VPN - ISE Authentication Policy - Azure SAML

Matthew Martin
Level 5

Hello All,

Components Used: Cisco FMC + FTD 1120, Cisco ISE, Azure SAML/SSO

We're moving from ASA + ISE + Duo 2FA to Azure SSO authentication. But we still want to use ISE as the Authorization and Accounting server, as well as for posture assessment.

Now, I've gotten the FTD and Azure pieces configured. When I use AnyConnect and connect to the VPN I get prompted for my Microsoft creds and I am able to successfully connect. On ISE however, it shows as authentication failed, which I'm sure is because the VPN Authentication policy still points to our internal Active Directory server.

This FTD/FMC setup is for a secondary location. We will eventually be moving all ASAs to FTD devices. So, my question is, do I need to create a 2nd Authentication policy, one that doesn't point at our internal AD servers? If so, what do I choose here?

I'm confused about what to do here since technically the Authentication is being done by Azure/Microsoft.


ISE: [screenshot]

FMC: [screenshot]

Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt

2 Replies

JP Miranda Z
Cisco Employee

Hi Matthew Martin,

Check this nice doc from Michael Lorincz out:

https://www.lookingpoint.com/blog/ra-vpn-on-ftd-with-aad-duo-authc-and-ise-authz

That guide seems to describe pretty much the same implementation you are trying to do.

Hope this helps!

-JP- 

Hey JP, thanks for the reply, and sorry for the delay.

I'll check out that link and reply back. Thanks again!

-Matt