The purpose of this article is to share our remote-working experience: we successfully set up an AnyConnect VPN configuration for remote workers using corporate laptops, authenticated via machine certificate, Active Directory login and password, and Microsoft Azure MFA via Microsoft Authenticator.
I would like to thank all of my colleagues who helped in solving that architecture: Alain TREMBLAY, Benjamin HUBERT, Robert NELTA, Bertrand NGALO, and Roland NGUYEN MANH, our NPS and Azure guru. I would also like to thank Eduardo CRUZ from our Cisco CX team, who pointed out the appropriate AnyConnect parameters.
First, we will focus on the FTD part (6.6.1 in our case) on the FMC (6.6.1 also).
Once in the Remote Access policy, create a new Connection Profile. Because we wanted to use an external DHCP server (and not an internal pool), we set up the bottom part with our Infoblox IPAM servers (already created in the object management tab):
In the second tab, we select Client Certificate + AAA (this assumes that the Certificate Authority used to sign the AnyConnect-enabled devices is already loaded into the FMC):
Do not forget to set the alias (the URL) of the Connection Profile :
Then we need to set up the Group Policy. Be careful with the Group Policy name, because this name will be reused in the ISE configuration:
No address pool configuration here, because we rely on the Infoblox external DHCP server:
Only the default domain is mandatory :
In our case, even though the Cisco AnyConnect VPN client profile is pushed via GPO, we force the use of the appropriate XML file via the Group Policy AnyConnect Profile feature:
We also use an Advanced > Traffic filter > ACL because we want to enable NetBIOS filtering (at a later time):
Now the ISE part. In our case we use 2 x Windows 2019 servers configured with the NPS role and the NPS Extension enabled, so we are going to configure them as RADIUS proxies:
After External RADIUS Servers are listed, we create a RADIUS Server Sequence :
The most important parts here are:
the "NAS-ID" attribute sent to the NPS servers (which will be reused to filter on the NPS side)
the attributes added before the Access-Accept is sent back to the FTD:
CVPN3000/ASA/PIX7x-DHCP-Network-Scope 10.x.y.0, which is the scope where the AnyConnect client has to request an IP
We were quite confident that the Primary and Secondary DNS servers were not necessary here, but if we remove the attributes, the result is a non-working condition.
With that incredible bug, once the RADIUS Server Sequence is set up, if you touch it, it does not work anymore (and it is very difficult to find out why). We found that bug during a night when we were almost sleeping over our keyboards and joked: "dude, maybe this is an ISE bug" ... we went through the bug search tool, and we found one.
Once we are done, create a Policy Set with the appropriate Group Policy as filter and the RADIUS Server Sequence:
Now the NPS part :
In our setup we also restrict VPN access to users who are members of a specific group. The NAS ID used in the CONDITIONS is the NAS ID parameter we set in the RADIUS Server Sequence advanced tab:
Regarding authentication methods, it seems we could select only the first one, but if we do that, it does not work, so we ticked the boxes shown here:
To make a complete document, here are some tricks for the AnyConnect VPN:
we use the MACHINE Windows Certificate Store and the SYSTEM macOS Certificate Store
it is MANDATORY to use Certificate Store Override, because AnyConnect runs in an unprivileged user mode and needs to access the Machine Personal Certificate Store (where the auto-enroll certificate GPO pushed the certificate); if you do not tick override, it does not work
And thanks to Eduardo, we edited the XML file to set "AutomaticCertSelection" to TRUE, which makes the end-user experience much better (the machine certificate is selected without prompting the user to choose a certificate); so the user only gets the login/password prompt, followed by the MFA prompt on his iPhone:
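As an added example (not code from the original article), here is a small Python check that parses an AnyConnect client profile XML and reports whether the four settings discussed above (CertificateStore, CertificateStoreMac, CertificateStoreOverride, AutomaticCertSelection) carry the values used in this setup; the sample profile and host name are constructed, and the check only verifies the exported XML, it does not talk to the FMC.

```python
"""Check an AnyConnect client profile XML for the settings this article relies on."""
import xml.etree.ElementTree as ET

# Expected values for a machine-certificate deployment: Windows MACHINE store,
# macOS SYSTEM store, store override on, automatic certificate selection on.
EXPECTED = {
    "CertificateStore": "Machine",
    "CertificateStoreMac": "System",
    "CertificateStoreOverride": "true",
    "AutomaticCertSelection": "true",
}

def _local(tag):
    """Strip the XML namespace so {ns}Tag compares as Tag."""
    return tag.rsplit("}", 1)[-1]

def check_profile(xml_text):
    """Return a list of findings; an empty list means all four settings match."""
    root = ET.fromstring(xml_text)
    init = next((e for e in root.iter() if _local(e.tag) == "ClientInitialization"), None)
    if init is None:
        return ["ClientInitialization section missing"]
    seen = {_local(e.tag): (e.text or "").strip() for e in init}
    findings = []
    for name, want in EXPECTED.items():
        got = seen.get(name)
        if got is None:
            findings.append(f"{name} missing (expected {want})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings

# Constructed sample: override left off, Windows store set to All and automatic
# selection off, i.e. a profile exported before the fixes described above.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>System</CertificateStoreMac>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList><HostEntry><HostName>vpn.example.invalid</HostName></HostEntry></ServerList>
</AnyConnectProfile>
"""

if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(line)
```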