Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
695
Views
0
Helpful
7
Replies

Cisco FTD - two VPN servers with Azure MFA

Go to solution
NetworkPitu
Level 1
Level 1

‎02-28-2024 03:34 AM

Hi guys,

in company we have 2 offices acting as HQs. In each of those offices we have Cisco FTD (Cisco Firepower 1140 Threat Defense) where we have set up Remote Access (P2S VPN) for our employees. Now we are implementing 2FA for those VPNs using Azure MFA (Microsoft Entra ID). I set up it and it is working. But only for one VPN server. And I want to do that for both. So if from AnyConnect user select vpn-one.domain.com he will authorize using Azure MFA and connected to this VPN server which is in one of our HQ office. Same thing for vpn-two.domain.com (our second HQ office). In AAA-Servers when I added Single Sign-on Server as SAML I can add only one base URL so for example only vpn-one.domain.com. When I added second AAA Server but with second VPN server url in Base URL I got error that there already is Identity ID of Enterprise App in Azure.

How can I set it up to have possibilitie to connect to both VPNs using SAML and Azure 2FA? 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee

‎02-28-2024 05:37 PM

It is true that FMC does not allow us to create different SSO servers with same Entity ID. But all Azure applications under same AAD get the same Entity ID.

The solution for this is to enroll the Second Azure Application's IdP certificate to FTD.

When creating a new RAVPN connection profile use the same SSO server as the first one, but instead check an option "Override IdP Certificate" and select the second Azure Application's IdP trustpoint.

Save and deploy, it should work. I have tested it. Attached an image for your reference.

PavanGundu_0-1709170617672.png

 

View solution in original post

0 Helpful

Go to solution
NetworkPitu
Level 1
Level 1

‎03-06-2024 07:35 AM

Hi,

basically I solved it. Thanks for advice. This cert override helps but I also had to select in SAML conf on FMC Allow Overrides and select our second HQ ftd and make changes like based url to vpn-two.domain.com and it worked. 

Thanks again

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee

‎02-28-2024 05:37 PM

It is true that FMC does not allow us to create different SSO servers with same Entity ID. But all Azure applications under same AAD get the same Entity ID.

The solution for this is to enroll the Second Azure Application's IdP certificate to FTD.

When creating a new RAVPN connection profile use the same SSO server as the first one, but instead check an option "Override IdP Certificate" and select the second Azure Application's IdP trustpoint.

Save and deploy, it should work. I have tested it. Attached an image for your reference.

PavanGundu_0-1709170617672.png

 

0 Helpful

Go to solution
NetworkPitu
Level 1
Level 1
In response to Pavan Gundu

‎02-29-2024 03:58 AM

Thank you for answer. But what about connecting to second Anyconnect VPN server? We have vpn-one.domain.com in one of our HQ office and vpn-two.domain.com in second HQ office. It will still connect to selected VPN servers? Like user if he select vpn-one and Policy for it then he will be connected to vpn-one and similar with vpn-two?

0 Helpful

Go to solution
Pulkit Mittal
Spotlight
Spotlight
In response to NetworkPitu

‎02-29-2024 04:00 AM

Yes, this is tested and should work.

0 Helpful

Go to solution
NetworkPitu
Level 1
Level 1

‎02-29-2024 06:20 AM

Thank you for answer. But unfortunately I have still issue that when I enter vpn-two.domain.com and try to log in with second group, I have error that: Application with identifier 'https://vpn-one.domain.com/saml/sp/metadata/<Profile_Name>' was not found in the directory. That even if I want to connect to vpn-two it still trying to redirect to vpn-one

0 Helpful

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee
In response to NetworkPitu

‎02-29-2024 08:17 AM

Does the Azure side have two different applications for different connection profile?

Azure side has 2 configs, it's just that on FMC we only need to configure SSO once and override the IdP certificate.

0 Helpful

Go to solution
NetworkPitu
Level 1
Level 1
In response to Pavan Gundu

‎02-29-2024 08:25 AM

Yes, I set up second application but in SSO configuration on FMC there is putted as a base url: vpn-one.domain.com and I cannot add second base url. So our Anyconnect have to servers. vpn-one.domain.com which is connected while selecting device OneFirepower and also second device TwoFirepower which connect to vpn-two.domain.com

0 Helpful

Go to solution
NetworkPitu
Level 1
Level 1

‎03-06-2024 07:35 AM

Hi,

basically I solved it. Thanks for advice. This cert override helps but I also had to select in SAML conf on FMC Allow Overrides and select our second HQ ftd and make changes like based url to vpn-two.domain.com and it worked. 

Thanks again

0 Helpful
Customers Also Viewed These Support Documents