AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?

CloudViking86
Here to help


Hello,

 

I know that you can use RADIUS authentication and install the NPS add-on for Azure MFA to get MFA; however, I am wondering if this is also possible when using SAML authentication to AzureAD and then scoping the Cisco AnyConnect Enterprise App in a Conditional Access policy (which requires MFA)?

I've tried getting it to work, i.e.:
* Created a policy that scopes both my user and the Cisco AnyConnect enterprise application
  * The policy has: Grant: Require multi-factor authentication

 

When I check the "Insights & Reporting"-log and filter for that policy and the Cisco AnyConnect enterprise app I can see that the policy applies to my user (I can see my sign-in attempt) but my user is in the "Not applied"-category.

 

I tried creating a dedicated conditional access policy for AnyConnect (since the one I mentioned before has an additional parameter - session control) and with the dedicated policy my user was in the "Success" category.

Now I might be tired but I was expecting my user to be in the "User action required"-category (see below) since if the policy was enabled (it's currently in "report only"-mode) I would have needed to authenticate using my AzureMFA.

 

Conditional Access:
Success: Number of users where the selected polic(ies) granted access and the required controls were satisfied
Failure: Number of users where the selected polic(ies) denied access and the required controls were not satisfied
User action required: Number of users where the selected report-only policy applied but user action (e.g. MFA or Terms of Use) would be required if the policy were enabled.
Not applied: Number of users that are bypassing the selected polic(ies) because the sign-in did not match at least one of the assignments or conditions.

 

Now, have I completely misunderstood "Require multi-factor authentication"?
Does it actually prompt for MFA, or does it simply require that the user has MFA set up / is enrolled in MFA?
If it's the former then I don't understand how my login can be "Success", since it should have been "User action required", unless it works like this:
Having Azure MFA on various services, I might already, within some magic hidden timeframe, have satisfied that requirement, i.e. I have authenticated with another service which requires Azure MFA.
If it is the latter then I get that my login is a "Success" since my account is enrolled in MFA.

 

Microsoft's documentation about the "grant" - "Require multi-factor authentication":
Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs

Sorry for the long post!

Best Regards - Karl, Sweden

PhilipDAth
Kind of a big deal

This does work.  I have done and used it.

 

Personally, I think Azure Conditional Access is a pig when you have more than a handful of policies.  It is difficult to see how policies overlap, and I have personally introduced security weaknesses when using Conditional Access by failing to think about how groups of policies interact with each other.  It is easy to focus on the one new policy you are trying to create or edit, and forget how it changes the operation of existing policies.

 

Personally, I use Cisco Duo for most customers now.  I consider it more secure because it is less prone to security vulnerabilities caused by inadvertent human error.

 

 

"Require multi-factor authentication" requires an MFA prompt if you are outside any session limit configured in any other policy that is applied to the user.  For example, if you have a session limit configured for 60 minutes, and the user logged into Office 365 10 minutes ago, they will not get an MFA prompt for AnyConnect (or any other SAML application).

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-... 

 

I think the session limit has a minimum configured limit of 60 minutes that you can not reduce.  I could be wrong on this one.

 

I think it is impossible to force Azure to do an MFA prompt without any other strings attached using SAML.

 

I have had customers with Azure Conditional Access say they want an MFA prompt on every VPN login when using SAML - and I keep telling them this is not possible.  It's an Azure AD restriction.  If they want that they need to use another solution like Cisco Duo.

 

 

And the kicker is - Cisco Duo MFA is cheaper than Azure AD Premium 1.

 

Once you use something like Cisco Duo, you never want to go back to conditional access.  It's yucky.

Thank you (once again) for a helpful reply.

 

I really don't understand why my user seems to fulfill the MFA-requirement, checking the Conditional Access Sign-In Logs and searching for the correlation ID which I got when looking into my "Success"-event;

 

 

Activity Details: Sign-ins > Basic Info
Additional Details: MFA requirement satisfied by claim in the token

Activity Details: Sign-ins > Conditional Access
Policy Name: Not applicable

Activity Details: Sign-ins > Report Only
Enforce MFA (Cisco AnyConnect)
Require multi-factor authentication
Session Control: <blank>
Report-only: Success

 

 

So I get that if I had a session control on that conditional access policy it could have been satisfied when logging into other O365 services, but in this case that isn't configured and no other conditional access policies are applied. Azure MFA is also included in our users' licenses, so we don't pay anything extra to use Azure MFA since the users have a license that covers that for other infrastructure needs (Intune etc.).

 

Weird.

 

The thing is that we basically don't want another MFA-service.
It makes it harder for the end-users to use another app than Microsoft Authenticator, and it's another thing to administer.

 

We could go the NPS-route and install the AzureMFA-addon but that would introduce the following problems:
* The AzureMFA NPS-addon forces ALL RADIUS-clients to use MFA

* RADIUS-servers are shared between IPSec-VPN and AnyConnect VPN meaning that I can't route AnyConnect to specific NPS / RADIUS-servers
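Philip's explanation above and the "MFA requirement satisfied by claim in the token" line in the sign-in log both come down to what the identity provider already recorded in a token it issued earlier in the session. The following Python is an added example, not code from the thread, from Microsoft or from Cisco: it decodes a constructed, unsigned JWT-style token and reports under which conditions a "Require multi-factor authentication" grant would count as already satisfied rather than prompting. The claim names `amr` (containing "mfa") and `auth_time`, the placeholder `aud` value, and the sign-in-frequency window logic are assumptions used to illustrate the behaviour, not a statement of Azure AD internals.

```python
import base64
import json
import time

# Constructed sample claims (assumption: the identity provider issues an 'amr'
# claim that contains "mfa" when multi-factor authentication was performed, and
# an 'auth_time' claim with the epoch time of that authentication).  The token
# built here is unsigned and is used only to inspect claims.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned compact JWT (header.payload.signature) from claims."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it.

    This reads sign-in evidence for troubleshooting only; a relying party must
    verify signature, issuer and audience before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def mfa_status(claims: dict, sign_in_frequency_min, now: int) -> dict:
    """Explain whether a 'Require MFA' grant is satisfied by an existing token.

    sign_in_frequency_min: the session-control window in minutes, or None when
    the policy has no session control (as with the dedicated policy above).
    """
    mfa_in_token = "mfa" in claims.get("amr", [])
    auth_time = claims.get("auth_time")
    age_min = None if auth_time is None else (now - auth_time) / 60

    if not mfa_in_token:
        verdict = "prompt expected: no MFA claim in token"
    elif sign_in_frequency_min is None:
        verdict = "satisfied by claim in the token (no session control)"
    elif age_min is not None and age_min <= sign_in_frequency_min:
        verdict = "satisfied by claim in the token (within sign-in frequency)"
    else:
        verdict = "prompt expected: MFA claim older than sign-in frequency"
    return {"mfa_in_token": mfa_in_token, "auth_age_min": age_min, "verdict": verdict}


def demo() -> dict:
    """Run the three scenarios discussed in the thread against one sample token."""
    now = int(time.time())
    claims = {
        "aud": "ANYCONNECT-APP-ID-PLACEHOLDER",  # constructed placeholder
        "amr": ["pwd", "mfa"],                   # password + MFA performed
        "auth_time": now - 10 * 60,              # authenticated 10 minutes ago
    }
    decoded = token_claims(make_sample_token(claims))
    return {
        "no_session_control": mfa_status(decoded, None, now)["verdict"],
        "window_60_min": mfa_status(decoded, 60, now)["verdict"],
        "window_5_min": mfa_status(decoded, 5, now)["verdict"],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The first two scenarios reproduce what the report-only log showed: with an MFA claim already in the token and either no session control or a window the claim still falls inside, the grant reports success without a prompt. Only the third scenario, a sign-in frequency shorter than the claim's age, would produce "User action required".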

david35957
Conversationalist

I agree with Philip. We use Duo Mobile (the first ten users are free). We pay 3.00 a user monthly, and they use the built-in Windows 10 client. You can have it authenticate against your AD and use MFA. Duo has multiple group policies you can set up. I like Duo for the log report: when a user says "I cannot get on the VPN", I go to the Duo log and see they never accepted the Duo push.

Thanks for your reply.

As I wrote in a reply to Philip, we already have Azure MFA included and don't pay any additional cost to use it, and it makes administration easier and is easier for the end-user.

Thanks for the suggestion though!

Note that Azure MFA is included with all plans, but Conditional Access is not.  If you are not paying for a plan with Conditional Access then it may be that the policies are being ignored.

 

This link shows the licence requirements to be able to use Conditional Access.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview#license-requirem... 

 

Colin3
Conversationalist

Hi @PhilipDAth and All,

 

I want to setup VPN C2S with Meraki MX, SAML Azure and Duo MFA, is there any document that guides how to setup MFA Duo?

 

And we will leverage authentication of users against Azure AD, and once users log in, it will prompt Duo for MFA.

Is the Azure AD Free edition that comes with M365 Basic supported?

My understanding is correct?

Thanks in advance.

PhilipDAth
Kind of a big deal

Colin3
Conversationalist

Great, thank you.
