Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
0
Replies

seperate Azure MFA policies for SSL VPN and AnyConnect

philip moore
Level 1
Level 1

‎10-12-2019 06:12 AM - edited ‎02-21-2020 09:46 PM

Dear Community

We are currently using Azure Cloud MFA (without NPS) to authenticate clients for SSL VPN. Its working great, and much better than paying for & maintaining RSA SecurID (token, oda, RSA-AA). Would highly recommend it for any current O365 customer as is essentially free, included with your MS subscription,

We would like to enable the same service to replace Anyconnect authentication. This service is currently using radius with RSA Tokens, with various group policies configured on ASA for different sets of customers. The Anyconnect group policy and SSL VPN is on the same ASA cluster.

Question: is it possible to have separate policies for SSL VPN and Anyconnect clients? The idea would be to have different groups of users defined on Azure AD as follows:

- AD Group A for SSL VPN

- AD Group B for Anyconnect client tunnel group X

- AD Group C for Anyconnect client tunnel group Y

It it possible to achieve this separation?

I got confused as you can only define a single SAML IDP under webvpn.

Has anyone tried something similar? and could share tips on how to configure?

 

Thanks,

Phil

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents