Authenticate w/ Azure AD (MFA) but Authorize with ISE w/ different AD

DannyDulin
Level 1

Good day everyone.

We are conducting a proof of concept with Azure MFA providing second factor authentication for RAVPN.

Our parent agency owns the Azure AD that includes a user account for all our users in our agency.

However, we own and manage an in-house Active Directory domain which also has a separate AD user account for all our users in our agency.

We want to leverage our parent agency's Azure MFA authenticating with the user account in that domain, but we also want to leverage ISE (integrated with our in-house AD) to authorize our activities in our environment.

Is it possible to authenticate with one domain, but authorize with another domain?

BTW, I am by no means knowledgeable with all the terminology for Active Directory so bear with me if I'm utilizing terms incorrectly.

4 Replies

Greg Gibbs
Cisco Employee

To use Entra MFA for the RAVPN flow, the Authentication + MFA flow would have to be done by the VPN headend itself using SAML. The VPN headend would be configured to use ISE for Authorization Only.

See this post for an example configuration on the Cisco ASA:
https://community.cisco.com/t5/network-access-control/ise-3-2-azure-ad-and-secure-client-ra-vpn/td-p/4892697

You could perform a group membership check against your traditional Active Directory as part of the Authorization, but the user account used for Authentication on the VPN headend (and sent to ISE for AuthZ) would have to exist in your AD as well.
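The headend-side split Greg describes (SAML to Entra ID for authentication plus MFA, then a RADIUS authorize-only request to ISE), sketched below as an added ASA configuration example; it is not taken from this thread or the linked post. The tunnel-group name, trustpoint names, VPN hostname, tenant ID and ISE address are placeholders you would replace with your own values.

```text
! --- SAML IdP definition (Entra ID) -------------------------------------
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in  https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/<TENANT-ID>/saml2
  base-url https://vpn.example.com            ! placeholder: ASA public FQDN
  trustpoint idp ENTRA-IDP-CERT               ! placeholder: IdP signing cert
  trustpoint sp  ASA-SP-CERT                  ! placeholder: ASA identity cert
  no signature                                ! ASA does not sign the AuthnRequest
  no force re-authentication                  ! honour an existing IdP session
  timeout assertion 300                       ! reject stale assertions

! --- ISE as an authorization-only RADIUS server group ---------------------
aaa-server ISE-AUTHZ protocol radius
 authorize-only                               ! Access-Request carries no password
 dynamic-authorization                        ! allow CoA from ISE
 interim-accounting-update periodic 1
aaa-server ISE-AUTHZ (inside) host 10.0.0.10  ! placeholder: ISE PSN address
 key <RADIUS-SHARED-SECRET>                   ! placeholder
 authentication-port 1812
 accounting-port 1813

! --- Tunnel group: authenticate via SAML, authorize via ISE ----------------
tunnel-group RAVPN-ENTRA type remote-access
tunnel-group RAVPN-ENTRA general-attributes
 authorization-server-group ISE-AUTHZ         ! ISE sees username from the assertion
 accounting-server-group ISE-AUTHZ
 default-group-policy GP-RAVPN                ! placeholder group policy
tunnel-group RAVPN-ENTRA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias RAVPN enable
```

Because the RADIUS request is authorize-only, ISE must match the session in a policy set that does not expect a password; the username it receives is whatever NameID Entra ID returns, which is why that account must also be resolvable in the directory ISE queries.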

Greg thanks for your response.

I think your statement "but the user account used for Authentication on the VPN headend (and sent to ISE for AuthZ) would have to exist in your AD as well" is really the answer I was looking for.

If I understand correctly, if the account doesn't, then we'd have to integrate ISE with Azure and leverage groups created there for the ISE authorization, correct?

Correct. If you want to authorize the VPN user session (based on group membership, etc.) and the user account only exists in Entra ID, you would need to use the REST ID capability in ISE to perform the AuthZ check against Entra ID. The AuthZ policy would be similar to this example, but without any certificate interaction (since ISE never sees a certificate for the VPN session).
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

Pulkit Mittal
Level 1

I am just trying to understand why we would want to do that. Just use Azure AD for both?