cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
898
Views
5
Helpful
1
Replies

Cisco AnyConnect Authentication with SAML MFA and Authorization

neteng2323
Level 1
Level 1

We are in the planning phase of rolling out Azure MFA for Cisco AnyConnect.  Today we use Aruba Clearpass as the AAA server, and it points to on-prem authentication sources.  The benefit of using ClearPass (similar to ISE) is having a method for access control. We have several group policies that exist on the Firewall and upon successful authentication, ClearPass passes back a radius attribute controlling what Group Policy and ACL that particular user needs.  

 

Now comes SAML authentication. This removes AAA and ClearPass for at least the Authentication portion. We could still use it as an authorization server.  However,  It's been proposed that we remove the dependency to ClearPass and rethink how we're doing access control (ie authorization).  My question is what are other organizations doing for authorization as they move to Cloud AD and MFA?  I know people are still using ClearPass, ISE and Radius, as well as LDAP attributes for controlling access, but is there some other method with SAML, and Azure that can accomplish something similar?

1 Reply 1

patoberli
VIP Alumni
VIP Alumni

I couldn't find anything in my limited time, so in the end I did the group assignment with LDAP directly on the (local) hybrid AD.