Anyconnect auth against ISE with Azure MFA

Osberg

Hi all,

 

So today we have a Cisco ASA solution running that is EOL and now we need to migrate to our new Meraki Anyconnect solution. 

 

Today on our ASA solution we are running RADIUS against ISE, which connects to Azure MFA so you get the 2-factor to run, and that works perfectly; ISE has some prebuilt function (Cisco-VPN3000/ASA features), but now comes the issue for me.

 

So I can make a policy in ISE that allows my users to log in with user auth, without MFA, but that is not enough, so how do I create a policy that triggers this condition for my MFA? The condition for Cisco-VPN3000 is not working for Meraki, so what have people done here to get this to work?

 

Looking forward to hearing what people have done here to get 2-factor to work through ISE with MFA.

 

Frank

Frank Osberg | Domain Architect @ Solar A/S
LinkedIn - Twitter
Found this helpful? Give me some Kudos! Much Thanks
alemabrahao

Maybe it can help you:

 

https://community.cisco.com/t5/security-knowledge-base/notes-on-azure-ad-as-saml-idp/ta-p/3644255

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Osberg

Thanks for the links, but not really what I am looking for here.

 

It might be that I need to redo something here to get MFA for Azure to work.

 

The flow today is the following:

 

ASA - Cisco ISE - Azure MFA

- The RADIUS request is sent to my Cisco ISE, which hands the request to our Azure MFA setup.

The condition here in ISE and my policy looks like this: 

[image: Osberg_0-1663762281421.png, screenshot of the ISE policy condition]

Here I use the Cisco-VPN3000/ASA/PIX7x-Tunnel-Group that the ASA sends to ISE to trigger the Azure MFA function, but what is Meraki sending?

 

I need to trigger the same function inside ISE here, but what is Meraki using here?

 

So it might be more the ISE condition I need help with, because Meraki is very simple here on what you can set up in the dashboard. 🙂

 

So I am hoping somebody else has set up AnyConnect with ISE and some MFA. 😄

 

Frank

PhilipDAth (accepted solution)

Unless you are using ISE for other things - you probably don't need it.

 

Most people SAML authenticate directly against things like Azure AD (you can SAML authenticate against other MFA providers).
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

Osberg

Hi Philip,

 

Yeah, I use ISE for a lot of things, but looking more into SAML it might be an idea to use Azure AD... What options does this give you here? Can you utilize all the features that there are in Azure AD like posturing, compliance check, etc.?

GIdenJoe

Hmm, the tunnel-group thing is a specific configuration construct in ASA appliances.

You use that construct in an ASA to differentiate between authentication methods/aaa servers.

 

I don't think you can use this distinction on Meraki, since you can only select 1 authentication method, so you will have to change up your matching criteria.

The more difficult thing is to have a distinction between internal employees and external contractors.  You'll need to have them inside your AD domain under a specific group.
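As an added example (not from this thread, Cisco or Meraki), a small decoder for a RADIUS Access-Request that shows which fields an ISE-style policy condition can key on: the ASA-specific Tunnel-Group vendor attribute discussed above versus the generic NAS-IP-Address / NAS-Identifier that every RADIUS client sends (and that ISE exposes through its network-device attributes). The vendor and attribute numbers (3076 / 146) are taken from the FreeRADIUS cisco.vpn3000 dictionary, and both packets are constructed here, not captures from an ASA or an MX.

```python
import struct
import socket

# Standard RADIUS attribute types (RFC 2865).
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 4, 26, 32
# Cisco VPN3000/ASA dictionary numbers as shipped with FreeRADIUS (assumption for
# this example; check the dictionary your ISE deployment actually uses).
CISCO_VPN3000_VENDOR, TUNNEL_GROUP_NAME = 3076, 146

def attr(atype, value):
    """Encode one type-length-value RADIUS attribute."""
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute wrapping a single vendor sub-attribute."""
    sub = bytes([vtype, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack(">I", vendor) + sub)

def access_request(attrs):
    """Wrap attributes in an Access-Request header (code 1, id 0, zero authenticator)."""
    body = b"".join(attrs)
    return struct.pack(">BBH", 1, 0, 20 + len(body)) + b"\x00" * 16 + body

def policy_keys(packet):
    """Extract the fields a policy condition could match on; None when absent."""
    keys = {"user": None, "nas_ip": None, "nas_id": None, "tunnel_group": None}
    code, _, length = struct.unpack(">BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    i = 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute at offset %d" % i)
        value = packet[i + 2:i + alen]
        if atype == USER_NAME:
            keys["user"] = value.decode()
        elif atype == NAS_IP_ADDRESS:
            keys["nas_ip"] = socket.inet_ntoa(value)
        elif atype == NAS_IDENTIFIER:
            keys["nas_id"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack(">I", value[:4])[0], value[4], value[5]
            if vendor == CISCO_VPN3000_VENDOR and vtype == TUNNEL_GROUP_NAME:
                keys["tunnel_group"] = value[6:4 + vlen].decode()
        i += alen
    return keys

# Constructed samples: an ASA-style request carrying the tunnel-group VSA, and a
# request from a NAS that sends only the generic NAS-IP-Address / NAS-Identifier.
ASA_STYLE = access_request([attr(USER_NAME, b"frank"),
                            attr(NAS_IP_ADDRESS, socket.inet_aton("10.0.0.1")),
                            vsa(CISCO_VPN3000_VENDOR, TUNNEL_GROUP_NAME, b"CORP-VPN")])
NO_VSA_STYLE = access_request([attr(USER_NAME, b"frank"),
                               attr(NAS_IP_ADDRESS, socket.inet_aton("10.0.0.5")),
                               attr(NAS_IDENTIFIER, b"mx-vpn")])
```

A condition written against the tunnel-group attribute never matches the second packet, so the policy has to key on the network device (NAS-IP-Address or NAS-Identifier) instead.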
