Integrating Cisco AnyConnect to the Cisco ISE

SandeepNaga
Level 1

I would like to know the possibilities of integrating Cisco AnyConnect with Cisco ISE and recommendations for configurations. I would also like to know of any cons and challenges. It would be great if I could get the details of the step-by-step integration. Thank you in advance.

14 Replies

@SandeepNaga here are some videos that might help too

https://www.youtube.com/watch?v=UjCqI-WUzWA

https://www.youtube.com/watch?v=L5UgP-jw0es

From an ISE perspective the configuration is the same whether the VPN headend is an ASA or FTD.

SandeepNaga
Level 1

That's very helpful. Thank you Rob. 

I would also like to know of any challenges when using RADIUS as authentication. I just wanted to know, to be on the safer side, in case of any known issues. Thank you.

Your help is much appreciated. Thank you.

@SandeepNaga the most secure Remote Access VPN authentication is using Two Factor authentication. One factor can be RADIUS (ISE) which can authenticate the users against AD and the second factor using either certificate or MFA (i.e., Cisco DUO).

SandeepNaga
Level 1

@Rob Ingram Thank you very much Rob. 

SandeepNaga
Level 1

Any configuration article or video for enabling the suggested two-factor authentication?

Hello @Rob Ingram, hope you are doing well.

After we integrate Cisco AnyConnect with ISE, I am using certificate and Azure AD as authentication. Can we add the Microsoft Authenticator as MFA? If so, can you help me with the detailed configuration to achieve it? Thank you.

@SandeepNaga You configure Azure AD integration on the FTD (via FMC), so the client authenticates using a certificate to the FTD and then the FTD authenticates to Azure AD via SAML: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221659-configure-ravpn-with-saml-authentication.html

If you want to integrate into ISE, you can set up authorise-only to the ISE servers.

MFA as Microsoft Authenticator? 

@SandeepNaga MFA = Multi Factor Authentication.

Hello Rob, yes, MFA is multi-factor authentication. I mean we wanted to add Microsoft Authenticator as an MFA for the AnyConnect VPN that was integrated with Cisco ISE (along with the current authentication, which is with certificate, and Azure AD is configured in Cisco ISE).

@SandeepNaga no, I don't think you can use Microsoft Authenticator for AnyConnect VPN. I see no guides or information indicating that this is possible.

SandeepNaga
Level 1

Thank you @Rob Ingram and Kudos to your expertise.