Beginner

FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

I want to integrate AnyConnect VPN authentication with Azure cloud MFA using our FirePower FTD 2100. I have found many configuration examples using ASA, but I can't find anything with FTD.

In the ASA examples, I need to configure the webvpn object, adding some SAML idp properties. Example:

webvpn
  saml idp https://sts.windows.net/xxxxxxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp
  no force re-authentication
  no signature
  base-url https://my.asa.com

But I simply can't figure out how to make these config changes on the FTD! There is no "config t" mode in the FTD CLI. I can't find anything in the FTD CLI reference to help. And there is nothing in the FMC GUI for this either. Is this even possible on an FTD 2100? Thank you!

5 REPLIES
VIP Advisor

Re: FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

Hi,

As of FTD/FMC v6.6, SAML is not supported for AnyConnect VPN, reference here.


HTH

Beginner

Re: FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

Thank you. So, the only way to add MFA to FTD AnyConnect would be via a RADIUS integration, correct? And the only way to integrate with Azure MFA via RADIUS is with Microsoft NPS server, I think. We have an ISE server in very early stages of development, I wonder if it can integrate with Azure MFA, and then FTD AnyConnect would integrate with ISE RADIUS for MFA.

Cisco Employee

Re: FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

SAML support is tracked under https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05412

It is a committed feature and hopefully will be out in 6.7.


For MFA you may want to consider DUO.

In 6.5 we introduced FTD SSL VPN support using Duo LDAPS in our RA VPN connection profile. This is only available via the FTD Device REST API.


Prior to the Firepower 6.5 release, we were able to use RADIUS, RADIUS Server Group, Active Directory and Local Identity Source as the authentication sources in an RA-VPN connection.

Since FDM 6.5.0, you can create a Duo LDAP identity source object through REST API and then can use this object in RA VPN connection profile as a secondary authentication identity source.


-Gustavo
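The workflow Gustavo describes (create the Duo LDAP identity source object over the FDM REST API, reference it as the secondary authentication source of the RA VPN connection profile, then deploy), sketched as an added Python example. It is not code from the thread or from Cisco. The endpoint paths, object type string and JSON field names are assumptions modelled on the FDM API's style, not verified values; confirm each against the API Explorer on your own FDM before use. The HTTP transport is injectable so the request-building logic can be exercised offline, and the real transport pins FDM's self-signed certificate via a CA file rather than disabling verification, since disabling it would expose the admin password and bearer token to anyone on the path.

```python
"""Added example: drive the FDM REST API to add Duo LDAP as a secondary
authentication source on an RA VPN connection profile.

All endpoint paths, the object "type" value and the JSON field names below
are ASSUMED placeholders in the FDM API style; verify them in API Explorer.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Optional

# transport(method, url, headers, json_body_or_None) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]

TOKEN_PATH = "/api/fdm/latest/fdm/token"                         # assumed
DUO_LDAP_PATH = "/api/fdm/latest/object/duoldapidentitysources"  # assumed
DEPLOY_PATH = "/api/fdm/latest/operational/deploy"               # assumed


def urllib_transport(cafile: str) -> Transport:
    """Real HTTPS transport. FDM uses a self-signed certificate: export it once
    and pass it as cafile so the connection is verified instead of unverified."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, url: str, headers: Dict[str, str],
             body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read().decode())
    return send


def build_token_request(username: str, password: str) -> Dict[str, str]:
    """Password-grant body for the FDM token endpoint (field names assumed)."""
    return {"grant_type": "password", "username": username, "password": password}


def build_duo_ldap_source(name: str, api_hostname: str, integration_key: str,
                          secret_key: str, timeout: int = 60) -> Dict[str, Any]:
    """Duo LDAP identity source object (field names and type value assumed).
    Keep secret_key out of source control; read it from a secret store."""
    return {"name": name, "apiHostname": api_hostname,
            "integrationKey": integration_key, "secretKey": secret_key,
            "timeout": timeout, "type": "duoldapidentitysource"}


def attach_secondary_source(profile: Dict[str, Any], source: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a connection-profile object that references the created
    Duo object as its secondary identity source (field name assumed)."""
    updated = dict(profile)
    updated["secondaryIdentitySource"] = {
        "id": source["id"], "type": source["type"], "name": source["name"]}
    return updated


class FdmClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        resp = self.transport("POST", self.base_url + TOKEN_PATH,
                              {"Content-Type": "application/json"},
                              build_token_request(username, password))
        self.token = resp["access_token"]
        return self.token

    def _headers(self) -> Dict[str, str]:
        if not self.token:
            raise RuntimeError("call login() before making API calls")
        return {"Content-Type": "application/json", "Accept": "application/json",
                "Authorization": "Bearer " + self.token}

    def create_duo_ldap_source(self, source: Dict[str, Any]) -> Dict[str, Any]:
        return self.transport("POST", self.base_url + DUO_LDAP_PATH, self._headers(), source)

    def update_connection_profile(self, profile_path: str,
                                  profile: Dict[str, Any]) -> Dict[str, Any]:
        # profile_path: the object's own URL path as returned by the API (assumed shape)
        return self.transport("PUT", self.base_url + profile_path, self._headers(), profile)

    def deploy(self) -> Dict[str, Any]:
        """Objects are staged until a deployment is started (path assumed)."""
        return self.transport("POST", self.base_url + DEPLOY_PATH, self._headers(), {})
```

Usage against a live device would be `FdmClient("https://fdm.example", urllib_transport("fdm-ca.pem"))`, then `login`, `create_duo_ldap_source(build_duo_ldap_source(...))`, `update_connection_profile(path, attach_secondary_source(profile, created))` and `deploy()`. The secondary source adds the Duo push on top of the primary RADIUS or AD check, so a stolen password alone still fails the VPN login.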

Beginner

Re: FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

Thank you. Is Duo the only supported MFA solution in the 6.5 REST API? Or would any MFA solution that uses LDAPS work?

Cisco Employee

Re: FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

Hi,

Should work with others. Haven't tested it myself though.

Here's the DUO example:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/215234-multi-factor-authentication-using-duo-l.html


-Gustavo