Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
944
Views
5
Helpful
1
Replies

Cisco AnyConnect Authentication with SAML MFA and Authorization

neteng2323
Level 1
Level 1

‎09-29-2021 05:10 AM - edited ‎09-29-2021 05:42 AM

We are in the planning phase of rolling out Azure MFA for Cisco AnyConnect.  Today we use Aruba Clearpass as the AAA server, and it points to on-prem authentication sources.  The benefit of using ClearPass (similar to ISE) is having a method for access control. We have several group policies that exist on the Firewall and upon successful authentication, ClearPass passes back a radius attribute controlling what Group Policy and ACL that particular user needs.  

 

Now comes SAML authentication. This removes AAA and ClearPass for at least the Authentication portion. We could still use it as an authorization server.  However,  It's been proposed that we remove the dependency to ClearPass and rethink how we're doing access control (ie authorization).  My question is what are other organizations doing for authorization as they move to Cloud AD and MFA?  I know people are still using ClearPass, ISE and Radius, as well as LDAP attributes for controlling access, but is there some other method with SAML, and Azure that can accomplish something similar?

1 person had this problem
Labels:
1 Reply 1

patoberli
VIP Alumni
VIP Alumni

‎10-01-2021 04:20 AM

I couldn't find anything in my limited time, so in the end I did the group assignment with LDAP directly on the (local) hybrid AD. 

0 Helpful
Customers Also Viewed These Support Documents