issues with anyconnect integration with on-prem Windows MFA

nareh84
Level 3

Hi,

I have successfully integrated with on-prem Windows MFA, but when my mobile is in power save mode, I get a notification on my mobile; after I enter my mobile PIN, I don't see any push notification, and after some time I see the message on AnyConnect "connection attempt failed. please try again later". After this message I can see the push notification on my mobile, but it's too late to approve.

When the mobile is not in power save mode, all is good: I can see the push notification and, once approved, my AnyConnect VPN connects without any issue.

ASA version: 9.6(4)30

AnyConnect version: 4.7.00136

I have integrated with Windows MFA using the following link:

https://community.cisco.com/t5/security-documents/multi-factor-authentication-with-ise-pdf/ta-p/3651422?attachment-id=131461

5 Replies

Francesco Molino
VIP Alumni
Hi

Have you tried increasing the RADIUS timeout in your ASA config to give you more time while unlocking your phone and approving the push?

Once you unlocked your phone, did you go into your notifications to see if the push notification is there? Maybe you can also configure your notifications to stay on your lock screen so you can tap on it, unlock your phone and it will bring you into the app right away. This is the way it works with iPhone and Android using Duo or any other MFA service. Never used Windows MFA, sorry, I don't know how the app works.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
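As an added illustration of the timeout suggestion above (this is not configuration from the thread), here is the ASA `aaa-server` host timeout at its default of 10 seconds next to a version raised to 60 seconds, the most the ISE side allows according to a later reply in this thread. The server tag, interface name, address, shared secret and tunnel-group name are placeholders.

```text
! Before (ASA default): the ASA waits only 10 s for ISE to answer the
! Access-Request. A push that reaches a phone in power save mode after
! that is useless; AnyConnect has already shown "connection attempt failed".
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 10

! After: give the user up to 60 s to unlock the phone and approve the push.
! The end-to-end window is bounded by the shortest hop in the chain
! (AnyConnect -> ASA -> ISE -> MFA server). ISE cannot be set above 60 s,
! so a larger value here would not extend the usable window.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 60

! The tunnel group that AnyConnect users land in must point at that server group.
tunnel-group ANYCONNECT-MFA general-attributes
 authentication-server-group ISE-RADIUS
```

Check with `show aaa-server ISE-RADIUS` that the new timeout is in effect before testing again from a phone in power save mode.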

Hi,

I can't change the timeout on ISE (max is 60), which is integrated with MFA. I changed the time on the ASA (pointing to ISE), but the result is the same.

When there is a notification, I can see it on my lock screen and can open the authenticator app, but nothing is there (no push notification), and then I have to wait till the connection times out and try a new connection again while my app is already open; after that I am able to see the push notification.

 

 

So the issue is more related to your Microsoft app.
Is it the Microsoft Authenticator app you're using?
There's an option in the menu called check notifications; have you looked at it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Thanks for the reply.

Yes, it's the Microsoft app; when I select recheck authentication, it shows the push notification.

Currently ISE is working on a demo license and integrated with Windows MFA. AnyConnect is using ISE for RADIUS authentication and, once successfully authenticated, it applies a DACL to the user connection.

I am not sure what license (per device or per concurrent AnyConnect user connection) is required for ISE to keep authenticating AnyConnect users after the eval license expiry. Do I need the Base license only?

For AnyConnect VPN only, you can buy VPN-only licenses (lifetime licenses) or Plus licenses (renewal licenses).
With Plus licenses you have more features and not only VPN (check the AnyConnect ordering guide document on the Cisco website).
Even though Plus are renewal licenses, they are cheaper than VPN-only lifetime licenses. If I recall (you can make the calculation yourself by checking the prices), depending on the number of licenses you purchase, it takes several years (based on a last calculation I made for a customer) to reach the price of lifetime licenses.

I would recommend going with plus licenses.
Licenses are on per user basis.

Anyconnect ordering guide: https://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question