03-21-2024 12:50 AM
Hi guys,
so I have another problem. We implemented 2FA for AnyConnect VPN with Azure AD. All is working fine but there is one big problem. Users are not receiving custom settings by AD group. Like we had previously with RADIUS, we have many AD groups for AnyConnect which control settings like IP addresses, DNS, split/full tunneling etc. All of this is set up in FMC -> Objects -> VPN -> Group Policy. The Remote Access profile has some default policy assigned, DfltGrpPolicy, which has a dummy IP address, no DNS and full tunneling, because those settings are controlled by AD groups. But after implementing 2FA, there is only authentication by Azure AD; authorization for access or user VPN settings is not done. Those are statically set up in the Remote Access Profile policy. So is there any way to make this work again but with 2FA? I read about Azure AD Realm but I am not sure if this is the right solution.
Thanks in advance
03-21-2024 07:42 AM
Typically in such a situation we use a separate policy server for authorization. Authenticate with Azure AD / Entra ID and MFA and then authorize with a RADIUS server (like Cisco ISE) or use something like LDAP attribute mapping to assign users to a desired group-policy after authentication.
03-21-2024 07:51 AM
Thank you Marvin for the answer.
So we have set up RADIUS on a Windows Server machine with Network Policy Server. On FMC we have added a RADIUS server pointing to this Windows Server. Previously, before implementing 2FA, we had authentication also on RADIUS, the same as for authorization and accounting.
So I made a test. I kept the authentication server as SAML and I selected the authorization server as our RADIUS and of course the group policy as this default one which I mentioned before. But same issue. Instead of getting VPN settings like IP pool, DNS server, split/full tunneling from the group policy based on his group in AD, it used this default DfltGrpPolicy.
03-22-2024 12:36 AM
Have you checked the RADIUS server logs or a packet capture to confirm the incoming authorization requests and associated replies? A view of the actual request/reply traffic will usually highlight what might be wrong with the setup.
03-22-2024 03:43 AM
I checked the RADIUS log and there are only entries about connecting to the domain controller. There are no errors or information regarding authorization of VPN users. Can you please tell me how I can do this packet capture for RA-VPN to check replies and the path from login - authentication with 2FA - authorization with RADIUS - back to user?
03-24-2024 08:39 AM
I think I found a reason. In Remote Access, on the Advanced tab, we have selected "Use authorization server (Only for RADIUS or Realm)" but we have selected SAML for Azure MFA. And I think that's why it won't work. So is there any option to use an authorization server here to authorize users based on their AD group for access to resources and VPN settings?
03-24-2024 07:48 PM
Yes, as I had noted in my 21 March reply, you would use SAML only for Authentication and RADIUS only for Authorization.
03-24-2024 10:45 PM
Yes, I understand that. And I have selected the authentication method as SAML only, pointing to our Azure AD SAML app, and I also selected authorization to our RADIUS server, but it didn't work, like I wrote. But I noticed an option that says "Authorization server (only for RADIUS or Realm)". Screenshots attached. So as I understand it, the authorization server can only be used with the RADIUS or Realm auth method? Or am I wrong? If so, how can I "tell" the VPN to additionally authorize the user with RADIUS? Even though I have selected it in the RA_VPN Profile settings?
03-24-2024 10:54 PM
Also I checked the RADIUS logs and I don't see any information about user authorization. Only that RADIUS successfully connected to the domain controller and that's it.
03-26-2024 07:38 AM
The authorization server setting you showed should send a RADIUS Authorization request for any SAML-authenticated user who is using that connection profile. (Note the second setting you showed is only for IP Address Assignment.)
You can capture the traffic on your VPN headend to the RADIUS server using the packet capture troubleshooting tool on the firewall (or with Wireshark on the RADIUS server).
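Once you have that capture, the thing to check in each RADIUS Access-Accept is whether it actually carries a group-policy assignment. The parser below is an added example, not code from the thread or from Cisco; it assumes NPS is configured to return the IETF Class attribute (type 25) in the "OU=<group-policy name>" form, and the sample reply bytes are constructed inline (authenticator zeroed, no Message-Authenticator) rather than taken from a real capture.

```python
import struct

# RADIUS code and attribute numbers from RFC 2865
ACCESS_ACCEPT = 2
ATTR_CLASS = 25


def parse_radius(packet: bytes):
    """Parse a RADIUS packet into (code, identifier, [(attr_type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def group_policy_from_reply(packet: bytes):
    """Return the group-policy named by a Class 'OU=<name>' attribute in an
    Access-Accept, or None if the reply leaves the headend on its default policy."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == ATTR_CLASS and value.startswith(b"OU="):
            # A trailing ';' is tolerated, as in 'OU=name;'
            return value[3:].decode("ascii", "replace").split(";")[0]
    return None


def build_reply(code: int, ident: int, attrs) -> bytes:
    """Assemble a constructed RADIUS reply for testing (authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: one reply assigning a group-policy, one bare Access-Accept
REPLY_WITH_POLICY = build_reply(ACCESS_ACCEPT, 7, [(ATTR_CLASS, b"OU=VPN-Finance")])
REPLY_DEFAULT_ONLY = build_reply(ACCESS_ACCEPT, 8, [])
```

Feed the UDP payload of each reply from the capture into `group_policy_from_reply`; a `None` result for a user who should land in a specific group-policy points at the NPS network policy rather than at the FTD side.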
03-26-2024 08:50 AM
I will check packets. Also I noticed something when I wanted to enable the previous VPN profile with RADIUS, like we had previously. There is the same issue even though it is the same settings. No authorization via RADIUS, including IP assignment, DNS and full/split tunneling. So there is definitely something wrong with the RADIUS connection. Either it is some kind of bug, we have had a few of them recently, or really some issue with the RADIUS connection, even though I can ping without any issues from the FTD.