Cisco AnyConnect Azure AD Authentication Firewall Rules

carl.allen1 (Level 1)

Hi All,

Hoping someone can point me in the right direction.

So we use Cisco AnyConnect with Azure AD integration for authentication. On a particular VLAN, where everything is blocked unless allowed, the authentication window does appear; however, it remains blank or sometimes loads with 'cannot load this page' (see screenshot below for reference).

[Screenshot: Cisco_Training_Machines_Fail.PNG]

Do you know what firewall rules need to be allowed for the Azure Authentication login process to be carried out successfully so a connection can be established?

Had a Google search and a look at the setup guide from Cisco themselves, but cannot find what I'm looking for.

Appreciate any assistance!

Many thanks,

Carl

Milos_Jovanovic (VIP Alumni)

Hi @carl.allen1,

This will probably be very tricky.

You'll need to allow what you have configured for SAML on your headend, as ASA will redirect traffic to Microsoft for this:

https://sts.windows.net/

https://login.microsoftonline.com/

What happens after this can't be pinpointed easily. If you have your ADFS published (and you probably do), you'll have to whitelist that as well. As all these portals reside behind HTTPS, you'll have to whitelist the certification authorities for those too (for revocation checks), for each portal along the chain.

I would do a packet capture on a client, look at the DNS requests, and, while whitelisting one portal at a time, analyze the DNS records to understand what else I am missing, as I would assume you will miss something.

BR,

Milos
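As an added illustration of the approach Milos describes (not code from the thread or from Cisco), the script below takes DNS query lines in the format printed by `tcpdump -n udp port 53`, extracts every hostname the client asked for, and reports which of them are not yet covered by the firewall allowlist. The capture lines and the hostnames `vpn.corp.example`, `adfs.corp.example` and `crl.example-ca.test` are constructed placeholders; only `sts.windows.net` and `login.microsoftonline.com` come from the answer above. Running it after each round of allowlisting shows what the next rule needs to cover.

```python
import re
from collections import Counter

# Constructed sample of tcpdump DNS lines (NOT a real capture). The format
# mirrors `tcpdump -n -i eth0 udp port 53`; the last line is a response and
# should be ignored by the parser.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 10.20.30.40.51234 > 10.20.30.1.53: 1234+ A? vpn.corp.example. (34)
12:00:02.200 IP 10.20.30.40.51235 > 10.20.30.1.53: 1235+ A? login.microsoftonline.com. (42)
12:00:02.250 IP 10.20.30.40.51236 > 10.20.30.1.53: 1236+ AAAA? login.microsoftonline.com. (42)
12:00:03.300 IP 10.20.30.40.51237 > 10.20.30.1.53: 1237+ A? sts.windows.net. (32)
12:00:04.400 IP 10.20.30.40.51238 > 10.20.30.1.53: 1238+ A? adfs.corp.example. (35)
12:00:05.500 IP 10.20.30.40.51239 > 10.20.30.1.53: 1239+ A? crl.example-ca.test. (37)
12:00:05.600 IP 10.20.30.1.53 > 10.20.30.40.51239: 1239 1/0/0 A 203.0.113.10 (53)
"""

# What the firewall currently permits: the two endpoints named in the answer
# plus a placeholder VPN headend. An entry covers itself and its subdomains.
DEFAULT_ALLOWLIST = {
    "vpn.corp.example",          # constructed placeholder for the ASA headend
    "sts.windows.net",
    "login.microsoftonline.com",
}

# Matches the "<type>? <name>." part of a tcpdump DNS *query* line; response
# lines carry no "?" and therefore never match.
QUERY_RE = re.compile(r"\s(?:A|AAAA|CNAME)\?\s+([A-Za-z0-9.-]+)\.\s")


def queried_hosts(capture_text):
    """Return a Counter of hostnames seen in DNS query lines (responses ignored)."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def missing_from_allowlist(hosts, allowlist):
    """Hostnames not covered by any allowlist entry (exact match or subdomain)."""
    def covered(host):
        return any(host == a or host.endswith("." + a) for a in allowlist)
    return sorted(h for h in hosts if not covered(h))


if __name__ == "__main__":
    seen = queried_hosts(SAMPLE_CAPTURE)
    for host, n in seen.most_common():
        print(f"{n:3d}  {host}")
    print("Not yet allowed:", missing_from_allowlist(seen, DEFAULT_ALLOWLIST))
```

On the constructed sample the report lists the ADFS host and the CA's CRL host as the two names still blocked, which is exactly the "one portal at a time" loop the answer recommends: allow them, re-capture, and repeat until the client stops asking for anything outside the list. On a real client, feed the script the output of `tcpdump -n udp port 53` taken while the AnyConnect login window is open.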

Hi Milos,

Appreciate your response there, will give the latter a go and see if I can identify exactly what's trying to be contacted.

Many thanks,

Carl

BIbrahimov (Level 1)

Unfortunately, right now this is not available. You can't directly connect Azure AD to Cisco ASA.