FTD Anyconnect + Azure AD MFA and ISE posture

net87
Level 1

Hi,

We are trying to build an AnyConnect VPN on FTD, which is currently authenticated using ISE, and all compliance checks are done via posture.

We expect to integrate Azure MFA using Azure AD on ISE; we did review documents that use Duo as an external RADIUS server.

Is there any specific document or recommendation we can use to just add 2FA using Azure AD while keeping the ISE policies intact for authentication?

or

If we use Azure AD with SAML for authentication, then how would I integrate ISE for posture checks? Does this mean ISE will only act as authorization?

Additionally, if I am using the SAML cert, then how will my usual FQDN be directed to the outside IP of the FTD?

Rgds

Sam

11 Replies

Marvin Rhoads
Hall of Fame

When you use Azure MFA with remote access VPN on FTD, it is generally via SAML. The MFA all takes place on the Azure backend of the equation so FTD really doesn't know about it.

You are correct - ISE posture check is then part of the Authorization process and happens during ISE's processing of the Authorization policy conditions and results. In that case, ISE doesn't need to be used by FTD as an authentication server. It is only the Authorization server.

Thanks Marvin,

I am looking to use Azure MFA the way Cisco has provided some use cases for Duo. Is there any expected support to use Azure MFA like Duo as an external proxy?

Not at this time. I believe it's because Azure MFA is more of an add-on to Azure AD rather than a full-featured MFA solution like Duo.

Hi Marvin,

In this case, if ISE works as an authorization server, how will it differentiate between users? How will it identify that this is user X, to give him a certain ACL or policy, and this is user Y, to give him another policy or ACL, especially when the users are in Azure AD and not local AD?

Thank you

Milos_Jovanovic
VIP Alumni

Hi Sam,

I did something similar, and this was my setup:

  • ASA (or FTD in your case) is directly integrated with Azure AD via SAML (bear in mind that SSO for RA VPN comes in v6.7)
  • AAD (Azure AD) performs validations, also known as Conditional Access (MFA is one of the existing conditions), and permits or denies access
  • Upon successful authentication, ASA proceeds with authorization against ISE (ISE is defined as an authorize-only server)
  • On ISE you build policies the same as for any other VPN service. If you want to use a dedicated policy set for this setup, you can even configure Deny Any under the authentication policy, as it really doesn't matter what you have configured here since it is an authorize-only server. In your case, you define the posture check.

Integration with Duo can be done as an integration with a RADIUS server (or RADIUS Token), in which you point ISE to ask the Duo Authentication Proxy for approval, and from that standpoint, ASA/FTD only communicates with ISE. However, there is no SSO experience.

I'm not sure that I understand the question about the cert and FQDN. The certificate that you configure under the SAML configuration is only used for encrypted communication between AAD and ASA, and it has nothing to do with the certificate which is configured for RA VPN and visible to end users.

Regards

Milos

joseponceiii
Level 1

Hi @Milos_Jovanovic, thanks for the useful info.

Just a follow-up question: we are looking into integrating Azure AD with ASAs, and based on your 2nd bullet point, we could configure this with MFA as part of the AAD authentication. Our existing ASA config already consists of a Duo integration as "secondary-authentication-server-group", and I want to know: if we integrate with AAD, do we still need this configuration, since AAD itself will handle the MFA (Duo in this case)? And we will just configure ISE as either "authorization-server-group" as part of the tunnel-group or "authorize-only" in aaa-server (please see below for my clarification), and then it will proceed with its posture checks and authorization policies?

Do you have an idea what the difference is between the configurations below? What I mean is that the tunnel-group itself can be configured with "authentication-server-group" instead of "authorization-server-group", and "authorize-only" can be defined under aaa-server. Is there any difference?

aaa-server ISE-NEW protocol radius
 authorize-only

OR

tunnel-group SSL_VPN webvpn-attributes
 authorization-server-group ISE-NEW

Thanks in advance.

Hi @joseponceiii,

You actually need both of them.

In a normal RADIUS flow, the AAA server is used for authentication, and authorization comes after successful authentication. In this flow, the AAA server is aware of the authentication phase. When using the scenario I described, you are doing authentication against AAD, so ISE is not aware of the authentication part. The 'authorize-only' option permits usage of ISE in such a scenario: ISE receives an 'authorize-only' request from ASA/FTD and proceeds with processing (otherwise it would drop it, as it didn't receive authentication before authorization). In order not to mess up your existing setup, I would advise creating a new aaa-server group, more or less the same as your existing one, but with the 'authorize-only' option.

In the tunnel-group section, you are just invoking the previously configured aaa-server group, and instructing ASA to perform additional authorization once authentication completes. I would advise something like this:

tunnel-group SSL_VPN webvpn-attributes
 authorization-server-group ISE-NEW   -- calling for additional authorization
 accounting-server-group ISE-NEW      -- sending accounting logs to ISE, important for the licensing part
 authorization-required               -- requiring successful authorization before permitting access

BR,

Milos

Thanks for the very quick response @Milos_Jovanovic. Really appreciate it.

There's one question that I think is not yet answered, relating to our existing "secondary-authentication-server-group" for Duo (the 2nd password field when the client initializes).

The configuration looks something like this:

aaa-server Duo protocol ldap
aaa-server Duo host api-xxxxxx.duosecurity.com

and then it's applied to the tunnel-group something like this:

tunnel-group SSL_VPN general-attributes
 authentication-server-group ISE-NEW
 secondary-authentication-server-group Duo use-primary-username
 accounting-server-group ISE-NEW
 default-group-policy xxx_xxxx

Based on my understanding, this (Duo in ASA) is no longer needed, am I correct? As the MFA (push, phone, etc.) is integrated directly from Azure AD. That's what I understand, and please correct me if I'm wrong. I'm thinking of basically just not including the Duo integration in any of the ASA configuration and letting AAD do its MFA/2FA thing.

Thanks again,

If you'll be using Azure MFA, then you probably don't need Duo. You'll need to configure conditional access policy on Azure side, in order to prompt users for MFA.

BR,

Milos

joseponceiii
Level 1

Overall, this is what I'm looking to configure on ASA:

tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool VPNPool
 authorization-server-group ISE-NEW
 accounting-server-group ISE-NEW
 default-group-policy client_group
tunnel-group SSL_VPN webvpn-attributes
 saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxx/
 authentication saml
 group-alias saml enable

Plus the webvpn + trustpoint configuration part found in the Azure portal documentation:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect

ISE posture is configured already; no changes needed, I suppose. It has "Continue" set in the authentication policy, then the usual posture authorization profiles/policies.

Any more recommendations?

Yes, this looks ok in general.

I would advise to add 'authorization-required' under tunnel-group.

Also, please note that sign-out URL described in this guide is not the correct one anymore, and not updated in the guide. You'll need to check and copy it from your application from Azure. It will be something like 'url sign-out https://login.microsoftonline.com/XXXXXX/saml2'

No, this will not affect your posture policies.

BR,

Milos
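The two-place requirement Milos describes (an aaa-server group marked 'authorize-only' plus 'authorization-server-group', 'accounting-server-group' and 'authorization-required' on the tunnel-group), and the question of whether the Duo 'secondary-authentication-server-group' can be dropped once MFA moves to Azure AD Conditional Access, can be checked mechanically against a running-config before cutting over. The following Python script is an added example, not from this thread and not Cisco's tooling; it parses the ASA stanzas shown on this page with a minimal block parser (general-attributes and webvpn-attributes sub-commands are merged per tunnel-group, so it does not matter which sub-mode a command sits in), and the sample configs, tenant id, RADIUS host and shared secret are constructed placeholders.

```python
"""Lint an ASA remote-access tunnel-group for the SAML (Azure AD) + ISE authorize-only pattern."""
import re
from dataclasses import dataclass, field


@dataclass
class AsaConfig:
    """Sub-commands collected per aaa-server group and per tunnel-group."""
    aaa_servers: dict = field(default_factory=dict)    # group name -> set of sub-commands
    tunnel_groups: dict = field(default_factory=dict)  # tunnel-group -> set (general + webvpn merged)


def parse_asa_config(text: str) -> AsaConfig:
    """Minimal ASA config parser: a top-level line opens a block, indented lines belong to it."""
    cfg = AsaConfig()
    current = None  # (kind, name) of the block currently receiving indented lines
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if raw[0].isspace():
            if current is not None:
                kind, name = current
                (cfg.aaa_servers if kind == "aaa" else cfg.tunnel_groups)[name].add(line)
            continue
        current = None  # any new top-level line closes the previous block
        m = re.match(r"aaa-server (\S+) protocol \S+$", line)
        if m:
            current = ("aaa", m.group(1))
            cfg.aaa_servers.setdefault(m.group(1), set())
            continue
        m = re.match(r"tunnel-group (\S+) (general-attributes|webvpn-attributes|type \S+)$", line)
        if m:
            cfg.tunnel_groups.setdefault(m.group(1), set())
            if m.group(2).endswith("-attributes"):
                current = ("tg", m.group(1))
    return cfg


def _arg_of(cmds, keyword):
    """Return the first argument of sub-command `keyword`, or None if the command is absent."""
    for c in cmds:
        parts = c.split()
        if parts[0] == keyword:
            return parts[1] if len(parts) > 1 else ""
    return None


def check_saml_ise_tunnel_group(cfg: AsaConfig, tg_name: str) -> list:
    """Return (severity, message) findings for the SAML-auth + ISE-authorize-only pattern."""
    cmds = cfg.tunnel_groups.get(tg_name)
    if cmds is None:
        return [("ERROR", f"tunnel-group {tg_name} not found")]
    findings = []
    if "authentication saml" not in cmds:
        findings.append(("ERROR", "no 'authentication saml'; users are not sent to Azure AD"))
    if not any(c.startswith("saml identity-provider ") for c in cmds):
        findings.append(("ERROR", "no 'saml identity-provider' bound to the tunnel-group"))
    group = _arg_of(cmds, "authorization-server-group")
    if group is None:
        findings.append(("ERROR", "no 'authorization-server-group'; ISE is never consulted after SAML auth"))
    elif group not in cfg.aaa_servers:
        findings.append(("ERROR", f"authorization-server-group '{group}' has no aaa-server definition"))
    elif "authorize-only" not in cfg.aaa_servers[group]:
        # ISE drops an authorization request that was not preceded by an authentication it saw.
        findings.append(("ERROR", f"aaa-server {group} lacks 'authorize-only'; ISE will drop the request"))
    if _arg_of(cmds, "accounting-server-group") is None:
        findings.append(("WARN", "no 'accounting-server-group'; ISE receives no accounting (licensing)"))
    if "authorization-required" not in cmds:
        findings.append(("WARN", "'authorization-required' not set; ISE authorization is not mandatory"))
    if _arg_of(cmds, "secondary-authentication-server-group") is not None:
        findings.append(("INFO", "secondary-authentication-server-group still present; redundant once "
                                 "MFA is enforced by Azure AD Conditional Access"))
    return findings


# Constructed sample: the target state described in the thread (placeholders, not real values).
TARGET_CONFIG = """\
aaa-server ISE-NEW protocol radius
 authorize-only
aaa-server ISE-NEW (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool VPNPool
 authorization-server-group ISE-NEW
 accounting-server-group ISE-NEW
 authorization-required
 default-group-policy client_group
tunnel-group SSL_VPN webvpn-attributes
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 authentication saml
 group-alias saml enable
"""

# Constructed sample: SAML added, but ISE group not marked authorize-only and Duo second factor left in place.
PARTIAL_CONFIG = """\
aaa-server ISE-NEW protocol radius
aaa-server Duo protocol ldap
aaa-server Duo host api-PLACEHOLDER.duosecurity.com
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 authorization-server-group ISE-NEW
 secondary-authentication-server-group Duo use-primary-username
 default-group-policy client_group
tunnel-group SSL_VPN webvpn-attributes
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 authentication saml
"""


def run_checks(text: str, tg_name: str = "SSL_VPN") -> list:
    """Parse a config text and lint the named tunnel-group."""
    return check_saml_ise_tunnel_group(parse_asa_config(text), tg_name)


if __name__ == "__main__":
    for label, text in (("target", TARGET_CONFIG), ("partial", PARTIAL_CONFIG)):
        print(label, run_checks(text) or "OK")
```

The 'partial' sample reproduces the half-migrated state discussed above: the tunnel-group already hands off to ISE, but because the aaa-server group is not 'authorize-only', ISE would discard the authorization request, and the leftover Duo secondary group would still prompt for a second password. Point `run_checks` at `show running-config` output to get the same findings for a real box.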
