Azure MFA Anyconnect

Hi,

This is my situation: on the ASA, for AnyConnect remote-access authentication, I set up a tunnel-group to authenticate all users.
Then, in Active Directory, I have several groups which correspond to different group-policies in the ASA configuration, where, for example, one group-policy is defined only for admins and one for standard users.

I am recently trying to integrate Azure MFA with Cisco AnyConnect. I was trying to understand if it is possible to configure the tunnel-group on the Cisco ASA with both "authentication aaa certificate" (I already have this command on the ASA) and "authentication saml" for the Azure MFA, in order to have an authentication based on both the machine certificate and two-factor authentication via Azure's MFA.

All this because I want to integrate Azure MFA only for the group-policy of the administrators, without having to create two different tunnel-groups.

Has anyone already tried such a thing? I hope I have been clear enough.


Thanks

3 Replies

In summary,

I want to integrate Cisco AnyConnect with Azure MFA and have only one tunnel-group, but different MFA options for different group-policies based on Active Directory group membership.

For the purpose I can also use Cisco ISE.


Thanks

Milos_Jovanovic
VIP Alumni

Hi @danielesquaranti,

No, it is not possible to use SAML and certificate-based authentication at the same time, yet. You must create at least one more tunnel-group on which you'll enable SAML. Alternatively, you can change the authentication method on your production tunnel-group for admin users (just make sure everything works for you before you change anything).

If you want to have different options for MFA, you'll have to do that with different Conditional Access policies on the AAD side, and you can only attach one policy per Azure app, so you'll have to create multiple apps, which will correspond to different tunnel-groups.

You can use one tunnel-group and assign different group-policies per different user groups (via RADIUS and ISE).

BR,

Milos
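As an added illustration (not configuration from this thread or from Cisco), this is roughly how the two tunnel-groups described in the reply above look on the ASA: the existing certificate-plus-AAA tunnel-group kept for standard users, and a second, SAML-only tunnel-group for the admins. Tunnel-group, group-policy, pool, trustpoint names, the hostname and the Azure tenant ID are placeholders; the RADIUS server group is assumed to be ISE, which assigns the group-policy per AD group membership by returning the IETF Class attribute in the form OU=<group-policy-name>.

```cisco
! --- Existing tunnel-group for standard users: machine certificate + AAA (RADIUS to ISE) ---
! ISE returns Class = "OU=GP-USERS;" or "OU=GP-ADMINS;" based on the user's AD group,
! which overrides default-group-policy, so one tunnel-group can serve several group-policies.
tunnel-group USERS-VPN type remote-access
tunnel-group USERS-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 default-group-policy GP-USERS
tunnel-group USERS-VPN webvpn-attributes
 authentication aaa certificate
 group-alias Users enable

! --- Azure AD as SAML identity provider (one Azure enterprise app per tunnel-group) ---
! TENANT-ID-PLACEHOLDER and vpn.example.com are placeholders; the values come from the
! Azure enterprise application's SAML settings for this specific ASA.
webvpn
 saml idp https://sts.windows.net/TENANT-ID-PLACEHOLDER/
  url sign-in https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-CERT
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication

! --- Second tunnel-group, admins only: SAML is the sole authentication method ---
! "authentication saml" and "authentication aaa certificate" cannot coexist here,
! which is why a separate tunnel-group is needed. MFA is enforced by the Conditional
! Access policy attached to this app on the Azure side, not on the ASA.
tunnel-group ADMIN-VPN type remote-access
tunnel-group ADMIN-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ADMINS
tunnel-group ADMIN-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 group-alias Admins enable
```

The trustpoints hold the Azure IdP signing certificate and the ASA's own SP certificate, and the base-url must match the Reply URL registered in the Azure app, otherwise the assertion is rejected.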

msegersvard
Level 1

As a simple rule: you need a unique tunnel-group for each authentication method you want to implement.

If you want to check the machine certificate and Azure MFA, you can't use SAML. I would use RADIUS to a Windows NPS server that would handle the Azure MFA part.