
SAML Authentication Configuration on FTD managed via FMC

pavan2
Level 1

Dear community,

We are planning to integrate FTD AnyConnect with Azure MFA. Are there any prerequisites in terms of the FTD version and AnyConnect version that we should upgrade to before integrating AnyConnect with Azure MFA? Also, are there any other resources available on the forum in addition to the document below?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216268-configure-anyconnect-with-saml-authentic.html?referring_site=RE&pos=2&page=https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configur...

7 Replies

Hi @pavan2 

SAML was only introduced in version 6.7, so you'll need to be running FMC and FTD on version 6.7. Follow that guide you referenced and you should be fine. Use AnyConnect version 4.9.

This video may provide additional help; it describes how to set up FTD using Azure SAML.

https://www.youtube.com/watch?v=wgttyx7UFMI

This demo video (~20 mins) goes through what's required to set up FMC/FTD 6.7.0-65 AnyConnect integration with Azure SAML. You must have a Microsoft Azure account to do the integration.

Thanks so much for your insights on this Rob!

pavan2
Level 1

Thank you Rob!

Not sure if my below query is valid.

Is there any difference between AnyConnect VPN with Azure MFA and AnyConnect VPN with SAML? Is there any difference between Azure MFA and Azure SAML?

Azure MFA is a feature added on to Azure authentications.

Your FTD will authenticate users with Azure using SAML. If your Azure-authenticated users have MFA set up, that will happen in the background as part of their Azure authentication and the FTD doesn't see that part at all.

The same idea applies if you are using NPS on premises with the Azure MFA connector. FTD talks to NPS (as a RADIUS server) and NPS handles all of the MFA bits with Azure in the backend.

@pavan2 

I've never used Azure, but I think they are different. SAML is used to exchange the authentication information between the FTD and Azure. And MFA is the two-factor authentication, something you have (e.g. a phone) and something you know (e.g. password).

pavan2
Level 1

Thank you Rob

Does integrating with MFA as well have any prerequisites with the version of the FTD and AnyConnect code?

It's the SAML that requires a specific version of FTD, version 6.7, not the MFA, as it's SAML that is doing the communication between the FTD and Azure.