Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1285
Views
0
Helpful
3
Replies

Anyconnect static ip address with Azure MFA

luckymike33
Level 1
Level 1

‎06-06-2019 10:11 AM

Hi, 

 

Does anyone have any idea how to configure Anyconnect to obtain a static ip address when using an MFA app like Azure MFA. At the moment I have an ASA pointed towards a Microsoft NPS server with the Azure MFA extension. I have configured each user with a static ip address under the dial in tab. Without the MFA authentication, i.e. just authenticating against AD, the attributes can be passed down from the NPS server towards the ASA, but as soon as you enable the Azure MFA in the NPS - the attributes stop being passed down. 

 

I have also tried pointing the ASA at an ACS, which is configured to act as a Radius proxy, which then queries the NPS/MFA setup, with an identical user account also created in the ACS and a static ip address configured under each user account. But this fails too - due to 'Radius client encountering an error during processing flow'. 

 

I am now beginning to wonder if it is at all possible to configure a static ip address alongside a MFA solution, whether that is Azure/Duo etc. Can anyone help in anyway on this?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Mohammed al Baqari
Level 11
Level 11

‎06-07-2019 02:26 AM

I had similar problem but with ISE instead of NPS and fixed it with the
following:

- On ASA configured aaa authentication for anyconnect to point to MFA proxy
server (MFA frond-end)
- On ASA configured ISE as authorization server only.

This way the users authenticate with AD/MFA (with MS MFA App) and after
successful authentication, ISE with perform authorisation and provides the
IP address, DACL, AnyConnect mode (IKEv2 or SSL), etc.
0 Helpful

Pablo
Cisco Employee
Cisco Employee

‎06-07-2019 05:43 PM

If you're using OATH or SMS for the 2FA challenge then you're hitting a limitation with the MFA NPS extension"

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/1908fdad-51ba-46e3-ad51-a59c4f686c3e/anyconnect-client-using-nps-extension-with-sms-not-sending-avpair?forum=WindowsAzureAD

I've seen this AV pairs returned just fine with the App verification/Phone call.

HTH.

0 Helpful

ShenzoWu03955
Level 1
Level 1

‎02-24-2020 03:15 PM

Hi

 

Were you able to get to the bottom of this?

0 Helpful
Customers Also Viewed These Support Documents