Cisco FTD - two VPN servers with Azure MFA

NetworkPitu
Level 1

Hi guys,

In our company we have 2 offices acting as HQs. In each of those offices we have a Cisco FTD (Cisco Firepower 1140 Threat Defense) where we have set up Remote Access (P2S VPN) for our employees. Now we are implementing 2FA for those VPNs using Azure MFA (Microsoft Entra ID). I set it up and it is working, but only for one VPN server, and I want to do that for both. So if in AnyConnect a user selects vpn-one.domain.com, he will authorize using Azure MFA and be connected to the VPN server in one of our HQ offices; the same for vpn-two.domain.com (our second HQ office). In AAA Servers, when I added a Single Sign-on Server as SAML, I can add only one Base URL, so for example only vpn-one.domain.com. When I added a second AAA Server with the second VPN server URL as the Base URL, I got an error that there is already an Identity ID of an Enterprise App in Azure.

How can I set it up to have the possibility to connect to both VPNs using SAML and Azure 2FA?

2 Accepted Solutions

Pavan Gundu
Cisco Employee

It is true that FMC does not allow us to create different SSO servers with the same Entity ID. But all Azure applications under the same AAD get the same Entity ID.

The solution for this is to enroll the second Azure application's IdP certificate on the FTD.

When creating a new RAVPN connection profile, use the same SSO server as the first one, but check the option "Override IdP Certificate" and select the second Azure application's IdP trustpoint.

Save and deploy; it should work. I have tested it. Attached is an image for your reference.


NetworkPitu
Level 1

Hi,

Basically I solved it. Thanks for the advice. This cert override helps, but I also had to select Allow Overrides in the SAML configuration on FMC, select our second HQ FTD and make changes such as the Base URL to vpn-two.domain.com, and it worked.

Thanks again
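One check worth running after the deploy described above, added here as an example that is not part of the thread or of Cisco's tooling: pull the SP metadata each FTD publishes and confirm that its entityID and AssertionConsumerService URL carry that FTD's own Base URL and match the Identifier and Reply URL of the Azure Enterprise Application paired with it. The entityID path `https://<Base URL>/saml/sp/metadata/<profile>` is the shape quoted in the Azure error earlier in the thread; the ACS path `/+CSCOE+/saml/sp/acs?tgname=<profile>`, the profile names `RAVPN-HQ1`/`RAVPN-HQ2` and the Azure app settings are assumptions, and the metadata documents are constructed samples rather than captures. The mismatch case below reproduces the "was not found in the directory" situation from the thread, where the second HQ's profile still advertised vpn-one.domain.com because the Base URL override was missing.

```python
"""Check FTD SAML SP metadata against the Azure Enterprise App it is paired with.

Added example, not code from the thread. Assumptions: entityID shape from the
Azure error quoted in the thread; ACS path and profile names are hypothetical;
all XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def sp_entity_id(base_url, profile):
    # Shape taken from the Azure error message quoted in the thread.
    return f"https://{base_url}/saml/sp/metadata/{profile}"


def sp_acs_url(base_url, profile):
    # ASA/FTD-style SAML ACS path; assumption, not stated in the thread.
    return f"https://{base_url}/+CSCOE+/saml/sp/acs?tgname={profile}"


def parse_sp_metadata(xml_text):
    """Return the entityID and ACS Locations from a SAML SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [e.attrib["Location"]
           for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)]
    return {"entity_id": root.attrib["entityID"], "acs_urls": acs}


def check_sp_metadata(xml_text, base_url, profile, azure_identifier, azure_reply_urls):
    """Return a list of problems; empty means this FTD lines up with its Azure app."""
    meta = parse_sp_metadata(xml_text)
    problems = []
    want_entity = sp_entity_id(base_url, profile)
    if meta["entity_id"] != want_entity:
        problems.append(f"entityID is {meta['entity_id']}, expected {want_entity} "
                        "(Base URL override missing or wrong on this FTD)")
    if meta["entity_id"] != azure_identifier:
        problems.append(f"entityID {meta['entity_id']} does not match the Azure app "
                        f"Identifier {azure_identifier}")
    if not meta["acs_urls"]:
        problems.append("no AssertionConsumerService in metadata")
    for acs in meta["acs_urls"]:
        host = urlsplit(acs).hostname
        if host != base_url:
            problems.append(f"ACS {acs} points at {host}, not {base_url}; "
                            "Azure would send the SAML response to the wrong FTD")
        if acs not in azure_reply_urls:
            problems.append(f"ACS {acs} is not among the Azure app Reply URLs")
    return problems


def build_sample_metadata(base_url, profile):
    """Constructed sample SP metadata: just enough of the schema for the check."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="{sp_entity_id(base_url, profile)}">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{sp_acs_url(base_url, profile)}" index="0"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )


# Assumed Azure Enterprise App settings, one app per FTD (hypothetical values).
AZURE_APPS = {
    "HQ1": {"identifier": "https://vpn-one.domain.com/saml/sp/metadata/RAVPN-HQ1",
            "reply_urls": {"https://vpn-one.domain.com/+CSCOE+/saml/sp/acs?tgname=RAVPN-HQ1"}},
    "HQ2": {"identifier": "https://vpn-two.domain.com/saml/sp/metadata/RAVPN-HQ2",
            "reply_urls": {"https://vpn-two.domain.com/+CSCOE+/saml/sp/acs?tgname=RAVPN-HQ2"}},
}


if __name__ == "__main__":
    # Scenario from the thread: second HQ without the Base URL override still
    # advertises vpn-one.domain.com, then the same FTD after the override.
    scenarios = [
        ("HQ1", "vpn-one.domain.com", "RAVPN-HQ1", "vpn-one.domain.com"),
        ("HQ2 before override", "vpn-two.domain.com", "RAVPN-HQ2", "vpn-one.domain.com"),
        ("HQ2 after override", "vpn-two.domain.com", "RAVPN-HQ2", "vpn-two.domain.com"),
    ]
    for label, base_url, profile, advertised in scenarios:
        app = AZURE_APPS[label.split()[0]]
        xml_doc = build_sample_metadata(advertised, profile)
        issues = check_sp_metadata(xml_doc, base_url, profile,
                                   app["identifier"], app["reply_urls"])
        print(f"{label}: {'OK' if not issues else 'MISMATCH'}")
        for issue in issues:
            print("  -", issue)
```

In a real deployment, replace `build_sample_metadata` with an HTTPS fetch of `https://<Base URL>/saml/sp/metadata/<profile>` from each FTD and copy the Identifier and Reply URLs from the corresponding Azure app's Single sign-on page; the check then tells you immediately whether the per-device Base URL override took effect before users hit the Azure error.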


7 Replies


Thank you for the answer. But what about connecting to the second AnyConnect VPN server? We have vpn-one.domain.com in one of our HQ offices and vpn-two.domain.com in the second HQ office. Will it still connect to the selected VPN server? For example, if a user selects vpn-one and the policy for it, will he be connected to vpn-one, and similarly with vpn-two?

Yes, this is tested and should work.

NetworkPitu
Level 1

Thank you for the answer. But unfortunately I still have the issue that when I enter vpn-two.domain.com and try to log in with the second group, I get the error: Application with identifier 'https://vpn-one.domain.com/saml/sp/metadata/<Profile_Name>' was not found in the directory. So even when I want to connect to vpn-two, it is still trying to redirect to vpn-one.

Does the Azure side have two different applications for the different connection profiles?

The Azure side has 2 configs; it's just that on FMC we only need to configure SSO once and override the IdP certificate.

Yes, I set up a second application, but in the SSO configuration on FMC the Base URL is set to vpn-one.domain.com and I cannot add a second Base URL. So our AnyConnect has two servers: vpn-one.domain.com, which is connected when selecting the device OneFirepower, and also the second device TwoFirepower, which connects to vpn-two.domain.com.
