
Multi-Factor Authentication with ISE.pdf


Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.

Comments
Beginner
Does this only work with the on-premises or Cloud Azure service directly? We have a use case where we are using NPS to connect to Azure, and I can't figure out how to make this work in that instance.
Beginner

I have followed this guide, but Azure MFA is still not functioning with ISE. When the Azure MFA server is removed from the process, Authentication and Authorization happen successfully. When the Azure MFA server is part of the process, Authentication fails immediately.

Beginner
I just came across this after finally getting 2FA to work with ISE and PingID. Here is the issue I am being asked to try and figure out. If the user has the application and does not swipe up in time, you can see the one-time code. Can I get the VPN session to prompt for that code if the application swipe does not happen in a set amount of time? When I use TACACS with this solution and I do not swipe up in time, I can open the app and get the code and it is accepted. I just never get this prompt on VPN and I am unsure how or what to do in order to get this prompt.
Beginner

@McDVOICE wrote:

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.


When the Azure MFA server is removed from the process, Authentication and Authorization happen successfully. When the Azure MFA server is part of the process, Authentication fails immediately.

Beginner

We use the MFA on-prem; we are moving to an off-prem server. I have not tested it yet, but we have a direct connection to where the off-prem is going to be.

We do not use TACACS for device access; I have found that with this configuration it does not work. I have not had time to work on that part.

With AnyConnect, if you use codes, the ASA will ask for a code, as will Cisco devices that are being accessed with multifactor, as long as you are using RADIUS and PAP_ASCII. In the ISE documentation, the last time I looked, MSCHAP V2 does not support an external RADIUS server.

I am going to change the email address I use for these because it is an older one. If you guys could show me how you have your MFA server configured and what protocol you are using (TACACS or RADIUS), that may help. I will take that info and update the document.

Beginner

Hi Richard,

Have you managed to test integration of ISE and Cloud Azure MFA? We have a solution we would like to test and it involves ASA, ISE 2.4, Anyconnect and Cloud Azure.

Thanks

Beginner

Hi tebogo pholo1, we currently use an on-prem MFA. We are moving to a Cloud Azure MFA, but we have a direct connect, so it should just be us pointing to the new server IPs. Our cloud MFA server is going to be built just like our on-prem MFA server. When we do make that change I can update this and let you know how it went. We were going to test it before the whole COVID-19 thing. The way I test the MFA servers is with a test ISE appliance and some other devices like an ASA or switch and have it directly to the MFA server.

Beginner

@Richard Lucht wrote:

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.


Hi Richard,

Have you tested your ISE with cloud Azure MFA yet? We're also investigating this setting. However, a Cisco rep told us that ISE can't send a 2nd authentication request to Cloud Azure MFA. Look forward to your response.

Thanks,

Vanessa