59318 Views · 40 Helpful · 36 Replies

How to use cloud Azure MFA with ASA Vpn and Cisco AnyConnect?

davidbnbf
Level 1

I can find a bunch of documentation on how to install an on premise Azure MFA server however we are already setup for the cloud version of MFA and don't want to migrate on premise with that.  I would like to integrate our Cisco ASA VPNs using Cisco AnyConnect Secure Mobility client to use the cloud based Azure MFA and Microsoft Authenticator.  Is this possible?  Anyone tried this or point me in the right direction on the minimum amount of work to configure this setup?

36 Replies

Steph.Kindel
Level 1

Are you married to using Azure MFA? 

 

I'd look at a solution that can do what you're looking for via hybrid, one of which is DigitalPersona Authentication if you've heard of them. 

I was actually able to get cloud Azure MFA working perfectly with Cisco ASA VPN. It took a little bit, but it's an awesome combination and works in conjunction with our Office 365.

Hi there. Can you share how you did that? Very useful...

We are in the same boat looking for MFA for our Cisco AnyConnect VPN.  We use Office 365 so Azure makes sense.

 

Did you install an MFA server on-prem or were you able to get it to work with the Azure MFA service?

 

The documentation is written in 2015 and says minimum requirements of a Windows 2003 server.  Makes me wonder how legit this is.


@k.dixon wrote:

We are in the same boat looking for MFA for our Cisco AnyConnect VPN.  We use Office 365 so Azure makes sense.

 

Did you install an MFA server on-prem or were you able to get it to work with the Azure MFA service?

 

The documentation is written in 2015 and says minimum requirements of a Windows 2003 server.  Makes me wonder how legit this is.


We are using the cloud version of Azure MFA, NOT on premise. It was literally 15 minutes to set up and get working.

These two documents were all I needed to configure a Windows (NPS) RADIUS server to support Azure MFA. Then you point your VPN profile to the Windows RADIUS server. We used Windows Server 2016 for the NPS server.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

 

Also as a bonus I've included the scripts I wrote to automatically enable and configure MFA for users using SMS TXT option instead of making the users go through the annoying enrollment process.  Hope this helps.

 

THIS SCRIPT SHOULD BE RUN ON ALL NEW USER ACCOUNTS THAT ARE ABLE TO AUTHENTICATE WITH OFFICE365/AZURE RESOURCES

# CONNECT TO MSOLSERVICE
Import-Module MSOnline
Connect-MsolService

# DEFINE VARIABLES
# Pre-register one-way SMS as the user's default second factor so the user
# never sees the interactive enrollment page (SMS needs a mobile number
# already present on the account).
$strongAuthMethod = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$strongAuthMethod.MethodType = "OneWaySMS"
$strongAuthMethod.IsDefault = $true

# Per-user MFA requirement object. As posted, the script only registers the
# method and never applies this object; it is only used if the optional
# -StrongAuthenticationRequirements line below is uncommented.
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled"

# SET SINGLE USER FOR MFA
Set-MsolUser -UserPrincipalName username@domain.com -StrongAuthenticationMethods $strongAuthMethod
# Optional: also enforce per-user MFA on the account
# Set-MsolUser -UserPrincipalName username@domain.com -StrongAuthenticationRequirements @($auth)

----ADDITIONAL SCRIPT THAT WOULD ALLOW TARGETING A GROUP OF USERS----

# SET MFA FOR GROUP - DOES NOT AFFECT USERS IN GROUP THAT ALREADY HAVE MFA CONFIGURED
# Requires $strongAuthMethod from the script above and an active Connect-MsolService session.
# Pick the group interactively, then register SMS only for members with no method yet.
$group = Get-MsolGroup -All | Out-GridView -PassThru
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All
$users = $members | Where-Object { $_.GroupMemberType -eq "User" }
foreach ($user in $users) {
    if ((Get-MsolUser -UserPrincipalName $user.EmailAddress).StrongAuthenticationMethods.Count -eq 0) {
        Set-MsolUser -UserPrincipalName $user.EmailAddress -StrongAuthenticationMethods $strongAuthMethod
    }
}

----ADDITIONAL SCRIPT THAT WOULD ALLOW TARGETING A LIST OF USERS----

# SET MFA FOR LIST OF USERS (one UPN per line in the text file)
Get-Content "C:\support\list.txt" | ForEach-Object { Set-MsolUser -UserPrincipalName $_ -StrongAuthenticationMethods $strongAuthMethod }

Where does this script run and when? What type of file is it? Thanks.


@davidbnbf wrote:

Also as a bonus I've included the scripts I wrote to automatically enable and configure MFA for users using SMS TXT option instead of making the users go through the annoying enrollment process.  Hope this helps.


 

Hi, quick question,

Do you only need it for VPN?

Is there any other MFA being used, such as for workstation access or into Office 365?

So with this setup all users that are MFA enabled can authenticate on a VPN session? Is there a way to filter MFA-enabled users via AD group? As we noticed, as soon as MFA is enabled, users can connect to VPN. Or am I missing something?

 

Thanks,

Hi -

 

I guess my question is: is there a way to configure group-lock for VPN users on the Microsoft RADIUS server when MFA is enabled? Need to assign users to a group policy in ASA depending on their AD group.


@k.dixon wrote:

Hi -

 

I guess my question is: is there a way to configure group-lock for VPN users on the Microsoft RADIUS server when MFA is enabled? Need to assign users to a group policy in ASA depending on their AD group.


Of course you can filter by AD group using the RADIUS server. However, if you want your RADIUS server to use Azure MFA it must be dedicated to Azure MFA, so you will need 2 RADIUS servers if you need some people to not use Azure MFA. Once you enable the NPS extension on the RADIUS server it is enabled for all requests. Not that big of a deal, but important to know.

We have AD groups specifying different vpn filters for access to different things as well as who has access.
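Worked example added here (not posted by anyone in the thread, and not Cisco's or Microsoft's own sample): the ASA side of the setup described above, pointing an AnyConnect tunnel-group at the NPS server that runs the Azure MFA extension, and mapping an AD group to an ASA group-policy through the RADIUS Class attribute that the NPS network policy returns. The server-group name, IP address, group-policy and ACL names, and the shared secret are placeholders.

```text
! ASA configuration fragment (placeholders throughout).
!
! RADIUS server group pointing at the NPS box. The per-host timeout is raised
! well above the ASA default because the Azure MFA round trip (push approval,
! phone call or SMS) takes far longer than a plain password check; with the
! default timeout the ASA retransmits and the second request is rejected.
aaa-server AZURE-MFA-NPS protocol radius
 max-failed-attempts 3
aaa-server AZURE-MFA-NPS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 timeout 60
 authentication-port 1812
 accounting-port 1813
!
! Group policy selected by NPS: the network policy whose condition is the
! AD group "VPN-Staff" returns RADIUS attribute 25 (Class) with the value
! "OU=GP-VPN-STAFF;" and the ASA applies this policy to that session.
group-policy GP-VPN-STAFF internal
group-policy GP-VPN-STAFF attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-VPN-STAFF
!
! Default policy for anyone NPS accepts without returning a Class attribute:
! zero simultaneous logins, so a user outside the mapped AD groups cannot
! establish a tunnel even though their credentials and MFA succeeded.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 authentication-server-group AZURE-MFA-NPS
 default-group-policy GP-NOACCESS
```

On the NPS side the matching network policy uses a "Windows Groups" condition for the AD group and, under Settings > RADIUS Attributes > Standard, a Class attribute whose value is the ASA group-policy name in the form "OU=<name>;" (the trailing semicolon is what the ASA expects). One network policy per AD group gives the per-group group-policy assignment asked about above, and the deny-by-default group policy makes an unmapped user fail closed. As noted in the thread, the NPS extension applies to every request that server handles, so this NPS instance should serve only clients that are meant to get the MFA challenge.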

Do you have a personal or business email I could respond to you on?

Actually try

Stephanie. Kindel at Crossmatch dot com
