12-14-2022 12:28 AM
Hi,
We have had Cisco ASA AnyConnect with ISE as a RADIUS server and posturing for many years, which works fine. But now we have set up Microsoft Azure MFA AD with SAML authentication, and that also works, but we cannot use Cisco ISE AuthZ with posture anymore.
Can someone please help with how we can use ISE AuthZ for posturing in this scenario?
12-14-2022 02:31 AM
Hi @atifsr,
Yes, this is still possible. You need to configure ISE as authorize-only AAA server, and to use ISE as an authorization server (and accounting), next to using SAML for authentication.
In order to understand and implement authorize-only AAA server, please take a look at this post, and this one.
Kind regards,
Milos
12-15-2022 08:20 AM
Many thanks for your reply. I have created a policy and authorization profile in ISE, but in the authentication section what should I choose here? In the old setup we are using Active Directory, but after configuring SAML on the ASA, authentication is handled by Microsoft MFA.
This is the config I added on the ASA; is that correct? It is still not working for some reason.
tunnel-group VPNMFA type remote-access
tunnel-group VPNMFA general-attributes
authorization-server-group ISE
accounting-server-group ISE
12-15-2022 12:58 PM
With SAML+ISE authorization, it doesn't really matter what you put in the authentication part. If you configure your policy set properly, you can even put the "Deny" authentication profile, because this is an Authorize-only policy: authentication is done against the SSO server, so ISE doesn't care about the authentication part. But, because of this, you configure ISE as an authorize-only server, making ISE aware, too, that it should only do authorization (and accounting, for licensing purposes).
Kind regards,
Milos
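The following is an added, constructed ASA configuration illustrating the two answers above (SAML for authentication, ISE as an authorize-only authorization and accounting server); it is not config from the original posters. The tunnel-group name VPNMFA is taken from the thread; the server addresses, shared key, pool, group-policy, trustpoint names and the IdP entity ID are placeholders to be replaced with your own values.

```cisco
! --- RADIUS server group pointing at ISE, used ONLY for authorization + accounting ---
aaa-server ISE protocol radius
 authorize-only
 ! send interim accounting so ISE keeps the session (and licence) state current
 interim-accounting-update periodic 1
 ! allow ISE to push CoA after the posture assessment changes the result
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 ! placeholder key; use a long random shared secret in production
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! --- SAML identity provider (placeholder entity ID / URLs / trustpoints) ---
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
  trustpoint idp AZURE-IDP-TP
  trustpoint sp ASA-SP-TP
  no force re-authentication
  no signature

! --- Remote-access tunnel group: SAML authenticates, ISE authorizes and accounts ---
tunnel-group VPNMFA type remote-access
tunnel-group VPNMFA general-attributes
 address-pool VPN_POOL
 default-group-policy GP_VPN
 ! no authentication-server-group here: SAML handles authentication
 authorization-server-group ISE
 accounting-server-group ISE
 ! fail the connection if ISE does not return an authorization
 authorization-required
tunnel-group VPNMFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias VPNMFA enable
```

With `authorize-only` set on the server group, the ASA sends ISE a RADIUS Access-Request carrying Service-Type = Authorize-Only and no password, which is what the ISE policy set for this use case matches on; the user's SAML identity (UPN format, as noted later in the thread) is what arrives in the User-Name attribute. Verify with `show aaa-server ISE` that authorization and accounting requests are being counted, and check the ISE Live Logs for the Authorize-Only entries before troubleshooting the posture redirect itself.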
01-17-2023 05:20 AM
Hi Milos,
I have a client that needs this use case as well but needs to reference AD groups in the authz policies. My question is, how will ISE see the usernames being sent by the ASA once they authenticate using SAML? Will it see the sAMAccountName or the user.mail attribute?
The client has an AAD connector in place.
Thanks
02-06-2023 10:45 PM
Hi @gihernandezn91,
ISE will use UPN format of the username (basically email), as this is how SSO sees it.
Kind regards,
Milos