Beginner

VPN o365 MFA authentication with Cisco ISE

Dear All,

 

Looking for help with the scenario below.

 

We have a Cisco ISE setup to authenticate VPN users and are trying to do a compliance check with posture assessment. Based on the posture status, the VPN user will receive an authorization profile. We also want to do o365 MFA for VPN users.

 

1. Is it supported by Cisco ISE? If yes, how can we achieve the same?

2. Is my understanding correct that Cisco ISE will not check the posture until the RADIUS session is being maintained on ISE? Meaning, without sending the authentication request to ISE, posture and enforcement are not possible?

3. What is the best way to achieve MFA with ISE for VPN users?

 

Thanks a lot in advance.

 

Regards,

MD

 

2 REPLIES
VIP Advisor

Re: VPN o365 MFA authentication with Cisco ISE

Personally, I suggest the method below:

 

https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231

BB
*** Rate All Helpful Responses ***
Cisco Employee

Re: VPN o365 MFA authentication with Cisco ISE

1 & 3: I would suggest configuring it for SAML auth with the ASA as the SP. See "AnyConnect: Azure AD SAML SSO - Cisco Community" and then configure the ASA to perform authorize-only to ISE.

If using RADIUS, Azure is no longer supporting the on-prem MFA server, so you would need NPS. See "Deploy cloud-based MFA".

2: You are correct on this.
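
The SAML-plus-authorize-only design suggested in the reply above, sketched as ASA configuration. This is an added example, not configuration from the thread or from the linked Cisco documents; the group names, trustpoint names, address, hostname and `<placeholders>` are all assumptions. Azure AD performs authentication and MFA, while ISE still receives a RADIUS session for the user, which is what posture and enforcement depend on (question 2).

```cisco
! Constructed example: every name, address and <placeholder> is an assumption.
!
! RADIUS server group pointing at ISE, used for authorization only.
! authorize-only: the ASA asks ISE for authorization without sending a password.
! dynamic-authorization: accept CoA from ISE so the authorization profile
! can change once the posture status is known.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Azure AD as the SAML IdP; the ASA is the SP. MFA is enforced by Azure AD.
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP
  trustpoint sp ASA-SP-CERT
!
! Connection profile: authenticate with SAML, authorize and account with ISE.
tunnel-group VPN-SAML type remote-access
tunnel-group VPN-SAML general-attributes
 authorization-server-group ISE
 accounting-server-group ISE
tunnel-group VPN-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
```

The posture redirect ACL and the ISE authorization policy are not shown here; they are configured as in a standard ISE posture deployment.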