Cisco RADIUS VPN support Authentication Groups?

egladwell
Level 1

Hello, we're looking to add MFA to our Cisco AnyConnect VPN. We found this article: https://duo.com/docs/ciscoasa-radius, which appears to be the setup we need.

We are wondering if after completing this setup we will still be able to use Active Directory group memberships to determine who has access to the VPN (i.e. only members of a specific group are able to sign into the VPN). In the past when we tried this, AnyConnect would ignore group membership, only prompting users who were already enrolled in Duo for MFA; anyone who was not enrolled in Duo would be granted access regardless of their group membership and would not be prompted for MFA.

5 Replies

The link you shared seems to be broken. If you have ISE in your environment, then you can configure ISE with individual authorization rules pointing to the AD groups, and then apply the authorization profile you want for each one.

Hi Aref, thank you for the response - I've fixed the link

I'm not sure I understand how ISE would help - we are currently using AD groups to limit AnyConnect users and it is working well. We want to make sure the groups will continue to work after changing the ASA settings for the VPN

Duo configuration will be used for authentication, and ISE would be used for authorization. When AnyConnect users try to connect, they will be prompted to provide the authentication details; once they pass the authentication, the authorization request will go to ISE, and based on their AD group ISE will match the right authorization rule. Or, what you can do as well is configuring Duo as an external identity on ISE, and relay both authentication and authorization requests from the firewall to ISE. This is recommended because in this case you don't have to send two different requests from the firewall to two different entities, and also this will provide more visibility and control as everything will be managed by ISE.
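
As an added illustration of the split that the reply above describes (one server for authentication, a second for authorization, with access decided by AD group), here is an ASA configuration in the same shape, but with the ASA's own LDAP authorization against Active Directory standing in for ISE. This is example config, not from the thread, the Duo article, or Cisco. The server addresses (10.0.0.5, 10.0.0.10), the tunnel-group and group-policy names, the service-account DN and the CN=VPN-Users group are all assumed placeholders; replace them with your own.

```text
! Added example, not from the original thread. Hypothetical names/addresses:
! DUO-RADIUS  = Duo Authentication Proxy at 10.0.0.5 (RADIUS, authentication)
! AD-LDAP     = domain controller at 10.0.0.10 (LDAP, authorization)
! CN=VPN-Users = the AD group that is allowed on the VPN
!
! 1) Duo Authentication Proxy as the RADIUS *authentication* server.
!    timeout 60 leaves room for the push / phone-call second factor.
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.5
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 60
!
! 2) Active Directory over LDAP as the *authorization* server. The attribute
!    map turns the user's memberOf value into the group-policy to apply.
ldap attribute-map AD-GROUP-TO-GP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Svc,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP
!
! 3) Default policy that allows zero sessions. A user who passes Duo but is
!    NOT in CN=VPN-Users gets no memberOf match, so this policy applies
!    and the login is rejected.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! 4) Tunnel group: authenticate via Duo, authorize via AD, and REQUIRE the
!    authorization step so a failed or skipped LDAP lookup cannot fall
!    through to access.
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group DUO-RADIUS
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy GP-NOACCESS
```

The two settings that do the gating are `authorization-required` and the `vpn-simultaneous-logins 0` default policy: together they make "not in the group" and "authorization lookup failed" both land on a policy that admits nobody, instead of the tunnel group's default. If ISE is the authorization server instead, the same `authorization-server-group` / `default-group-policy` pattern applies, with ISE returning the group-policy per AD group. Note that this only decides who may connect; whether a user who is not yet enrolled in Duo is prompted for MFA or let through is a Duo-side policy, not something the ASA controls.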

Hi Aref,

This sounds like it would work great! Are you able to point me to any directions for the ISE setup? 

Yes, it should work just fine; I've done it a few times in the past and it works really well. I did a quick search and found this link, hopefully it will cover all that you need, but we are here if you have any further questions :-D

How to Setup Anyconnect Remote Access VPN w/ Cisco FMC and FTD Firewalls, utilizing ISE & Duo 2FA for Authentication and Authorization (lookingpoint.com)