
Separate Azure MFA policies for SSL VPN and AnyConnect

philip moore

Dear Community

We are currently using Azure Cloud MFA (without NPS) to authenticate clients for SSL VPN. It's working great, and much better than paying for & maintaining RSA SecurID (token, oda, RSA-AA). Would highly recommend it for any current O365 customer as it is essentially free, included with your MS subscription.

We would like to enable the same service to replace AnyConnect authentication. This service is currently using RADIUS with RSA tokens, with various group policies configured on the ASA for different sets of customers. The AnyConnect group policy and SSL VPN are on the same ASA cluster.

Question: is it possible to have separate policies for SSL VPN and AnyConnect clients? The idea would be to have different groups of users defined on Azure AD as follows:

- AD Group A for SSL VPN

- AD Group B for AnyConnect client tunnel group X

- AD Group C for AnyConnect client tunnel group Y

Is it possible to achieve this separation?

I got confused as you can only define a single SAML IDP under webvpn.

Has anyone tried something similar, and could you share tips on how to configure it?



