
FirePower Threat Defense FTD - Remote Access VPN AnyConnect with SAML IDP

cfitzgerald (Level 1)

I want to integrate AnyConnect VPN authentication with Azure cloud MFA using our FirePower FTD 2100. I have found many configuration examples using ASA, but I can't find anything with FTD.

In the ASA examples, I need to configure the webvpn object, adding some SAML idp properties. Example:

webvpn
  saml idp https://sts.windows.net/xxxxxxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  ! IdP signing certificate (imported into this trustpoint) and the ASA's own SP certificate
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp
  no force re-authentication
  no signature
  ! base of the ACS URL the IdP posts the assertion back to
  base-url https://my.asa.com

But I simply can't figure out how to make these config changes on the FTD! There is no "config t" mode in the FTD CLI. I can't find anything in the FTD CLI reference to help, and there is nothing in the FMC GUI for this either. Is this even possible on an FTD 2100? Thank you!

5 Replies

Hi,

As of FTD/FMC v6.6, SAML is not supported for AnyConnect VPN, reference here.


HTH

Thank you. So, the only way to add MFA to FTD AnyConnect would be via a RADIUS integration, correct? And the only way to integrate with Azure MFA via RADIUS is with Microsoft NPS server, I think. We have an ISE server in very early stages of development; I wonder if it can integrate with Azure MFA, and then FTD AnyConnect would integrate with ISE RADIUS for MFA.

SAML support is tracked under https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq05412

It is a committed feature and hopefully will be out in 6.7.


For MFA you may want to consider Duo.

In 6.5 we introduced FTD SSL VPN support using Duo LDAPS in our RA VPN connection profile. This is only available via the FTD Device REST API.


Prior to the Firepower 6.5 release, we were able to use RADIUS, RADIUS Server Group, Active Directory and Local Identity Source as the authentication sources in an RA VPN connection.

Since FDM 6.5.0, you can create a Duo LDAP identity source object through the REST API and then use this object in the RA VPN connection profile as a secondary authentication identity source.


-Gustavo

Thank you. Is Duo the only supported MFA solution in the 6.5 REST API? Or would any MFA solution that uses LDAPS work?

Hi,

Should work with others. Haven't tested it myself though.

Here's the Duo example:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/215234-multi-factor-authentication-using-duo-l.html


-Gustavo
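The two replies above say the Duo LDAP identity source on an FDM-managed FTD exists only as a REST API object. Below is an added example of that workflow, written for this thread and not taken from Cisco's or Duo's documentation: it obtains an FDM API token, builds the identity-source object, and posts it. Everything device-specific is an assumption to verify against the Cisco document linked above and the device's own API Explorer (https://<fdm>/api-explorer): the paths /api/fdm/latest/fdm/token and /api/fdm/latest/object/duoldapidentitysources, the object type name duoldapidentitysource and its fields (name, description, apiHostname, port, timeout, integrationKey, secretKey), the api-XXXXXXXX.duosecurity.com hostname pattern, and the environment variable names. No sample credentials are embedded; the script reads them from the environment.

```python
"""Create a Duo LDAP identity source on an FDM-managed FTD via the REST API.

Added example for this thread, not Cisco's or Duo's code. Assumed (verify in
the device's API Explorer and the linked Cisco document):
  - token endpoint   POST /api/fdm/latest/fdm/token
  - object endpoint  POST /api/fdm/latest/object/duoldapidentitysources
  - object fields    name, description, apiHostname, port, timeout,
                     integrationKey, secretKey, type="duoldapidentitysource"
"""
import json
import os
import re
import ssl
import urllib.request

API_PREFIX = "/api/fdm/latest"  # assumption: "latest" maps to the 6.5 API version
# Assumed shape of a Duo API hostname; rejects look-alike domains such as
# api-xxxxxxxx.duosecurity.com.example.net before a secret is ever sent.
DUO_HOST_RE = re.compile(r"^api-[0-9a-f]{8}\.duosecurity\.com$")


def valid_duo_hostname(host: str) -> bool:
    """True only for an exact api-XXXXXXXX.duosecurity.com hostname (assumed pattern)."""
    return bool(DUO_HOST_RE.match(host))


def build_duo_ldap_object(name, api_hostname, integration_key, secret_key,
                          port=636, timeout=120, description="Duo LDAPS MFA"):
    """Return the JSON body for the identity-source object (field names assumed).

    port stays 636: the integration is LDAPS, and the integration key/secret
    are sent as the LDAP bind credentials, so plaintext 389 is refused.
    timeout defaults to 120 s so a Duo push has time to be approved.
    """
    if not valid_duo_hostname(api_hostname):
        raise ValueError(f"unexpected Duo API hostname: {api_hostname!r}")
    if port != 636:
        raise ValueError("Duo LDAP authentication must use LDAPS on port 636")
    return {
        "name": name,
        "description": description,
        "apiHostname": api_hostname,
        "port": port,
        "timeout": timeout,
        "integrationKey": integration_key,
        "secretKey": secret_key,
        "type": "duoldapidentitysource",
    }


def _post(base_url, path, body, token=None, ca_bundle=None):
    """POST JSON to FDM with TLS verification on. Pass the FDM certificate (or
    the CA that issued it) as ca_bundle instead of disabling verification; the
    request carries the admin password or a bearer token."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def get_token(base_url, username, password, ca_bundle=None):
    """Password grant against the FDM token endpoint (path assumed)."""
    body = {"grant_type": "password", "username": username, "password": password}
    return _post(base_url, f"{API_PREFIX}/fdm/token", body, ca_bundle=ca_bundle)["access_token"]


def create_duo_ldap_source(base_url, token, obj, ca_bundle=None):
    """Create the object; the returned dict carries the id used in the RA VPN profile."""
    return _post(base_url, f"{API_PREFIX}/object/duoldapidentitysources", obj,
                 token=token, ca_bundle=ca_bundle)


if __name__ == "__main__":
    # Credentials and Duo keys come from the environment (variable names are
    # this example's own), never from the script or the object's description.
    fdm = os.environ["FDM_URL"]  # e.g. https://fdm.example.internal (hypothetical)
    ca = os.environ.get("FDM_CA_BUNDLE")
    tok = get_token(fdm, os.environ["FDM_USER"], os.environ["FDM_PASS"], ca_bundle=ca)
    obj = build_duo_ldap_object("Duo-MFA", os.environ["DUO_API_HOST"],
                                os.environ["DUO_IKEY"], os.environ["DUO_SKEY"])
    created = create_duo_ldap_source(fdm, tok, obj, ca_bundle=ca)
    print("created identity source id:", created.get("id"))
```

The object is a pending change until it is deployed (FDM exposes a deploy operation under /operational/deploy in the same API; path assumed), and the id returned here is what the RA VPN connection profile references as its secondary authentication source. The 120 s timeout matters in practice: the primary (AD/RADIUS) check completes quickly, but the Duo push only finishes when the user taps approve, so a short timeout on the profile makes every MFA login fail.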