ASA VPN with Azure SAML MFA LDAP Group Membership

zachartl
Level 1

Hello,

We just configured Azure SAML MFA for Anyconnect VPN Access and it works fine. We utilize access-lists based on Microsoft LDAP Group Membership. We're using LDAP authentication too. I'm not seeing our Azure MFA Access recognizing or utilizing the LDAP group we are placing Azure MFA members into. As a result, users authenticating fall into the DefaultGrpPolicy of the ASA. Has anyone been successful with getting this working?

ASA version 9.14

Thank you,

Terry

2 Replies

Marvin Rhoads
Hall of Fame

Normally you would either use an authorization server configured to use the LDAP server(s) or use Dynamic Access Policies (DAP) as described in more detail here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

Secondary authentication won't generally affect authorization result.
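To illustrate the first option in the reply above (an LDAP authorization server applied to a SAML-authenticated connection profile), here is an added example ASA configuration. It is not from the original post, the Cisco DAP guide linked above, or any Cisco documentation; every name in it (the LDAP server address, the DNs, the group-policy and ACL names, the tenant placeholder) is an assumption chosen for illustration, and the SAML/IdP section is abbreviated to the lines that matter for authorization.

```text
! --- LDAP attribute map: translate AD memberOf into an ASA group policy ---
! (assumed DN and group-policy names)
ldap attribute-map AD-GROUP-TO-GP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-MFA-Users,OU=Groups,DC=example,DC=com" GP-MFA-USERS
 map-value memberOf "CN=VPN-Password-Users,OU=Groups,DC=example,DC=com" GP-PASSWORD-USERS

! --- LDAP server group used for AUTHORIZATION only (authentication is SAML) ---
aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 ! Assumption: the Azure SAML NameID is the user's UPN, so the authorization
 ! lookup must search on userPrincipalName rather than sAMAccountName,
 ! otherwise the LDAP query returns no user and the memberOf mapping never fires.
 ldap-naming-attribute userPrincipalName
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP

! --- Group policies: the one users land in by default denies the session ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP-MFA-USERS internal
group-policy GP-MFA-USERS attributes
 vpn-filter value ACL-MFA-USERS
 vpn-simultaneous-logins 3

! --- SAML connection profile: SAML authenticates, LDAP authorizes ---
tunnel-group VPN-MFA type remote-access
tunnel-group VPN-MFA general-attributes
 authorization-server-group LDAP-AUTHZ
 authorization-required
 default-group-policy GP-NOACCESS
tunnel-group VPN-MFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias MFA enable
```

With this shape, a user who is in CN=VPN-MFA-Users is moved by the attribute map into GP-MFA-USERS and receives its vpn-filter, while anyone not matched by a map-value falls through to the profile's default group policy, which here is GP-NOACCESS with vpn-simultaneous-logins 0 and so is refused. That is also the lever for the group-change requirement described later in the thread: once a user is removed from the group that the password-based profile maps, the next logon on that profile lands in its deny-by-default policy rather than in DefaultGrpPolicy. The practical check after deploying it is `debug ldap 255` (or `test aaa-server authorization LDAP-AUTHZ`) against a known account, confirming that the user is found under the naming attribute you chose and that the memberOf value is being mapped.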

Good morning,

That is where we've ended up. We're utilizing an authorization server group within the Azure MFA VPN connection profile. We are also utilizing a DAP that looks for LDAP group membership + Azure MFA VPN connection profile. We haven't yet configured the connection profile to utilize the DefaultGrpPolicy (Default Group Policy setting) as we have with the other connection profiles. We think it will work when we set it; for now, we've set the connection profile as the Default Group Policy setting for that connection profile.

The customer wants the VPN users stripped of their username | password connection profile access once they've transitioned to the MFA connection profiles. This would have to be done by removing them from the LDAP group associated with the username | password connection profile and moving them to the LDAP group associated with the MFA connection profile, so we need something configured within the connection profile that can make those LDAP group membership distinctions.

Is there a way to configure something akin to this in SAML, i.e. Azure SAML authentication? It appears this is supported within the DAP configuration.

Thank you,

Terry