03-22-2022 04:41 PM
I'm in the process of configuring a new VPN appliance and have the following set up so far:
We would like ISE to handle posture checking and use it to identify corporate devices via machine certificate. The first connection profile/tunnel group that only uses SAML authentication is working well. When you launch AnyConnect, the prompt that allows you to choose the connection profile appears behind the embedded browser that pops up with our ADFS login prompt. When the second connection profile is selected, the embedded browser relaunches, allows me to input my credentials and I receive a prompt in the Microsoft Authenticator app to approve the sign-in attempt. After approving, I receive the following error message in the embedded AnyConnect browser: Potential CSRF attack detected
The SAML debug on the FTD shows the following: [SAML] consume_assertion: assertion audience is invalid
Is the setup that I described above possible? Is there a way for one profile to use only SAML authentication and the other to use SAML authentication and ISE for authorization only? I haven't had any luck finding documentation on how to approach accomplishing this.
03-23-2022 02:56 PM
Hi @paynewj,
Yes, this scenario should be possible.
The first group, in which you are using only SAML and Azure integration, should work out of the box as soon as you input credentials. Whether you are requesting some additional conditions to be completed, you control under Conditional Access Policy on the Azure side.
The second scenario is also a standard one, and I've used it multiple times. Authentication, both username and password (in case SSO is still not done on this device, thus prompting for credentials) along with MFA, are again controlled on the Azure Conditional Access Policy. You could add another condition in this policy to prompt for Managed Devices, which should differentiate your corporate devices from non-corporate (the pre-requisite is that corporate devices are enrolled in Azure). Upon successful authentication, authorization against ISE must be done before permitting access to the VPN. During the authorization phase, you can do posture assessment with numerous conditions in policy.
However, you are facing an error in the authentication phase, thus not getting to the authorization phase at all. By doing a quick search, I found this thread, where people are describing the same issue, and someone is mentioning a workaround, so please try that.
BR,
Milos
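The FTD error quoted above comes from the audience check every SAML service provider performs: the Audience in the assertion's AudienceRestriction must equal the SP entity ID of the tunnel group consuming it, and each tunnel group has its own entity ID. The following is an added example, not code from the thread or from Cisco; the hostnames, tunnel-group names and the per-tunnel-group entity ID format are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an ADFS response whose assertion is scoped to the
# SP entity ID of the first (SAML-only) tunnel group.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>http://adfs.example.test/adfs/services/trust</saml2:Issuer>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://vpn.example.test/saml/sp/metadata/SAML-Only</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def sp_entity_id(vpn_fqdn: str, tunnel_group: str) -> str:
    """Entity ID advertised per tunnel group (assumed ASA/FTD metadata URL format)."""
    return f"https://{vpn_fqdn}/saml/sp/metadata/{tunnel_group}"


def assertion_audiences(response_xml: str) -> List[str]:
    """Collect every Audience value carried in the assertion's AudienceRestriction."""
    root = ET.fromstring(response_xml)
    nodes = root.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)
    return [n.text.strip() for n in nodes if n.text]


def check_audience(response_xml: str, expected_entity_id: str) -> Tuple[bool, str]:
    """Mirror the SP-side audience check: the tunnel group that received the
    response must be named as an audience, otherwise the assertion is rejected."""
    audiences = assertion_audiences(response_xml)
    if not audiences:
        return False, "assertion carries no AudienceRestriction"
    if expected_entity_id in audiences:
        return True, "audience matches"
    return False, f"assertion audience is invalid: got {audiences}, expected {expected_entity_id}"


if __name__ == "__main__":
    for group in ("SAML-Only", "SAML-ISE"):
        print(group, check_audience(SAMPLE_RESPONSE, sp_entity_id("vpn.example.test", group)))
```

Comparing the Audience in the IdP response with each tunnel group's entity ID is a quick way to confirm whether ADFS is issuing the assertion for the profile that actually received the login.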
04-04-2022 11:44 AM
Thank you for the reply, @Milos_Jovanovic .
The first group, in which you are using only SAML and Azure integration, should work out of the box as soon as you input credentials. Whether you are requesting some additional conditions to be completed, you control under Conditional Access Policy on the Azure side.
This did work perfectly right away, but, to my knowledge, nothing was done in Azure. It was all configured on our on-prem 2019 ADFS server.
The second scenario is also a standard one, and I've used it multiple times. Authentication, both username and password (in case SSO is still not done on this device, thus prompting for credentials) along with MFA, are again controlled on the Azure Conditional Access Policy. You could add another condition in this policy to prompt for Managed Devices, which should differentiate your corporate devices from non-corporate (the pre-requisite is that corporate devices are enrolled in Azure). Upon successful authentication, authorization against ISE must be done before permitting access to the VPN. During the authorization phase, you can do posture assessment with numerous conditions in policy.
However, you are facing an error in the authentication phase, thus not getting to the authorization phase at all. By doing a quick search, I found this thread, where people are describing the same issue, and someone is mentioning a workaround, so please try that.
Correct. I can't seem to get past the authentication phase. Again, all that was done was create a relying party trust on our ADFS server and then populate it with the SAML XML data that I exported from our 2110 appliance.
04-04-2022 12:24 PM
Our current configuration just leverages the Azure MFA adapter that's integrated into ADFS 2019.