08-22-2021 06:15 PM - edited 08-22-2021 06:16 PM
We recently configured Azure AD MFA to work with Cisco AnyConnect, and users are redirected to SAML when they select the connection profile. Everything is working fine; users authenticate through the Microsoft portal.
The challenge is that any subsequent VPN connection automatically redirects to SAML and doesn't give the user a chance to choose a connection profile. Because of single sign-on, the user is not prompted for any credentials; the VPN just connects.
How do I stop the automatic redirection to SAML on the Cisco AnyConnect client? I want the user to have the option to select the connection profile so they can choose MFA or not, or to have an option to sign out so they are prompted for Azure credentials again.
Accepted Solutions
08-22-2021 11:21 PM - edited 08-22-2021 11:22 PM
Thanks for the prompt response. I think I managed to establish the issue. In our setup we configured no force re-authentication, which means SAML doesn't need the user to authenticate directly but can rely on another single sign-on device to auto-authenticate. Below is a much better explanation.
Use force re-authentication to cause the identity provider to authenticate directly rather than rely on a previous security context when a SAML authentication request occurs. This setting is the default; therefore, to disable it, use no force re-authentication.
08-22-2021 11:01 PM
Hi @Tinei,
You need to have multiple tunnel-groups on your ASA/FTD. One or some of them will use SAML as the authentication method, while the others use a plain AAA method. If you have SAML configured on all tunnel-groups, then it is up to the conditional access policies on the Azure side to determine whether to prompt the user for MFA or not, and how frequently.
From the client side, you should have multiple profiles mapping to the different tunnel-groups, so the user can choose which profile he/she connects to. Once a profile is selected, the regular authentication process starts, depending on your ASA/FTD configuration.
BR,
Milos
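The two points raised in this thread, a SAML tunnel-group next to a plain AAA tunnel-group and the force re-authentication setting, in one ASA configuration. This is an added illustration, not the poster's or Cisco's configuration; the tenant id, hostnames, trustpoint, pool, group-policy and tunnel-group names are placeholders.

```cisco
! Added illustration; all names and the <TENANT-ID-PLACEHOLDER> are placeholders.
webvpn
 enable outside
 ! Show the group aliases as a drop-down list in the AnyConnect client
 tunnel-group-list enable
 saml idp https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AZURE-AD-IDP-CERT
  trustpoint sp ASA-OUTSIDE-CERT
  base-url https://vpn.example.com
  ! Weak setting from the thread: the IdP may reuse the existing Azure AD
  ! session, so a reconnect completes with no credential or MFA prompt.
  !   no force re-authentication
  ! Corrected setting (the default): every SAML request re-prompts the user.
  force re-authentication
!
! Profile 1: SAML, MFA enforced by Azure AD conditional access
tunnel-group RA-SAML type remote-access
tunnel-group RA-SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-SAML
tunnel-group RA-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/
 group-alias MFA-VPN enable
!
! Profile 2: plain AAA, no SAML redirect at all
tunnel-group RA-AAA type remote-access
tunnel-group RA-AAA general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
 default-group-policy GP-AAA
tunnel-group RA-AAA webvpn-attributes
 group-alias Legacy-VPN enable
```

Because force re-authentication is the default, it does not appear in show running-config; its absence is not the same as no force re-authentication being absent, so check the saml idp block explicitly when auditing.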
06-13-2022 09:52 AM
Hello Tinei,
Does this mean that users now go through credentials and MFA every time, even if a user connects to the VPN and reconnects to the VPN after one hour?
06-13-2022 10:28 AM
access using session control. This way you control how frequently you reauthenticate.
***** please remember to rate useful posts