I can find a bunch of documentation on how to install an on-premises Azure MFA server; however, we are already set up for the cloud version of MFA and don't want to migrate to on-premises for that. I would like to integrate our Cisco ASA VPNs, using the Cisco AnyConnect Secure Mobility Client, to use the cloud-based Azure MFA and Microsoft Authenticator. Is this possible? Has anyone tried this, or can anyone point me in the right direction on the minimum amount of work needed to configure this setup?
Thanks for the quick response. group-lock works perfectly fine for users who are not MFA-enabled, but for users with MFA it seems like it's not working. We need to match the AD group to the corresponding group policy in the ASA, but no luck with that. We use this link as a reference:
Thanks for the help.
I have ASA 9.7 and above doing SAML directly to Azure, and I have the ASA configured to point to our ISE server for authorization only. I am able to log in with SAML / MFA and assign the user to a group-policy based on their AD group assignment. I would assume you can point to an NPS server for authorization only as well. The authentication port is required to do authorization only.
aaa-server ISESAML protocol radius
aaa-server ISESAML (management) host 188.8.131.52
aaa-server ISESAML (management) host 10.1.1.2
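The setup described in this post (SAML authentication to Azure AD, RADIUS authorization only against ISE or NPS, group-policy selected per AD group), written out as an added ASA configuration example; this is not the poster's configuration. The tenant ID, VPN FQDN, trustpoint names, address pool and group-policy names are placeholders, and it assumes the RADIUS server's authorization policy returns the IETF Class attribute as `OU=<group-policy-name>;` for the user's AD group.

```cisco
! Added example, not the poster's config. Placeholders: <TENANT-ID>, vpn.example.com,
! trustpoints, VPN-POOL, GP-* names. ISE host 10.1.1.2 is taken from the post.

! 1. RADIUS server group used for authorization only. No password is verified here,
!    but the ASA still sends its request to the authentication port.
aaa-server ISESAML protocol radius
aaa-server ISESAML (management) host 10.1.1.2
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! 2. Azure AD as SAML identity provider (URLs and IdP cert come from the Azure enterprise app).
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AZURE-AD-SAML-CERT
  trustpoint sp ASA-VPN-CERT
  no signature
  base-url https://vpn.example.com

! 3. Group policies the RADIUS server selects per AD group by returning
!    Class (attribute 25) = "OU=GP-STAFF;" or "OU=GP-ADMINS;".
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-tunnel-protocol ssl-client

! Default policy for anyone the RADIUS server does not map: no logins allowed.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Tunnel group: authenticate with SAML, then authorize via RADIUS.
tunnel-group AC-SAML type remote-access
tunnel-group AC-SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-NOACCESS
 authorization-server-group ISESAML
 authorization-required
tunnel-group AC-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias AzureMFA enable
```

With `authorization-required` set, a user whose SAML login succeeds but who gets no Access-Accept from ISE/NPS is rejected rather than falling into the default policy.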
@MARK BAKER, I'm interested in doing the same setup you mentioned. Can you provide more details on how to set this up?
What does the ASA-to-Azure config for MFA look like? Where can we get the Azure MFA IPs? What's needed on the Azure side? What does the ISE config look like? Thanks!
We are planning to use the cloud-hosted Azure MFA. We are moving our infra from on-premises to the cloud; as of now we have NPS on-premises.
We are going to deploy AnyConnect on an ASAv hosted in the Azure cloud. In this scenario, can we use a new NPS server along with the NPS extension, or can we use the existing NPS server? Which one would be the most suitable solution?
Also, could you please tell us whether you used both links or referred to only one? If both, could you please help us understand which link is for which purpose?
Thanks for the quick response. So you used the existing NPS and the NPS extension to integrate with MFA.
Could you please also confirm whether you deployed the NPS and the extension on-prem or on a cloud-hosted server?
Also, are you using the same NPS for the rest of your services, apart from VPN authentication?
Hi, quick question:
Do you only need it for VPN?
Is any other MFA being used, such as for workstation access or for Office 365?
I consider Office 365 without MFA enabled a completely insecure product. So yes, we do use MFA for Office 365 as well; however, we utilize Conditional Access policies so that MFA is only required on untrusted devices off the corp net, so it is invisible to users until they log in from a high-risk location.
So we use MFA for Office 365 and were using RSA SecurID for VPN with the Cisco ASA. It didn't make sense to use two products and pay thousands for RSA. Azure MFA is free and, in my opinion, way better than most other products, and it works fantastically for integrating with the Cisco ASA! Zero issues.
You can use SAML for authentication and use your on-prem RADIUS servers for authorization. I posted previously showing how to make the on-prem RADIUS servers authorization-only servers when using SAML for authentication.
FYI, Azure MFA with NPS ended on 1st July 2019. Existing ones are being maintained for now, but new customers should go for cloud MFA with SAML.
A new question, please: is it possible to have 2 different policies? For example, to have multiple group policies, each authenticated against a different Azure AD group. We're currently using Azure for SSL VPN authentication. We'd like to enable the same for the AnyConnect client with different group-policies using different AD groups.
Do you know if this is possible?