAML method does not return attributes to the FTD to allow more fine-grained control per user group? And that is why we'd get ISE into the mix to perform the final Authorization, BUT ... in that case the Authentication piece does not work? I am confused.
04-27-2021 01:59 AM
Arne,
In the remote access VPN connection profile AAA tab, simply make the Authentication server the Azure IdP and the Authorization server ISE.