I want to integrate AnyConnect VPN authentication with Azure cloud MFA using our FirePower FTD 2100. I have found many configuration examples using ASA, but I can't find anything with FTD.
In the ASA examples, I need to configure the webvpn object, adding some SAML idp properties. Example:
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp
  no force re-authentication
  no signature
  base-url https://my.asa.com
But I simply can't figure out how to make these config changes on the FTD! There is no "config t" mode in the FTD CLI. I can't find anything in the FTD CLI reference to help. And there is nothing in the FMC GUI for this either. Is this even possible on an FTD 2100? Thank you!
As of FTD/FMC v6.6, SAML is not supported for AnyConnect VPN, reference here.
Thank you. So, the only way to add MFA to FTD AnyConnect would be via a RADIUS integration, correct? And the only way to integrate with Azure MFA via RADIUS is with Microsoft NPS server, I think. We have an ISE server in very early stages of development; I wonder if it can integrate with Azure MFA, and then FTD AnyConnect would integrate with ISE RADIUS for MFA.
SAML support is tracked under https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05412
It is a committed feature and hopefully will be out in 6.7.
For MFA you may want to consider DUO.
In 6.5 we introduced FTD SSL VPN support using Duo LDAPS in our RA VPN connection profile. This is only available via the FTD Device REST API.
Prior to the Firepower 6.5 release, we were able to use RADIUS, RADIUS Server Group, Active Directory and Local Identity Source as the authentication sources in an RA-VPN connection.
Since FDM 6.5.0, you can create a Duo LDAP identity source object through the REST API and can then use this object in an RA VPN connection profile as a secondary authentication identity source.
Thank you. Is Duo the only supported MFA solution in the 6.5 REST API? Or would any MFA solution that uses LDAPS work?
Should work with others. Haven't tested it myself though.
Here's the DUO example: