Solved: Cisco Anyconnect VPN Azure AD Multi-factor auth

Tinei · ‎08-22-2021

We recently configured Azure AD MFA to work with Cisco anyconnect and users are redirected to SAML when they select the connection profile. Everything is working fine users authenticate through Microsoft portal.

The challenge is that any subsequent VPN connections automatically redirect to SAML and don't give user chance to choose any connection profile. Because of single-sign-on the user is not prompted for any credentials, the VPN just connects.

How do I stop the auto redirection to SAML on the Cisco Anyconnect client? I want the user to have the option to select the connection profile so that they can choose MFA or not? Or have the user get an option to sign out so that there are prompted for Azure credentials again?

Tinei · ‎08-22-2021

Thanks for the prompt response, I think I managed to establish the issue. In our setup we configured no force re-authentication which means that SAML doesn't need user to authenticate directly, but can rely on other single-sign-on device to auto authenticate. Below is the much better explanation.

Use force re-authentication to cause the identity provider to authenticate directly rather than rely on a previous security context when a SAML authentication request occurs. This setting is the default; therefore, to disable, use no force re-authentication .

View solution in original post

Milos_Jovanovic · ‎08-22-2021

Hi @Tinei,

You need to have multiple tunnel-groups on your ASA/FTD. One/some of them will be with SAML as authentication method, while others would have plain AAA method. If you have SAML configured on all tunnel-groups, then it is up to the conditional access policies on Azure side to determine whould they prompt the user for MFA or not, and how frequent.

From the client side, you should have multiple profiles mapping to different tunnel-groups, so the user can choose to which profile he/she connects. Once profile is selected, authentication regular process starts, depending on your ASA/FTD configuration.

BR,

Milos

Tinei · ‎08-22-2021

Thanks for the prompt response, I think I managed to establish the issue. In our setup we configured no force re-authentication which means that SAML doesn't need user to authenticate directly, but can rely on other single-sign-on device to auto authenticate. Below is the much better explanation.

Use force re-authentication to cause the identity provider to authenticate directly rather than rely on a previous security context when a SAML authentication request occurs. This setting is the default; therefore, to disable, use no force re-authentication .

LovejitSingh130013 · ‎06-13-2022

Hello Tinei,

Does this means that now users are going through credentials and MFA every time? even if user connect to VPN and reconnecting to VPN after one hour ?

Mohammed al Baqari · ‎06-13-2022

Instead of doing it on FTD, it better to control it on AAD conditional
access using session control. This way you control how frequent you can
reauthenticate.

***** please remember to rate useful posts

Tinei · ‎06-13-2022

Yes, all users now go through MFA and its automated as long as their logged info Microsoft on any device.