Trying to find some validation/documentation around this solution:
VPN: 4.5&4.7 AnyConnect with ISE Posture/Compliance module
MFA: Microsoft's MFA Authentication
Desired solution outcome A)
User will login into windows10 PC using AD credentials and Microsoft's MFA. When successful login - initiate VPN AnyConnect client to automatically use the AD credentials entered to login into the PC and automatically login / initiate VPN and its Posture modules (currently done via compliance module using ISE). Basically SSO solution.
Desired solution outcome B)
Computer boots up and AnyConnect 4.7 initiates VPN Management Tunnel (feature of 4.7) connection to HQ and connects to AD. At the same time while system is connected via Management Tunnel, it may contacted by SCCM and other tools on the HQs management network and system/application patches can be pushed to PC as needed. At some point user will LOGIN to the PC using AD credentials and Microsoft's MFA. When this happens - then the VPN Management Tunnel is disconnected and AnyConnect user connection (again with cached credentials) (Single-Sign-ON) is initiated and auto connected this time as USER to HQ's VPN.
Looking for validation, issues, challenges and support for these outcomes.
Appreciate your feedback!
Solved! Go to Solution.
To clarify for A) AD+MFA would ONLY be used for WIN10 Login. Then for the user VPN - user would then ONLY use AD login credentials and hopefully this would happen automatically and in background using the AD credentials user used to login.
OK so no SSO with AD credentials is supported by AnyConnect VPN (even later/current versions).
Q: Assuming - you're talking about USER certificate not machine cert for user initiated auto connect VPN (and then using machine type cert for the VPN - Management Tunnel feature).
Any possible FUTURE known versions or adding any other modules hat would support caching of AD credentials and re-using it as SSO for VPN?
Awesome - and very last thing as I do not see it referenced in Always-ON solution. Does the Always-ON / autoconnect solution effects ISE Posture and its compliance/posture module at all? Or business as usual, AnyConnect starts using user SSL cert and then posture happens next.
I would assume that IF user fails posture with always-ON in place, it would LOOP for ever trying to VPN?
No difference, user will authenticate, posture will run if compliant full access granted.
If posture fails, the user is non-compliant. If a device is found to be non-compliant, the user would just stay in the non-compliant state until it becomes compliant by running remediation. The VPN wouldn't drop the ISE Posture agent in the background would re-run.
Check out this ISE Posture guide for more information.