Primary and secondary authentication questions for AnyConnect for FTD

ABaker94985
Spotlight

We're replacing our old ASA firewall that was running SSO for Azure SAML and also MFA with Azure. This will be a standalone FTD managed by FDM. The document here states that SSO using SAML 2.0 is unsupported for AnyConnect. It appears LDAP is supported for primary authentication, but I don't see in the configuration where you can specify users in an AD group, e.g. VPN_USERS, and only permit those in the group to access the client VPN. Is this possible? 

 

I've set up secondary authentication using Duo, and I know that works well for using one of the authenticators or sending out a text code. However, the company wants to use RADIUS for secondary authentication, which is tied to AD. It appears that if we use this, they will have to enter credentials a second time. Is there a way to use a RADIUS server this way for only MFA?

 

Thank you.

1 Reply

Marvin Rhoads
Hall of Fame

You can use LDAP with an attribute-map for authorization as a means of restricting VPN access to users in a certain AD group. If you are running 6.6, the attribute-map requires FlexConfig. In Firepower 7.0 it's supported directly in the GUI and works quite well.

I'm confused: if the company already has Azure AD with Microsoft's MFA solution (Authenticator), why do they want to add RADIUS? That would seem to be three-factor authentication.
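As an added illustration of the attribute-map approach described in the reply above (this is example configuration written for this page, not something posted by either participant or taken from Cisco documentation), the fragment below is the ASA-style CLI that a FlexConfig object would push to a 6.6 FTD. The group name VPN_USERS comes from the question; the realm/aaa-server name AD_LDAP, the server address, the DNs, the group-policy names and the connection-profile name RA_VPN are all assumptions to be replaced with your own values.

```cisco
! Added example, not from the original thread. Restricts AnyConnect logins to members of the
! AD group VPN_USERS by mapping the LDAP memberOf attribute onto the Group-Policy attribute.
! Assumed names: aaa-server/realm AD_LDAP, LDAP host 10.0.0.10, directory DC=example,DC=com,
! group-policies VPN_ALLOW and NOACCESS, connection profile RA_VPN.

! 1. Map memberOf to Group-Policy. A user whose memberOf contains the VPN_USERS DN is
!    assigned VPN_ALLOW; anyone else falls through to the connection profile's default policy.
ldap attribute-map AD_GROUP_MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN_USERS,OU=Groups,DC=example,DC=com" VPN_ALLOW

! 2. Attach the map to the LDAP server. On FTD 6.6 this is the line FlexConfig has to add:
!    FDM builds the aaa-server from the realm but exposes no field for the attribute-map.
aaa-server AD_LDAP host 10.0.0.10
 ldap-attribute-map AD_GROUP_MAP

! 3. The default policy allows zero simultaneous sessions, so a user who authenticates but is
!    not in VPN_USERS is denied at authorization; the mapped policy permits the connection.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
group-policy VPN_ALLOW internal
group-policy VPN_ALLOW attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

! 4. Make NOACCESS the default for the connection profile that uses AD_LDAP for authentication.
tunnel-group RA_VPN general-attributes
 authentication-server-group AD_LDAP
 default-group-policy NOACCESS
```

Two things to check when testing: memberOf is multi-valued, so a user in several mapped groups gets the first map-value that matches, and the deny path relies on the default-group-policy being the zero-login policy; if the connection profile still defaults to a permissive policy, every authenticated AD user will connect regardless of group membership. Verify with an account that is not in VPN_USERS, which should authenticate successfully at the LDAP server but be refused a session by the FTD.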