09-15-2021 06:56 AM
Hi All,
Hoping someone can point me in the right direction.
So we use Cisco AnyConnect with Azure AD integration for authentication. On a particular VLAN, whereby everything is blocked unless allowed, the authentication window does appear, however it remains blank or sometimes loads with 'cannot load this page' (see screenshot below for reference).
Do you know what firewall rules need to be allowed for the Azure Authentication login process to be carried out successfully so a connection can be established?
Had a Google search and a look at the set-up guide by Cisco themselves, but cannot find what I'm looking for.
Appreciate any assistance!
Many thanks,
Carl
09-15-2021 07:04 AM
Hi @carl.allen1,
This will probably be very tricky.
You'll need to allow what you have configured for SAML on your headend, as ASA will redirect traffic to Microsoft for this:
https://login.microsoftonline.com/
What happens after this can't be pinpointed easily. If you have your ADFS published (and you probably do), you'll have to whitelist that as well. As all these portals reside behind HTTPS, you'll have to whitelist the certification authorities for those too (for the revocation check), for each portal along the equation.
I would do a packet capture on a client, look at the DNS requests, and while whitelisting one portal at a time, analyze the DNS records to understand what else I am missing, as I would assume you will miss something.
BR,
Milos
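One way to do the "look at the DNS requests, whitelist one portal at a time" step from the reply above: a small script (added here as an example, not something from the thread or from Cisco) that parses tcpdump-style DNS query lines captured on the client, counts the names queried, and reports which of them are not yet on the allow-list, grouped into a rough category so the identity-provider hosts, the CRL/OCSP hosts and everything else are easy to tell apart. The capture text below is constructed for the example; only login.microsoftonline.com comes from the reply, the other hostnames are placeholders, and the category rules are a simple heuristic, not a Microsoft or Cisco list.

```python
import re
from collections import Counter

# Constructed tcpdump-style DNS lines (not a real capture). The only real
# name here is login.microsoftonline.com, taken from the reply above; the
# .invalid names stand in for an organisation's ADFS and CA hosts.
SAMPLE_CAPTURE = """\
10:01:02.123456 IP 10.20.30.40.51011 > 10.20.30.1.53: 41320+ A? login.microsoftonline.com. (43)
10:01:02.234567 IP 10.20.30.1.53 > 10.20.30.40.51011: 41320 1/0/0 A 20.190.1.1 (59)
10:01:02.345678 IP 10.20.30.40.51012 > 10.20.30.1.53: 41321+ AAAA? login.microsoftonline.com. (43)
10:01:03.111111 IP 10.20.30.40.51013 > 10.20.30.1.53: 41322+ A? adfs.example.invalid. (38)
10:01:03.222222 IP 10.20.30.40.51014 > 10.20.30.1.53: 41323+ A? crl.example-ca.invalid. (40)
10:01:03.333333 IP 10.20.30.40.51015 > 10.20.30.1.53: 41324+ A? ocsp.example-ca.invalid. (41)
10:01:04.444444 IP 10.20.30.40.51016 > 10.20.30.1.53: 41325+ A? login.microsoftonline.com. (43)
"""

# Matches the query part of a tcpdump line: "<id>+ A? name. (len)".
# Response lines have no "?" after the record type, so they are skipped.
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+?)\.?\s+\(\d+\)\s*$")


def parse_dns_queries(capture_text):
    """Return a Counter of queried names (lower-case, no trailing dot)."""
    counts = Counter()
    for line in capture_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            counts[match.group("qname").lower()] += 1
    return counts


def classify(qname):
    """Heuristic label for a queried name (an assumption of this example)."""
    if qname == "login.microsoftonline.com" or qname.endswith(".microsoftonline.com"):
        return "identity-provider"   # the SAML redirect target named in the reply
    first_label = qname.split(".")[0]
    if first_label in ("crl", "ocsp"):
        return "revocation"          # certificate revocation checks for the HTTPS portals
    return "unknown"                 # e.g. a federation server such as ADFS; verify by hand


def suggest_allow_list(counts, already_allowed):
    """Names seen in the capture that are not yet allowed, with count and category."""
    return [
        (name, counts[name], classify(name))
        for name in sorted(counts)
        if name not in already_allowed
    ]


def render_report(counts, already_allowed):
    lines = ["Queried names not yet on the allow-list:"]
    for name, hits, category in suggest_allow_list(counts, already_allowed):
        lines.append(f"  {name:<32} queries={hits:<3} category={category}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Names already permitted on the restricted VLAN before this capture.
    allowed_so_far = {"login.microsoftonline.com"}
    print(render_report(parse_dns_queries(SAMPLE_CAPTURE), allowed_so_far))
```

Run it against a real capture (`tcpdump -n udp port 53` on the client, saved to a file) instead of the embedded sample, add the reported names to the firewall rules one portal at a time, retry the AnyConnect login and capture again; the "unknown" rows are the ones worth checking by hand before allowing, since DNS alone does not show which of them the login flow actually needs.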
09-15-2021 07:39 AM
Hi Milos,
Appreciate your response there, will give the latter a go and see if I can identify exactly what's trying to be contacted.
Many thanks,
Carl
09-17-2021 05:59 AM
Unfortunately right now this is not available. You can't directly connect Azure AD to Cisco ASA.