04-03-2019 01:08 PM - edited 02-21-2020 09:36 PM
Hi all,
I currently use Anyconnect SSL VPN (4.5) connecting to an ASA running 9.X code.
I am transitioning to Azure MFA, and use ISE as well for authentication.
So the thought is, when logging into the VPN, the ASA would send a radius request to ISE (username and password).
ISE would then send a radius request to the Azure MFA server, which does the authentication of the username/password and 2-factor. I have this working assuming the user responds to the 2-factor.
I stumbled upon this scenario. If the user does NOT respond to the 2-factor and just lets it hang, the auth times out. And I can cancel out of the login prompt.
However, the ASA continues to send access-requests, even after ISE sends an access-reject. This results in continuous 2-factor requests.
Any ideas?
ASA to ISE is set to 65 second timeout.
ISE to Azure MFA is set to 60 second timeout.
aaa-server TEST protocol radius
 interim-accounting-update periodic 3
 max-failed-attempts 1
 merge-dacl before-avpair
 dynamic-authorization
aaa-server TEST (inside) host 10.X.X.1
 timeout 65
 key *****
aaa-server TEST (inside) host 10.x.x.2
 timeout 65
 key *****
Any ideas would help!
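One way to see the symptom described above from the RADIUS server's side is to look for a NAS that keeps sending Access-Requests after it has already been given an Access-Reject, since each such request is another MFA prompt for the user. This is an added example, not code from the thread; the log format is a constructed simplification and is not real ISE or ASA syslog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified format (not real ISE or ASA output).
SAMPLE_LOG = """\
2019-04-03 13:00:00 RADIUS Access-Request user=alice nas=10.0.0.1
2019-04-03 13:00:30 RADIUS Access-Request user=bob nas=10.0.0.1
2019-04-03 13:00:45 RADIUS Access-Accept user=bob nas=10.0.0.1
2019-04-03 13:01:00 RADIUS Access-Reject user=alice nas=10.0.0.1
2019-04-03 13:01:05 RADIUS Access-Request user=alice nas=10.0.0.1
2019-04-03 13:02:05 RADIUS Access-Reject user=alice nas=10.0.0.1
2019-04-03 13:02:10 RADIUS Access-Request user=alice nas=10.0.0.1
2019-04-03 13:03:10 RADIUS Access-Reject user=alice nas=10.0.0.1
2019-04-03 13:03:15 RADIUS Access-Request user=alice nas=10.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) RADIUS "
    r"(?P<kind>Access-Request|Access-Accept|Access-Reject) "
    r"user=(?P<user>\S+) nas=(?P<nas>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, kind, user, nas) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["kind"], m["user"], m["nas"])

def find_retry_storms(events, window=timedelta(minutes=5), threshold=3):
    """Return {(user, nas): count} for sessions where the NAS sent at least
    `threshold` Access-Requests within `window` after being given a Reject.
    Each of those requests means one more 2-factor prompt for the user."""
    recent = defaultdict(deque)   # (user, nas) -> timestamps of post-reject requests
    rejected = set()              # (user, nas) pairs whose last answer was a Reject
    storms = {}
    for ts, kind, user, nas in sorted(events):
        key = (user, nas)
        if kind == "Access-Reject":
            rejected.add(key)
        elif kind == "Access-Accept":
            rejected.discard(key)
        elif key in rejected:     # an Access-Request that follows a Reject
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # keep only requests inside the sliding window
            if len(q) >= threshold:
                storms[key] = len(q)
    return storms
```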
10-22-2020 08:46 AM
Can you please let us know how you are directly connecting to Azure Cloud for MFA using Cisco ISE and going through the NPS server?
07-08-2020 02:01 PM
I found that in our AnyConnect Client Profile, even though on the Preferences 2 tab it was set to 60 seconds for authentication timeout, it was acting as if it were the default (12 sec, I think). I changed it to 90 seconds and now we have plenty of time to respond to the call.
10-29-2020 11:58 AM
Is there a reason not to do the authentication from the ASA directly to Azure AD and then do the authorization in ISE? This is the setup I have at the moment and I haven't had any issues.
I explained the steps in my blog post here: https://packetswitch.co.uk/cisco-anyconnect-with-azure-ad/
10-29-2020 02:22 PM
I think it's because nowadays customers most probably have a mix of ASAs and FPRs, or FPRs only, and Firepower doesn't support SAML yet.