I would like to enable 2FA authentication for users, but I am struggling to find a way to do this without AD. I am using Azure AD. So far I have found the following options, but I am not able to use any of them:
1. Duo authproxy - requires AD or a RADIUS connection as the primary authentication point
2. Local FTD accounts and Duo as a secondary factor - it works perfectly, but only for FTD managed via FDM. Is it possible to have this configuration while using FMC?
3. SAML authentication to Azure AD - available only for ASA, not available as of 6.6 for FTD
4. Azure MFA Server (similar to Okta RADIUS) - not available for new implementations since July 2019
Do you have any other ideas on how to configure MFA for VPN?
If you can wait until FTD 6.7 (due out in just a few weeks) you can use SAML with Azure AD and its MFA. I've done this for several ASA-based VPNs and it's the simplest solution by far.
When available, SAML is the way to go, but most probably it will take time until 6.7 is a stable release.
I've tried a workaround in my lab by leveraging secondary authentication: I've configured ISE as the primary RADIUS server and Azure as the secondary one, and it works.
The downside is that you have to enter the password twice, but by configuring Azure not to validate the user and to check only the second factor (don't ask me how, the MS guy did it), you can leave the secondary password field blank.
Forgot to mention that the secondary RADIUS on FTD doesn't point directly to Azure but to an internal NPS server, which has a connector to Azure for the second factor.
Quite a complex setup, but it seems to work.
Putting in ISE and NPS generates quite an additional cost. Another option is to go for CDO management, local authentication, and Duo as secondary authentication. I didn't do the test, but in theory Duo authproxy with Azure AD as the LDAP primary authentication should work. However, this generates additional cost for Azure AD because of the AAD DS license. Thank you all for your replies; now I know the options and it is only a matter of deciding which direction we should go.
If you don't have the budget for ISE you can go with NPS alone; it is much less flexible, but it can cover basic authorization needs as well as 2FA against Azure.
I'm sorry, but I don't know; I'm not an MS guy. I can only bring you the results of my lab, where the NPS/Azure part was managed by another guy.
In my case I know for sure there were on-premises DCs, and most probably NPS was joined to them, but I cannot tell you if you can skip that part.