Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1114
Views
0
Helpful
2
Replies

VPN o365 MFA authntictaion with Cisco ISE

Go to solution
munish.dhiman1
Level 1
Level 1

‎11-08-2019 03:55 AM

Dear All,

 

Looking for help for the below scenario. 

 

We have a Cisco ISE setup to authenticate VPN users and trying to do compliance check with Posture assessment. Based on the posture status VPN user will receive an authorization profile.  We also want to do the o365 MFA for VPN users. 

 

1. Is it supported by Cisco ISE? if yes how can we achieve the same?

2. Is my understanding correct on , Cisco ISE will not check the posture until the radius session is being maintained on ISE. Means without sending the authentication request to ISE, posture, and Enforcement is not possible?

3. What is the best way to achieve the MFA with ISE for VPN users/

 

Thanks a lot in Advance.

 

Regards,

MD

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎11-11-2019 12:35 PM - edited ‎11-11-2019 12:36 PM

1 & 3: I would suggest to configure it for SAML auth with the ASA as the SP. See AnyConnect: Azure AD SAML SSO - Cisco Community and then configure ASA to perform authorize-only to ISE

 If using RADIUS, Azure is no longer supporting on-prem MFA server so you would need NPS. Deploy cloud-based MFA

2: You are correct on this.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-08-2019 04:54 AM

personally, suggest the below method :

 

https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎11-11-2019 12:35 PM - edited ‎11-11-2019 12:36 PM

1 & 3: I would suggest to configure it for SAML auth with the ASA as the SP. See AnyConnect: Azure AD SAML SSO - Cisco Community and then configure ASA to perform authorize-only to ISE

 If using RADIUS, Azure is no longer supporting on-prem MFA server so you would need NPS. Deploy cloud-based MFA

2: You are correct on this.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents