MFA for ASA using Azure with SAML - what should I put in identifier and reply URL?

dzevel518380
Level 1

Hi all,

I struggle to find information on how to configure Cisco ASA with Azure MFA. To be more precise, there are only two pieces that I am missing.

What should I put in the Identifier and Reply URL? I thought it was the existing / new tunnel-group from the ASA, but I guess it's a URL that I need to provide.

Can someone clarify it for me?

Let's say the new tunnel-group on the ASA will be called "anyconnect-tg" and the hostname of the firewall is "myasa5500.com".


Thanks in advance.


19 Replies

Sorry, I couldn't take the output
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
 banner none
 wins-server none
 dns-server value 10.50.0.10 10.50.0.11
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol ssl-client ssl-clientless
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value mywebsite.com
 split-dns value mywebsite.com myweb mywebsite.com
 split-tunnel-all-dns disable
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 client-bypass-protocol disable
 gateway-fqdn none
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 msie-proxy lockdown enable
 vlan none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 scep-forwarding-url none
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage none
  html-content-filter none
  port-forward disable 
  http-proxy disable
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect firewall-rule client-interface private none
  anyconnect firewall-rule client-interface public none
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression none
  anyconnect dtls compression none
  anyconnect modules none
  anyconnect profiles none
  anyconnect ask none
  customization none
  keep-alive-ignore 4
  http-comp gzip
  download-max-size 2147483647
  upload-max-size 2147483647
  post-max-size 2147483647
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  smart-tunnel auto-signon disable
  anyconnect ssl df-bit-ignore disable
  anyconnect routing-filtering-ignore disable
  smart-tunnel tunnel-policy tunnelall
  always-on-vpn profile-setting

Any ideas?

In your tunnel-group general attributes you have:

tunnel-group anyconnect general-attributes
<snip>
 authentication-server-group LOCAL

but the webvpn attributes have:

tunnel-group anyconnect webvpn-attributes
<snip>
 authentication saml

Why are they different? The LOCAL one shouldn't be needed at all.

Before the change it was LDAP LOCAL.

Once I removed LDAP, I only have LOCAL left, which I cannot remove.

How should it be configured if I want SAML for authentication but LDAP to indicate the group-policy? Is this even possible?

It should be possible to have authentication-server be saml and authorization-server be LDAP (AD).

Something like what's described here:

https://packetswitch.co.uk/cisco-anyconnect-with-azure-ad/

The example talks about MFA but that's just an attribute of the SAML authentication in their case.
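As an added example (not code posted by anyone in this thread), a small Python audit that parses an ASA running-config in the shape shown above and reports the two points the replies raise: an `authentication-server-group` left in the general-attributes of a tunnel-group whose webvpn-attributes use `authentication saml`, and a missing `authorization-server-group` where LDAP is supposed to select the group-policy. The sample config, the tenant placeholder, and the command names not quoted in the thread (`authorization-server-group`, `saml identity-provider`) are assumptions drawn from standard ASA syntax, not from the posts.

```python
import re
from typing import Dict, List

# Constructed sample (not from the thread): SAML in webvpn-attributes, LOCAL still in general-attributes.
SAMPLE_CONFIG = """\
tunnel-group anyconnect-tg type remote-access
tunnel-group anyconnect-tg general-attributes
 authentication-server-group LOCAL
 default-group-policy ANYCONNECT-POLICY
tunnel-group anyconnect-tg webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
"""

HEADER = re.compile(r"^tunnel-group (\S+) (general-attributes|webvpn-attributes)$")

def parse_tunnel_groups(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Map tunnel-group name -> section -> its indented lines (whitespace stripped)."""
    groups: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            current = groups.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command ends the section
    return groups

def audit_saml_tunnel_group(name: str, sections: Dict[str, List[str]]) -> List[str]:
    """Flag the mismatches discussed in the thread for one SAML tunnel-group."""
    general = sections.get("general-attributes", [])
    webvpn = sections.get("webvpn-attributes", [])
    findings: List[str] = []
    if "authentication saml" not in webvpn:
        return findings  # not a SAML tunnel-group, nothing to check
    if not any(ln.startswith("saml identity-provider ") for ln in webvpn):
        findings.append(f"{name}: 'authentication saml' set but no 'saml identity-provider' bound")
    for ln in general:
        if ln.startswith("authentication-server-group "):
            findings.append(f"{name}: '{ln}' in general-attributes is not needed with SAML authentication")
    if not any(ln.startswith("authorization-server-group ") for ln in general):
        findings.append(f"{name}: no 'authorization-server-group' set; needed if LDAP should select the group-policy")
    return findings

def audit(config: str) -> List[str]:
    """Run the check over every tunnel-group in a running-config."""
    return [f for name, s in parse_tunnel_groups(config).items() for f in audit_saml_tunnel_group(name, s)]
```

Paste the output of `show running-config tunnel-group` in place of the constructed sample; tunnel-groups without `authentication saml` are skipped.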