Cisco AnyConnect two factor Authentication using MFA Azure

CiscoNutt
Level 1

We are looking at implementing two-factor authentication into our RA VPN setup. As of today we have the ASA sending authentication requests to an ACS, which in turn maps users to different group-policies based on AD attribute values.

So, I am wondering how I would go about setting up the two factor authentication with MFA Azure?

I would think that I would set up the ASA to authenticate to Azure and then Azure would forward the authentication request to ACS. But I would like confirmation on this, and if my understanding is not correct, please let me know what I would need to do to get this working.

Thanks in advance.

1 Reply

Rahul Govindan
VIP Alumni

You can send the authentication request to Azure MFA, then send the authorization request to a secondary server (ACS) so that you can get the RADIUS Class attribute to assign group-policy for the user. This is assuming that Azure MFA does not already send RADIUS Class attributes when it returns the user attributes.

An example with LDAP as the authorization server is given here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc21
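
The split described in the reply, sketched as an ASA configuration with RADIUS (ACS) as the authorization server instead of LDAP. This is an added example, not part of the original reply or of Cisco's document: the server-group names, tunnel-group name, addresses and key placeholders are hypothetical, and it assumes ACS is set up to answer the ASA's authorization-only request with a Class attribute naming the group-policy.

```text
! Added example. All names, addresses and keys below are placeholders.
!
! Fail-closed default: a session that is not mapped to a real group-policy
! by the Class attribute from ACS lands here and is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Authentication: password plus second factor are handled by Azure MFA.
aaa-server AZURE-MFA protocol radius
aaa-server AZURE-MFA (inside) host 192.0.2.10
 key <azure-mfa-shared-secret>
!
! Authorization only: ACS returns RADIUS Class (attribute 25), which the ASA
! uses to select the group-policy for the user.
aaa-server ACS-AUTHZ protocol radius
aaa-server ACS-AUTHZ (inside) host 192.0.2.20
 key <acs-shared-secret>
!
! authorization-required makes the login fail if the ACS lookup fails, so a
! user who passes MFA is never admitted without an authorization result.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AZURE-MFA
 authorization-server-group ACS-AUTHZ
 authorization-required
 default-group-policy NOACCESS
```

After a test login, `show vpn-sessiondb detail anyconnect` shows which group-policy the session received, which confirms that the Class attribute from the authorization server was applied.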
