ASA Anyconnect SAML Azure AD MFA and ISE posture

atifsr
Level 1

Hi,

We have had Cisco ASA AnyConnect with ISE as a RADIUS server and posturing for many years, which works fine. But now we have set up Microsoft Azure AD MFA with SAML authentication, and that also works, but we cannot use Cisco ISE AuthZ with posture anymore.

Can someone please help with how we can use ISE AuthZ for posturing in this scenario?

5 Replies

Milos_Jovanovic
VIP Alumni

Hi @atifsr,

Yes, this is still possible. You need to configure ISE as an authorize-only AAA server, and to use ISE as an authorization server (and accounting) alongside SAML for authentication.

In order to understand and implement authorize-only AAA server, please take a look at this post, and this one.

Kind regards,

Milos

Hi @Milos_Jovanovic 

Many thanks for your reply. I have created a policy and an authorization profile in ISE, but in the authentication section what should I choose here? In the old setup we were using Active Directory, but after configuring SAML on the ASA, authentication is handled by Microsoft MFA.

This is the config I added on the ASA; is that correct? It is still not working for some reason.

tunnel-group VPNMFA type remote-access
tunnel-group VPNMFA general-attributes
authorization-server-group ISE
accounting-server-group ISE

(Attachments: ISE-1.png, ISE-2.png, ISE-3.png)

Milos_Jovanovic
VIP Alumni

With SAML + ISE authorization, it doesn't really matter what you put in the authentication part. If you configure your policy set properly, you can even put the "Deny" authentication profile, because this is an authorize-only policy: authentication is done against the SSO server, so ISE doesn't care about the authentication part. But because of this, you configure ISE as an authorize-only server, making ISE aware too that it should only do authorization (and accounting, for licensing purposes).

Kind regards,

Milos
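To make the two replies above concrete, here is an added example ASA configuration; it is not from the thread, the posters, or Cisco's documentation, and it only illustrates the pieces the replies describe: SAML authentication against Azure AD on the tunnel-group, with ISE defined as an authorize-only RADIUS server group used for authorization and accounting (plus dynamic authorization so ISE can change the session after a posture check). The interface name, server IP address, shared-secret placeholder, trustpoint names, address pool, group-policy name and the <tenant-id> placeholder are all assumptions; the Azure AD entity ID and sign-in URL follow the usual https://sts.windows.net/<tenant-id>/ and https://login.microsoftonline.com/<tenant-id>/saml2 forms.

```cisco
! Added example, not the original poster's configuration.
! All names, addresses and the <tenant-id> placeholder are assumptions.

! ISE as an authorize-only RADIUS group: the ASA sends an authorize-only
! request (username, no password) after SAML succeeds. dynamic-authorization
! allows ISE to send CoA, which posture flows rely on to move the session
! from the redirect/quarantine result to the compliant result.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Azure AD as SAML identity provider (entity ID and URLs are placeholders
! built from the standard Azure AD patterns).
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AzureAD-IdP
  trustpoint sp ASA-SP
  no force re-authentication

! Tunnel-group: authentication is SAML, while authorization and accounting
! go to ISE. authorization-required makes an ISE reject fatal to the login.
tunnel-group VPNMFA type remote-access
tunnel-group VPNMFA general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GP
 authorization-server-group ISE
 accounting-server-group ISE
 authorization-required
tunnel-group VPNMFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias VPNMFA enable
```

The part the original poster's snippet is missing is the `authorize-only` keyword on the RADIUS server group itself (together with `dynamic-authorization` for CoA); the tunnel-group lines alone only tell the ASA which group to ask, not that the request carries no credentials. On the ISE side, the authorization request arrives with the username in the form the SAML assertion produced, which is why the later reply notes that group lookups against AD see the UPN rather than sAMAccountName.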

Hi Milos,

I have a client that needs this use case as well, but needs to reference AD groups in the authz policies. My question is, how will ISE see the usernames being sent by the ASA once they authenticate using SAML? Will it see the sAMAccountName or the user.mail attribute?

The client has an AAD connector in place.

Thanks

Hi @gihernandezn91,

ISE will use the UPN format of the username (basically the email address), as this is how SSO sees it.

Kind regards,
Milos