Anyconnect can integrate cisco ISE + O365

jewfcb001
Level 4

Hi All,

I tried to find a solution for integrating Cisco AnyConnect with Cisco ISE and O365 but could not find one. The solution I found on the Cisco site is Cisco Duo integrated with O365 instead of ISE. I would like to confirm:

Can a solution with Cisco ASA and AnyConnect VPN be integrated as in the picture below or not?

duo and ise.png

8 Replies

balaji.bandi
Hall of Fame

That is a valid design. What you would need to do is configure ISE with Duo to relay the authentication requests to Duo, which will in turn be integrated with your Azure AD.

@Aref Alsouqi  

I would like to change some requirements. I have a small question.

Can AnyConnect integrate with Microsoft Authenticator + Azure AD or not?

Yes, AnyConnect can be integrated with Office 365 SAML. Regarding the authenticator app, that is not an AnyConnect part; that is how you configure the users for multi-factor authentication on Azure. If you allow them to be enrolled with the authenticator app, then they can go through the enrolment and use it to approve the AnyConnect authentication requests.

@Aref Alsouqi 

Thank you for the information. I think that scenario needs configuration on the ASA firewall and Azure AD.
If I need to configure a separate group-policy on the firewall from the Azure AD group / ISE.

My scenario is AnyConnect + Azure AD for authentication and MFA, and Cisco ISE does authorization or something to support this scenario.

Can I do this scenario?

Yes you can do that, however, given you have ISE on your deployment I would recommend to use ISE for both authentication and authorization. In that case you will integrate ISE with Azure MFA, and if the authentication passes the session will be authorized. The traffic flow would look like this:

- AnyConnect tries to connect to the ASA

- The ASA relays the authentication request to ISE

- ISE relays the authentication request to MFA

- MFA sends the push to the user's mobile device

- The user approves the push

- ISE gets the "ok" from MFA

- ISE sends a message to the ASA stating the session is good to go

- The ASA creates the session for AnyConnect

 

@Aref Alsouqi 

Thank you for the information. But the customer needs direct integration from the ASA to Microsoft Authenticator.

I think we need SAML integration from the ASA to Azure AD, and to use ISE for authorization because we need Cisco ISE in the solution. Am I correct?

Yes, you are correct. You can integrate the ASA with Azure/SAML and once the authentication passes, the ASA will reach out to ISE for the authorization.
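
An added ASA configuration fragment for the design confirmed in the last reply (SAML authentication against Azure AD, authorization by ISE); it is not from the thread or from any participant. The tenant ID, hostnames, trustpoint names, tunnel-group name, server-group name, interface name and IP address are placeholders, and it assumes the certificates, address pool and group policies already exist.

```text
! Added example: every name, address and <...> value below is a placeholder.
!
! ISE as a RADIUS server group used for authorization only
! (no password is sent; the ASA passes the username from the SAML login)
aaa-server ISE protocol radius
 authorize-only
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Azure AD as the SAML identity provider
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-CERT
  trustpoint sp ASA-IDENTITY-CERT
!
! Connection profile: authenticate with SAML, then authorize against ISE
tunnel-group AC-SAML type remote-access
tunnel-group AC-SAML general-attributes
 authorization-server-group ISE
 accounting-server-group ISE
tunnel-group AC-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias AC-SAML enable
```

With this split, MFA (including Microsoft Authenticator) is enforced by Azure AD during the SAML sign-in, and ISE only returns authorization attributes such as a group policy or downloadable ACL for the already-authenticated user.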