Anyconnect to ASA to ISE to Azure MFA - Radius retry issue

Ralphy006
Level 1

Hi all,
I currently use Anyconnect SSL VPN (4.5) connecting to an ASA running 9.X code.

I am transitioning to Azure MFA, and use ISE as well for authentication.

So the thought is, when logging into the VPN, the ASA would send a radius request to ISE (username and password).

ISE would then send a radius request to the Azure MFA server, which does the authentication of the username/password and 2-factor. I have this working assuming the user responds to the 2-factor.

I stumbled upon this scenario. If the user does NOT respond to the 2-factor and just lets it hang, the auth times out, and I can cancel out of the login prompt.

However, the ASA continues to send access-requests, even after ISE sends an access-reject. This results in continuous 2-factor requests.

Any ideas?

ASA to ISE is set to 65 second timeout.

ISE to Azure MFA is set to 60 second timeout.


aaa-server TEST protocol radius
interim-accounting-update periodic 3
max-failed-attempts 1
merge-dacl before-avpair
dynamic-authorization
aaa-server TEST (inside) host 10.X.X.1
timeout 65
key *****
aaa-server TEST (inside) host 10.x.x.2
timeout 65
key *****

Any ideas would help!
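The timeout chain the post describes (client, then ASA to ISE, then ISE to Azure MFA), as an added Python example that is not part of the original thread: it parses an ASA aaa-server block into a structure and flags any hop that gives up before the hop it is waiting on can answer, which is the condition under which one login turns into repeated upstream requests and repeated MFA prompts. The AnyConnect client-profile default of 12 seconds and the ASA host timeout default of 10 seconds are assumptions (the first taken from a reply below, the second from ASA documentation), and the 10.X.X.x addresses are the post's own redacted placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in ASA syntax, mirroring the aaa-server block in the post
# (one-space indentation as ASA shows subcommands; addresses are the post's placeholders).
ASA_CONFIG = """\
aaa-server TEST protocol radius
 interim-accounting-update periodic 3
 max-failed-attempts 1
 merge-dacl before-avpair
 dynamic-authorization
aaa-server TEST (inside) host 10.X.X.1
 timeout 65
 key *****
aaa-server TEST (inside) host 10.x.x.2
 timeout 65
 key *****
"""

ASA_DEFAULT_HOST_TIMEOUT = 10        # assumption: ASA default per-host timeout in seconds
ANYCONNECT_DEFAULT_AUTH_TIMEOUT = 12 # assumption: AnyConnect profile "Authentication Timeout" default


@dataclass
class RadiusGroup:
    name: str
    protocol: str = ""
    max_failed_attempts: int = 3                      # assumption: ASA default
    hosts: dict = field(default_factory=dict)         # host -> timeout in seconds


def parse_aaa_server(config: str) -> dict:
    """Parse 'aaa-server' stanzas into RadiusGroup objects keyed by group name."""
    groups = {}
    ctx_group, ctx_host = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            ctx_group = groups.setdefault(m.group(1), RadiusGroup(m.group(1)))
            ctx_group.protocol = m.group(2)
            ctx_host = None
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)$", line)
        if m:
            ctx_group = groups.setdefault(m.group(1), RadiusGroup(m.group(1)))
            ctx_host = m.group(3)
            ctx_group.hosts[ctx_host] = ASA_DEFAULT_HOST_TIMEOUT
            continue
        if ctx_group is None:
            continue                                  # subcommand outside any stanza
        m = re.match(r"max-failed-attempts (\d+)$", line)
        if m:
            ctx_group.max_failed_attempts = int(m.group(1))
        m = re.match(r"timeout (\d+)$", line)
        if m and ctx_host is not None:
            ctx_group.hosts[ctx_host] = int(m.group(1))
    return groups


def timeout_chain_issues(hops):
    """hops: ordered (name, seconds) pairs from the user outward; each hop waits on the next.
    Returns a description for every hop whose wait is shorter than the hop behind it:
    that hop abandons the request while the upstream one (and the MFA push) is still pending."""
    issues = []
    for (outer, t_out), (inner, t_in) in zip(hops, hops[1:]):
        if t_out < t_in:
            issues.append(f"{outer} ({t_out}s) gives up before {inner} ({t_in}s) can answer")
    return issues


def analyse_chain(config: str, client_timeout: int, ise_to_mfa_timeout: int, group: str = "TEST"):
    """Build the client -> ASA -> ISE -> MFA chain from the parsed config and check it."""
    grp = parse_aaa_server(config)[group]
    asa_timeout = max(grp.hosts.values())             # longest wait the ASA allows any host
    hops = [
        ("AnyConnect client", client_timeout),
        ("ASA->ISE", asa_timeout),
        ("ISE->Azure MFA", ise_to_mfa_timeout),
    ]
    return timeout_chain_issues(hops)


if __name__ == "__main__":
    # The post's values with the assumed client default: the client is the weak link.
    for issue in analyse_chain(ASA_CONFIG, ANYCONNECT_DEFAULT_AUTH_TIMEOUT, 60):
        print("issue:", issue)
    # With the client profile raised to 90 s, every hop outlasts the one behind it.
    print("after raising client timeout to 90s:", analyse_chain(ASA_CONFIG, 90, 60))
```

With the post's numbers the only flagged hop is the client one, which matches the later reply that raising the client profile's authentication timeout to 90 seconds resolved the repeated prompts; the same check applies to any other proxy chain (for example ISE with a longer MFA timeout than the ASA allows) by changing the hop values.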

19 Replies

Can you please let us know how you are directly connecting to Azure Cloud for MFA using Cisco ISE and going through the NPS server?

ISE doesn't support Azure AD yet.

**** please remember to rate useful posts

I found that in our AnyConnect Client Profile, even though on the Preferences 2 tab it was set to 60 seconds for authentication timeout, it was acting as if it were the default (12 sec I think). I changed it to 90 seconds and now we have plenty of time to respond to the call.

vsurresh
Level 1

Is there a reason not to do the authentication from ASA directly to Azure AD and then do the authorization in ISE? This is the setup I have at the moment and I haven't had any issues.

I explained the steps in my blog post here: https://packetswitch.co.uk/cisco-anyconnect-with-azure-ad/

I think it's because nowadays customers most probably have a mix of ASAs and FPRs, or FPRs only, and Firepower doesn't support SAML yet.