Re: AnyConnect RA VPN Using SAML Authentication and ISE Authorization

paynewj · ‎03-22-2022

I'm in the process of configuring a new VPN appliance and have the following set up so far:

FMC managing FTD 2110 (both running 7.0.1)
One connection profile using SAML authentication + MFA via Microsoft Authenticator app
- This is currently working and is being used to establish a VPN connection using personal devices.
A second connection profile using SAML authentication + MFA via Microsoft Authenticator app and ISE authorization
- Would like to use this one when connecting to the VPN using a corporate-owned device

We would like ISE to handle posture checking and use it to identify corporate devices via machine certificate. The first connection profile/tunnel group that only uses SAML authentication is working well. When you launch AnyConnect, the prompt that allows you to choose the connection profile appears behind the embedded browser that pops up with our ADFS login prompt. When the second connection profile is selected, the embedded browser relaunches, allows me to input my credentials and I receive a prompt in the Microsoft Authenticator app to approve the sign-in attempt. After approving, I receive the following error message in the embedded AnyConnect browser: Potential CSRF attack detected

The SAML debug on the FTD show the following: [SAML] consume_assertion: assertion audience is invalid

Is the setup that I described above possible? Is there a way for one profile to use only SAML authentication and the other to use SAML authentication and ISE for authorization only? I haven't had any luck finding documentation on how to approach accomplishing this.

Milos_Jovanovic · ‎03-23-2022

Hi @paynewj,

Yes, this scenario should be possible.

For the first group, in which you are using only SAML and Azure integration, should work out of the box, as soon as you input credentials. Whether you are requesting some additional conditions to be completed, you control under COnditional Access Policy on Azure side.

Second scenario is also a standard one, and I've used it multiple times. Authentication, both username and password (in case SSO is still not done on this device, thus prompting for credentials) along with MFA, are again controlled on Azure Conditional Access Policy. You could add another condition in this policy and to prompt for Managed Devices, which should diferentiate your corporate devices from non-corporate (pre-requisite is that corporate deviecs are enrolled in Azure). Upon successfull authntication, authorization against ISE must be done, before permitting access to VPN. During the authorization phase, you can do posture assessment with numerous conditions in policy.

However, you are facing an error on the authentication phase, thus not getting to the authorization phase at all. By doing a quick search, I found this thread, where people are describing same issue, and someone is mentioning workaround, so please try that.

BR,

Milos

paynewj · ‎04-04-2022

Thank you for the reply, @Milos_Jovanovic .

For the first group, in which you are using only SAML and Azure integration, should work out of the box, as soon as you input credentials. Whether you are requesting some additional conditions to be completed, you control under COnditional Access Policy on Azure side.

This did work perfectly right away, but, to my knowledge, nothing was done in Azure. It was all configured on our on-prem 2019 ADFS server.

Second scenario is also a standard one, and I've used it multiple times. Authentication, both username and password (in case SSO is still not done on this device, thus prompting for credentials) along with MFA, are again controlled on Azure Conditional Access Policy. You could add another condition in this policy and to prompt for Managed Devices, which should diferentiate your corporate devices from non-corporate (pre-requisite is that corporate deviecs are enrolled in Azure). Upon successfull authntication, authorization against ISE must be done, before permitting access to VPN. During the authorization phase, you can do posture assessment with numerous conditions in policy.
However, you are facing an error on the authentication phase, thus not getting to the authorization phase at all. By doing a quick search, I found this thread, where people are describing same issue, and someone is mentioning workaround, so please try that.

Correct. I can't seem to get past the authentication phase. Again, all that was done was create a relying party trust on our ADFS server and then populate it with the SAML XML data that I exported from our 2110 appliance.

paynewj · ‎04-04-2022

Our current configuration just leverages the Azure MFA adapter that's integrated into ADFS 2019.