We are in the planning phase of rolling out Azure MFA for Cisco AnyConnect. Today we use Aruba Clearpass as the AAA server, and it points to on-prem authentication sources. The benefit of using ClearPass (similar to ISE) is having a method for access control. We have several group policies that exist on the Firewall and upon successful authentication, ClearPass passes back a radius attribute controlling what Group Policy and ACL that particular user needs.
Now comes SAML authentication. This removes AAA and ClearPass for at least the Authentication portion. We could still use it as an authorization server. However, It's been proposed that we remove the dependency to ClearPass and rethink how we're doing access control (ie authorization). My question is what are other organizations doing for authorization as they move to Cloud AD and MFA? I know people are still using ClearPass, ISE and Radius, as well as LDAP attributes for controlling access, but is there some other method with SAML, and Azure that can accomplish something similar?