cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
48910
Views
15
Helpful
34
Comments
Richard Lucht
Level 1
Level 1

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.

Comments
Steve Talbert
Level 1
Level 1
Does this only work with the on-premis or Cloud Azure service directly? We have a use case where we are using NPS to connect to Azure, and I can't figure out how to make this work in that instance.
LaminadT
Level 1
Level 1

I have followed this guide, but Azure MFA is still not functioning with ISE. When the Azure MFA server is removed from the process Authentication and Authorization happen successfully. When the Azure MFA server is part of the process Authentication fails immediately. 

jmhouse96
Level 1
Level 1
I just came across this after finally getting 2FA to work with ISE and PingID. Here is the issue I am being asked to try and figure out. If the user has the application and does not swipe up in time you can see the one time code, can I get the VPN session to prompt for that code if the application swipe does not happen in a set amount of time? When I use TACACS with this solution and I do not swipe up in time, I can open the app and get the code and it is accepted. I just never get this prompt on VPN and I am unsure how or what to do in order to get this prompt.
PearlAdkins3
Level 1
Level 1

@McDVOICE wrote:

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.


When the Azure MFA server is removed from the process Authentication and Authorization happen successfully. When the Azure MFA server is part of the process Authentication fails immediately. 

Richard Lucht
Level 1
Level 1

We use the MFA on-prem we are moving to a off-prem server.  I have not tested it yet but we have a direct connection to where the off-prem is going to be.  

We do not use TACACS for device access, I have found that with this configuration it does not work.  I have not had time to work on that part. 

With Anyconnect if you use codes the ASA will ask for a code as well as Cisco devices that are being accessed with multifactor as long as you are using RADIUS and PAP_ASCII, in the ISE documentation the last time I looked MSCHAP V2 does not support an external radius server.

 

I am going to change the email address I use for these because it is an older one.  If you guys could show me how you have your MFA server configured and what protocol you are using (TACACS or RADIUS) that may help.  I will take that info and update the document.  

tebogo.pholo1
Level 1
Level 1

Hi Richard,

 

Have you managed to test integration of ISE and Cloud Azure MFA? We have a solution we would like to test and it involves ASA, ISE 2.4, Anyconnect and Cloud Azure.

 

Thanks

Richard Lucht
Level 1
Level 1

Hi tebogo pholo1, We currently use an on prem MFA. We are moving to a Cloud Azure MFA but we have a direct connect so it should just be us pointing to the new server IPs.  Our cloud MFA server is going to be built just like our on prem MFA server.  When we do make that change I can update this and let you know how it went.  We were going to test it before the whole Covid 19 thing.  The way I test the MFA servers is with a test ISE appliance and some other devices like an ASA or switch and have it directly to the MFA server.

VanessaW
Level 1
Level 1

@Richard Lucht wrote:

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.


Hi Richard,

 

Have you tested your ISE with cloud Azure MFA yet?  we're also investigating this setting.  However, Cisco rep told us that ISE can't send 2nd authentication request to Cloud Azure MFA.  look forward to your response.

 

Thanks,

Vanessa

Richard Lucht
Level 1
Level 1

We just setup the new cloud Azure connection.  Right now we are going over fail over testing with the 2 servers.  We are experiencing some issues during the fail over.  We are adjusting our timers to see if we can get this to work properly.  I will provided some documentation on the setup.  On the ISE side I just set the servers up as another RADIUS Token Server.

VanessaW
Level 1
Level 1

Hi Richard,

 

Do you have a virtual server at Azure cloud side which does MFA?  Or do you use MFA service at Azure cloud?

 

We're using Azure MFA service, it seems that we can't set up it as another Radius Token server on ISE.

 

Thanks,

Vanessa

suschoud
Cisco Employee
Cisco Employee

Hi @Richard Lucht ,

 

How did you go with Azure cloud MFA? Could you suggest if there are any updates to the provided setps listed in PDF.

Richard Lucht
Level 1
Level 1

Hi @suschoud 

I really need to check my settings here I am not getting emails on comments.  Our testing went well we had to adjust our timers on the ASA and ISE.  We will be moving to the Azure Cloud MFA soon. 

atifsr
Level 1
Level 1

Hi @Richard Lucht , We have a similar situation and want to integrate ISE 2.4 with Microsoft Cloud Azure for 2fa authentication. Did you manage to get this working in your environment? If yes can you please advise how did you get this working

 

 

DMel
Level 1
Level 1

I know this is an older post, but I too am curious about getting Anyconnect connecting to ASA (soon to be FTD/Secure Firewall) authenticating through ISE using Azure Cloud MFA.

Most things I have read up to know say that you configure the ASA to do the actual AzureMFA call, and let ISE do the authorization piece.

Which itself, seems to be ok, however, my concern is that we use ISE-PIC PxGrid to also coordinate user to IP mapping for FMC based URL filtering. So if ISE isn't doing the actual RADIUS authentication for users (in this specific case VPN users) how does ISE/FMC track that mapping?

Richard Lucht
Level 1
Level 1

Ok so my only experience with what you are trying to achieve is that the authentication in ISE will handle the multifactor.  I kept it off the ASA.  

I did integrate FortiManager to ISE using PXGrid and then associate the user to a SGT.  Those tags then can be populated in the FortiManager to tie usernames to IPs.  That is where we could use those tags as source rules in the FortiManager instead of IP addresses.  This has been some time since I have been able to work on this.  

Authentication rules has the call out to the MFA radius server and then the Authorization rule assigned the SGT.  SGT are populated in Forti firewalls through fortimanager and rules can be made.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: