Cisco ASA RA VPN with Azure AD and MFA

mikiNet
Level 1

Dear Sec Team,

I have a question about Remote Access VPN on ASA. I want to configure authentication for users based on Azure AD using login and password; additionally, after the credentials are entered it should ask me for a second authentication based on MFA. I found this document:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html


It is very helpful, but it is for ALL users. In my network I have a couple of user groups who should be part of different GROUP-POLICYs. For all groups, all users should be authenticated the same way, but they must be assigned to different GROUP-POLICYs. I always used LDAP integration with ldap-mapping, but that was with a LOCAL AD. We don't have ISE. Is it possible to assign users to different groups when I want to use Azure AD/MFA?

4 Replies

balaji.bandi
Hall of Fame

> Is it possible to assign users to different groups when I want to use Azure AD/MFA?

As I understand it, you would like to use different groups for authentication. I do not see an issue, as long as the profiles are bound to use that source.


Or are you having an issue configuring the same?


Create a test profile, add users to it, and test it.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mikiNet
Level 1

To better understand, I will describe the connection phases:

1. The client runs AnyConnect and connects to my ASA.

2. The client must receive a prompt for username and password.

3. After the right credentials, it should also receive a prompt from MS Authenticator.

4. After the right token/push/SMS, it should connect to the corporate network.


AD and MS Authenticator are in the Azure cloud. The configuration is very simple because I pasted the config guide into this topic, but this config guide describes a situation where we treat all users the same. In my situation users belong to different groups, and these groups should have different access permissions, so my question is based on this: how do I solve this situation? How does the ASA know which group a user will belong to? If I had a local AD it wouldn't be a problem because I could use LDAP and LDAP-MAP, but I want to use Azure.

mikiNet
Level 1

I found the solution:

> For multiple tunnel groups I'll need to add multiple applications (2 of them in your case) on the Azure side as well.
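What that solution looks like on the ASA side, as an added illustration that is not from this thread or from the Cisco guide linked above: one SAML IdP definition for the Azure AD tenant, and one tunnel-group per Azure enterprise application, each with its own default group-policy. TENANT-ID, vpn.example.com, the trustpoint, pool, ACL, group-policy and tunnel-group names are placeholders, and the per-application Identifier/Reply URL values follow the pattern the Cisco guide uses.

```text
! Added example, not the thread's own config. All names and TENANT-ID are placeholders.
webvpn
 enable outside
 tunnel-group-list enable
 ! Azure AD issuer for the tenant; the certificate imported into the "idp"
 ! trustpoint must be the one each Azure application signs its assertions with.
 saml idp https://sts.windows.net/TENANT-ID/
  url sign-in https://login.microsoftonline.com/TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/TENANT-ID/saml2
  trustpoint idp AZURE-IDP-CERT
  trustpoint sp ASA-SP-CERT
  no force re-authentication
  no signature
  base-url https://vpn.example.com
!
! Per-population policies: separate address pools and traffic filters.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-FINANCE
 vpn-filter value ACL-FINANCE
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ENG
 vpn-filter value ACL-ENG
!
! One tunnel-group per Azure enterprise application. Each app carries the
! tunnel-group name in its SP values, e.g. for TG-FINANCE:
!   Identifier: https://vpn.example.com/saml/sp/metadata/TG-FINANCE
!   Reply URL:  https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=TG-FINANCE
! With "user assignment required" on the app, only its assigned Azure group
! can complete SAML for that tunnel-group, so choosing another alias fails.
tunnel-group TG-FINANCE type remote-access
tunnel-group TG-FINANCE general-attributes
 default-group-policy GP-FINANCE
tunnel-group TG-FINANCE webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/
 group-alias Finance enable
tunnel-group TG-ENGINEERING type remote-access
tunnel-group TG-ENGINEERING general-attributes
 default-group-policy GP-ENGINEERING
tunnel-group TG-ENGINEERING webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/
 group-alias Engineering enable
```

MFA is enforced by the Azure side (Conditional Access on each application), which is why nothing MFA-specific appears in the ASA configuration.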

balaji.bandi
Hall of Fame

Nice that you resolved it, and thanks for the feedback!

BB
