12-06-2024 05:58 AM
I am trying to set up MFA for Cisco AnyConnect VPN with Microsoft Azure. However, when I download the certificate from Microsoft and import it into the ASA, and use the command:
crypto ca trustpoint AzureAD-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-SAML
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
quit
webvpn
 saml idp https://******
  url sign-in https://******
  url sign-out https://*****
  trustpoint idp AzureAD-SAML
  trustpoint sp ASA-EXTERNAL-CERT
  no force re-authentication
  no signature
  base-url https://*****
tunnel-group AnyConnectVPN-1 webvpn-attributes
 saml identity-provider https://********
 authentication saml
end
our users are still being authenticated via the local AAA user group instead of SAML. When I check the AnyConnect profile on the ASA, the authentication method is set to SAML, but the AAA server group is still set to 'local,' and there is no option to select SAML. In the AAA server group configuration, I only see 'ISE-RADIUS' and 'local.'
My question is: how can I add the SAML authentication method or configure SAML as an AAA server group?
Thank you
12-06-2024 06:30 AM
Check and verify that the connection profile (tunnel-group and group-policy) being used by your users matches the one you expect. Most often, the symptom you describe comes from users hitting the wrong one of those.
12-06-2024 06:37 AM
Thank you, Marvin. Yes, the tunnel-group is correct. I've created a test tunnel group and assigned a test user to this group with the correct group policy. However, our users are currently using a different tunnel-group, and I just want to set up MFA before migrating all users to this new profile and policy.
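One way to act on the advice above (check which connection profile users actually hit), as an added example that is not part of this thread and not Cisco's own tooling: a small Python checker that parses the tunnel-group blocks out of a saved running-config, records for each one whether it authenticates with `authentication saml` or with its `authentication-server-group` (the ASA default is LOCAL when none is set), and resolves which tunnel-group a client reaches for a given group-url or group-alias. The configuration embedded below is a constructed sample with placeholder names, URLs and tenant ID, not the poster's config; the URL normalisation (case-insensitive, trailing slash ignored) is a simplifying assumption.

```python
"""Report how each ASA AnyConnect tunnel-group authenticates and which one a client lands on.

Added example, not from the thread. SAMPLE_CONFIG is a constructed fragment with placeholder
values; feed parse_tunnel_groups() the text of `show running-config` for a real check.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one legacy profile on ISE-RADIUS, one SAML profile. Neither is the
# default, so an unmatched URL falls through to DefaultWEBVPNGroup and LOCAL authentication.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 tunnel-group-list enable
tunnel-group AnyConnectVPN-1 type remote-access
tunnel-group AnyConnectVPN-1 general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy GP-STAFF
tunnel-group AnyConnectVPN-1 webvpn-attributes
 group-alias Staff enable
 group-url https://vpn.example.com/staff enable
tunnel-group AnyConnectVPN-SAML type remote-access
tunnel-group AnyConnectVPN-SAML general-attributes
 default-group-policy GP-SAML
tunnel-group AnyConnectVPN-SAML webvpn-attributes
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 authentication saml
 group-url https://vpn.example.com/saml enable
"""


@dataclass
class TunnelGroup:
    name: str
    auth_method: str = "aaa"        # becomes "saml" once `authentication saml` is seen
    server_group: str = "LOCAL"     # ASA default when no authentication-server-group is set
    saml_idp: Optional[str] = None
    group_urls: List[str] = field(default_factory=list)
    group_aliases: List[str] = field(default_factory=list)


def _norm_url(url: str) -> str:
    # Assumption/simplification: case-insensitive match, trailing slash ignored.
    return url.strip().rstrip("/").lower()


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Walk the config line by line, tracking which tunnel-group section we are inside."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    section: Optional[str] = None
    for raw in config.splitlines():
        raw = raw.rstrip()
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        m = re.match(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)$", raw)
        if m:
            current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            section = m.group(2)
            continue
        m = re.match(r"tunnel-group (\S+) type ", raw)
        if m:
            groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            current, section = None, None
            continue
        if not raw.startswith(" "):          # any other top-level command ends the block
            current, section = None, None
            continue
        if current is None:
            continue
        line = raw.strip()
        if section == "general-attributes":
            m = re.match(r"authentication-server-group (\S+)", line)
            if m:
                current.server_group = m.group(1)
        elif section == "webvpn-attributes":
            if line == "authentication saml":
                current.auth_method = "saml"
            m = re.match(r"saml identity-provider (\S+)", line)
            if m:
                current.saml_idp = m.group(1)
            m = re.match(r"group-url (\S+)", line)
            if m:
                current.group_urls.append(_norm_url(m.group(1)))
            m = re.match(r"group-alias (\S+)", line)
            if m:
                current.group_aliases.append(m.group(1))
    return groups


def resolve_entry(groups: Dict[str, TunnelGroup], url: Optional[str] = None,
                  alias: Optional[str] = None) -> TunnelGroup:
    """Tunnel-group a client reaches: group-url match first, then alias, else the ASA default."""
    if url is not None:
        for tg in groups.values():
            if _norm_url(url) in tg.group_urls:
                return tg
    if alias is not None:
        for tg in groups.values():
            if alias in tg.group_aliases:
                return tg
    return groups.get("DefaultWEBVPNGroup", TunnelGroup("DefaultWEBVPNGroup"))


def describe(tg: TunnelGroup) -> str:
    how = f"SAML via {tg.saml_idp}" if tg.auth_method == "saml" else f"AAA server group {tg.server_group}"
    return f"{tg.name}: {how}"


if __name__ == "__main__":
    parsed = parse_tunnel_groups(SAMPLE_CONFIG)
    for tg in parsed.values():
        print(describe(tg))
    for probe in ("https://vpn.example.com/saml", "https://vpn.example.com/staff", "https://vpn.example.com/"):
        print(probe, "->", describe(resolve_entry(parsed, url=probe)))
```

Running it against the sample shows the point of the reply above: a client using the bare portal URL, or an alias that belongs to the old profile, never reaches the tunnel-group that carries `authentication saml`, and the ASA authenticates it against whatever server group that other profile has (LOCAL if none). Checking the SAML profile's group-url or alias is what ends up in the client's profile XML is the quickest way to confirm users are landing where the SAML configuration lives.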