AnyConnect and Win10 caching credentials and SSO with Microsoft MFA

MS-JK (Level 1)

Hi team,

Trying to find some validation/documentation around this solution:

ISE: 2.6

VPN: 4.5 & 4.7 AnyConnect with ISE Posture/Compliance module

MFA: Microsoft's MFA Authentication

System: Windows10
Desired solution outcome A)

The user will log in to the Windows 10 PC using AD credentials and Microsoft's MFA. On successful login, initiate the VPN AnyConnect client to automatically use the AD credentials entered to log in to the PC and automatically log in / initiate the VPN and its Posture modules (currently done via the compliance module using ISE). Basically an SSO solution.

Desired solution outcome B)

The computer boots up and AnyConnect 4.7 initiates a VPN Management Tunnel (feature of 4.7) connection to HQ and connects to AD. At the same time, while the system is connected via the Management Tunnel, it may be contacted by SCCM and other tools on HQ's management network, and system/application patches can be pushed to the PC as needed. At some point the user will LOG IN to the PC using AD credentials and Microsoft's MFA. When this happens, the VPN Management Tunnel is disconnected and the AnyConnect user connection (again with cached credentials) (single sign-on) is initiated and auto-connected, this time as USER, to HQ's VPN.

Looking for validation, issues, challenges and support for these outcomes.
Appreciate your feedback!
7 Replies

Hi,
If you are using MFA then surely you cannot single sign-on, as you will always be prompted for authentication? If you want SSO then you could use user certificates; then there would be no authentication prompt.

You can achieve outcome B; the management tunnel can only use certificates, so the computer can establish a VPN and connect to SCCM to download updates.

HTH

Hey RJI

To clarify for A): AD+MFA would ONLY be used for the Win10 login. Then for the user VPN, the user would ONLY use AD login credentials, and hopefully this would happen automatically and in the background using the AD credentials the user used to log in.

Ok, so MFA is only for logging on to the laptop itself.

Regardless, you cannot single sign-on using AD credentials to an AnyConnect VPN; you'd have to use user certificates, therefore the VPN would establish without user interaction.

HTH

OK, so no SSO with AD credentials is supported by AnyConnect VPN (even later/current versions).

Q: Assuming you're talking about a USER certificate, not a machine cert, for the user-initiated auto-connect VPN (and then using a machine-type cert for the VPN Management Tunnel feature).

Any possible FUTURE known versions or any other modules that would support caching of AD credentials and re-using them as SSO for VPN?

Thanks.

Yes, I am referring to a User certificate for the logging into the VPN. A machine certificate would still be required for the management tunnel.

No, I am not aware there is planned SSO for AnyConnect VPN. I imagine there is limited demand, as most organisations prefer to prompt users to explicitly authenticate to the VPN, ideally with 2FA when connecting remotely.

HTH
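An added pre-flight check for the certificate-based design in the reply above (a user certificate in the user's personal store for the user tunnel, a machine certificate in the machine store for the management tunnel). This is example code written for this page, not Cisco's code or anything the posters supplied, and it assumes, which the thread does not state, that the headend requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2) on both certificates and that the private key must be present on the endpoint. It reports what AnyConnect would have to choose from on a given Windows 10 machine before any profile is pushed.

```powershell
# Added example (not from the thread): enumerate certificates that could serve
# AnyConnect's user tunnel (CurrentUser\My) and management tunnel (LocalMachine\My).
# Assumption: the VPN headend expects the Client Authentication EKU and a private key.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (assumed headend requirement)

function Get-VpnCandidateCert {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Store,

        # Warn early: a cert expiring within this window will break auto-connect soon.
        [int]$MinDaysRemaining = 14
    )

    $now = Get-Date
    Get-ChildItem -Path "Cert:\$Store\My" |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter  -gt $now.AddDays($MinDaysRemaining) -and
            # EnhancedKeyUsageList is added by the Cert: provider; filter on the OID.
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter, @{ n = 'Store'; e = { $Store } }
}

$userCerts    = @(Get-VpnCandidateCert -Store CurrentUser)
$machineCerts = @(Get-VpnCandidateCert -Store LocalMachine)

# Each missing piece maps to a failure mode discussed in the thread.
if ($userCerts.Count -eq 0) {
    Write-Warning 'No usable user certificate: the user tunnel will prompt or fail instead of auto-connecting.'
}
if ($machineCerts.Count -eq 0) {
    Write-Warning 'No usable machine certificate: the management tunnel cannot authenticate before logon.'
}
if ($userCerts.Count -gt 1) {
    Write-Warning "Multiple user certificates qualify ($($userCerts.Count)); narrow the selection in the client profile so the user is not prompted to pick one."
}

$userCerts + $machineCerts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the private-key check on LocalMachine\My is reliable. If more than one user certificate qualifies, constrain the choice with the profile's certificate-matching rules rather than relying on the client to guess, otherwise the "no interaction" goal of the user tunnel is lost.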

Awesome, and one very last thing, as I do not see it referenced in the Always-On solution. Does the Always-On / auto-connect solution affect ISE Posture and its compliance/posture module at all? Or business as usual: AnyConnect starts using the user SSL cert and then posture happens next.

I would assume that IF the user fails posture with Always-On in place, it would LOOP forever trying to VPN?

No difference: the user will authenticate, posture will run, and if compliant, full access is granted.

If posture fails, the user is non-compliant. If a device is found to be non-compliant, the user would just stay in the non-compliant state until it becomes compliant by running remediation. The VPN wouldn't drop; the ISE Posture agent in the background would re-run.
Check out this ISE Posture guide for more information.
HTH
