How to use cloud Azure MFA with ASA Vpn and Cisco AnyConnect?

davidbnbf
Level 1

I can find a bunch of documentation on how to install an on-premises Azure MFA server, however we are already set up for the cloud version of MFA and don't want to migrate to on-premises for that. I would like to integrate our Cisco ASA VPNs, using the Cisco AnyConnect Secure Mobility client, with the cloud-based Azure MFA and Microsoft Authenticator. Is this possible? Has anyone tried this, or can anyone point me in the right direction on the minimum amount of work needed to configure this setup?

36 Replies

Hi David,

Thanks for the quick response. group-lock works perfectly fine for users who are not MFA-enabled, but for users with MFA it does not seem to work. We need to match an AD group to the corresponding group-policy on the ASA, but no luck with that. We use this link as a reference:

https://supportforums.cisco.com/t5/security-documents/steps-to-configure-group-lock-for-vpn-users-on-microsoft-radius/ta-p/3151643

Thanks for the help.

I have ASA 9.7 and above doing SAML directly to Azure, and have the ASA configured to point to our ISE server for authorization only. I am able to log in with SAML / MFA and assign the user to a group-policy based on their AD group assignment. I would assume you can point to an NPS server for authorization only as well. The authentication port is required to do authorization only.

! RADIUS server group used only for authorization (no password check);
! the tunnel-group authenticates with SAML and consults this group
! afterwards to pick the user's group-policy.
aaa-server ISESAML protocol radius
 authorize-only
aaa-server ISESAML (management) host 1.1.1.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server ISESAML (management) host 10.1.1.2
 key *****
 authentication-port 1812
 accounting-port 1813

@MARK BAKER, I am interested in doing the same setup as you mentioned. Can you provide more details on how to set this up?
What does the ASA-to-Azure config for MFA look like? Where can we get the Azure MFA IPs? What's needed on the Azure side? What does the ISE config look like? Thanks!

Hi,

We are planning to use the cloud-hosted Azure MFA. We are moving our infrastructure from on-premises to the cloud; as of now we have NPS on-premises.

We are going to deploy AnyConnect on an ASAv hosted in the Azure cloud. In this scenario, can we use a new NPS server along with the NPS extension, or can we use the existing NPS server? Which would be the better option?

Could you also let us know whether you used both links or only one of them? If both, could you help us understand which link is for what purpose?

We use ASA on premise and NPS extension and it works great for a year now. I am very interested if you would report back your experience with ASAv in Azure or AWS as we are thinking of doing that next but have not yet.

Thanks for the quick response. So you used the existing NPS, with the NPS extension, to integrate with MFA.

Could you please also confirm whether you deployed the NPS and the extension on-premises or on a cloud-hosted server?

Also, are you using the same NPS for the rest of your other services, i.e. apart from VPN authentication?

We deployed on premise with Azure MFA NPS extensions. Works great.

Hi, quick question,

Do you only need it for VPN?

Is there any other MFA being used, such as for workstation access or for Office 365?

@k.dixon See my post when you can. 


@Steph.Kindel wrote:

Hi, quick question,

Do you only need it for VPN?

Is there any other MFA being used, such as for workstation access or for Office 365?

I consider Office 365 without MFA enabled a completely insecure product. So yes, we do use MFA for Office 365 as well, however we utilize Conditional Access policies so that MFA is only needed on untrusted devices off the corporate network; it is invisible to the users until they are logging in from a high-risk location.

So we use MFA for Office 365 and were using RSA SecurID for VPN with the Cisco ASA. It didn't make sense to use two products and pay thousands for RSA. Azure MFA is free and in my opinion way better than most other products, and it works fantastically for integrating with the Cisco ASA! 0 issues.

You can also use the MFA extension for NPS to act as a local proxy to Azure MFA.

What if you already have on-prem RADIUS servers for your ASAs, but just want to use the MFA portion in the Azure cloud? Is that possible?

Amafsha1,

You can use SAML for authentication and use your on-prem RADIUS servers for authorization. I posted previously showing how to make the on-prem RADIUS servers authorization-only servers when using SAML for authentication.
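Putting the two halves of that approach together, below is an added example ASA configuration (not posted by anyone in this thread) of SAML authentication against Azure AD combined with a RADIUS authorize-only server group that selects the user's group-policy. Everything in it is a placeholder or an assumption: the tenant ID, the vpn.example.com base URL, the trustpoint names, the 192.0.2.10 RADIUS host, the address pool and the group-policy names. It also assumes the RADIUS side (an NPS network policy or an ISE authorization policy, not shown) accepts the authorize-only request and returns the target group-policy in the standard Class attribute as `OU=<group-policy-name>;`, which is the value the ASA maps onto a group-policy.

```cisco
! Added example: ASA SAML authentication to Azure AD + RADIUS authorize-only.
! All names, addresses and the tenant ID below are placeholders.

! IdP signing certificate, downloaded from the Azure enterprise application.
! ASA-SP is assumed to be an existing identity trustpoint (the one already
! used for "ssl trust-point ... outside").
crypto ca trustpoint AzureAD-IdP
 enrollment terminal
crypto ca authenticate AzureAD-IdP
! (paste the Base64 IdP signing certificate here, then type "quit")

! Authorization-only RADIUS group: no real password is verified here; the
! server is only asked which group-policy this already-authenticated user
! belongs to. The authentication port still has to be configured.
aaa-server NPS-AUTHZ protocol radius
 authorize-only
aaa-server NPS-AUTHZ (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! SAML identity provider. Entity ID and URLs come from the Azure enterprise
! application's single sign-on page; <tenant-id> is a placeholder.
webvpn
 enable outside
 tunnel-group-list enable
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AzureAD-IdP
  trustpoint sp ASA-SP
  no force re-authentication
  no signature
  base-url https://vpn.example.com

! Address pool handed out to one of the AD-group-specific policies.
ip local pool POOL-ENG 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Fail closed: a user whose RADIUS reply carries no recognised Class value
! lands in GP-Default, where zero simultaneous logins denies the session.
group-policy GP-Default internal
group-policy GP-Default attributes
 vpn-simultaneous-logins 0

! One group-policy per AD group. For members of the engineering AD group
! the RADIUS server must return Class = "OU=GP-Engineering;".
group-policy GP-Engineering internal
group-policy GP-Engineering attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ENG

! Tunnel-group: SAML does the authentication, NPS-AUTHZ does the
! authorization, and authorization is mandatory so a RADIUS failure
! does not silently fall through to the default policy with access.
tunnel-group AnyConnect-Azure type remote-access
tunnel-group AnyConnect-Azure general-attributes
 authorization-server-group NPS-AUTHZ
 authorization-required
 default-group-policy GP-Default
tunnel-group AnyConnect-Azure webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias Azure enable
```

The per-AD-group mapping lives entirely on the RADIUS server: one policy per AD group, each returning a different `OU=...;` Class value, while the ASA only needs a matching group-policy name. Check the result with `show vpn-sessiondb anyconnect filter name <user>` and confirm the "Group Policy" column shows the expected policy rather than GP-Default; `debug radius` on the ASA shows the Class attribute actually received if a user is being dropped into the default.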

Hi community.

FYI, Azure MFA with NPS ended on 1st July 2019. Existing deployments are being maintained for now, but new customers should go for cloud MFA with SAML.

A new question, please: is it possible to have two different policies? For example, to have multiple group-policies, each authenticated against a different Azure AD group. We're currently using Azure for SSL VPN authentication. We'd like to enable the same for the AnyConnect client, with different group-policies using different AD groups.

Do you know if this is possible?

Cheers!