Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1940
Views
15
Helpful
6
Replies

Cisco AnyConnect - M365 authentication possibilities

Go to solution
Amen
Level 1
Level 1

‎05-16-2022 08:28 AM

Would like to request information on the integration possibilities of AnyConnect with Microsoft 365 user authentication.

So far it looks like it is possible via SAML, just want to make sure we're not missing anything.

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
ahollifield
VIP
VIP

‎05-16-2022 09:04 AM

AnyConnect NAM client 802.1X authentication to ISE?  AnyConnect VPN to ASA/FTD?  AzureAD/ADFS?  

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2022 08:49 AM

The AnyConnect VPN client can authenticate to Azure AD via SAML. You can also incorporate Microsoft Authenticator MFA in this scenario.

You can also run a hybrid solution using Microsoft NPS on premises with the Azure plug-in and use Microsoft MFA that way.

Thirdly you could use Duo SSO integrated with Azure AD.

Go to solution
Amen
Level 1
Level 1
In response to Marvin Rhoads

‎05-18-2022 01:02 AM

I'm also just learning about the M365/AzureAD (AAD) capabilities, but hopefully, we will find something together.

 

In our PoC environment, we have proven that AnyConnect with the external browser could authenticate straight away against AAD using SAML, but this is where the next challenge comes: if at all possible, we would like to use a single sign-on experience on the AzureAD joined devices, namely we would like skip the re-authentication (username+password) of the user and just prompt for multi-factor authentication before the user would be allowed to bring up the VPN.

 

Cisco provides the AnyConnect app in AzureAD, I wonder if there is any associated documentation on the topic, particularly on the SSO side.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Amen

‎05-18-2022 11:57 AM

Form memory, when you configure the SAML iDP from FMC there is an option to check the box to not require reauthentication. HAve you tried that?

Go to solution
Amen
Level 1
Level 1
In response to Marvin Rhoads

‎05-20-2022 12:22 AM

From SAML authentication's perspective Azure AD is an Identity Provider (IdP), just like ADFS, DUO, etc.

 

What we want to do is the best possible integration between AnyConnect and Azure AD, where the user can establish the VPN connection with the least amount of interactions, still with the best security.

 

We're trying to achieve that AnyConnect authenticates the user based on the Windows session against AzureAD (so there's no new username and password requested after the user logged in Windows) and gets connected after a single MFA approval.

 

MFA is still requested to make sure that if someone tries to connect from a stolen laptop even with a leaked username/password, connection to corporate resources would not be possible.

 

any Ideas?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents