Richard Lucht
Level 1

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.

Comments
DMel
Level 1

So an update... we got Azure MFA working for VPN users through the ASA using SAML. Noticed this week that since we didn't change some of the previous ISE-related settings for RADIUS, ISE was showing multiple failed logins for every VPN connection, and then we saw that the ISE policies were not being applied correctly. So now we are having to investigate the ISE policy issue. But Azure MFA definitely works using SAML to Azure.

Ricky Sandhu
Level 3

@DMel 

What you are referring to is split-AAA. ASA sends to the NPS server for MFA authentication and, if AuthC passes, then sends to ISE for the authorization piece. I have been using split-AAA for the last 3-4 years; however, more recently I started running into random issues on some client machines where they kept seeing an "internal error" message pop up once they had successfully authenticated. Went back and forth with my vendor and TAC for months. We tried various combinations of devices, software versions, etc. In the end, one of the TAC senior techs found there is a bug and a compatibility issue with what I was trying to do. Unfortunately I had to let go of my dream of using ISE for VPN client authorization if I also wanted to use Azure MFA authentication. Cisco wants you to ONLY use their solution, i.e. Duo and ISE, which apparently work much better together.

Just thought I'd post this here in case someone finds it useful. If you need more information and the actual text from TAC's findings, I can post that as well.

DannyDulin
Level 1

@Ricky Sandhu and @DMel 

Thank you for your posts. I finally found somebody attempting the same thing I'm trying to do which is split-AAA between Azure MFA and ISE.

We are currently using Duo for 1st and 2nd factor authentication and ISE for authorization. It works very well. Duo is pretty simple and it is set-it-and-forget-it. However, we have the option to use Azure MFA for free (well, somebody is paying for it, but not our agency). By the sound of it, we can't do that since Azure and ISE don't play nice.

So... if you're using Azure for AuthC, what will you use for AuthZ?

@Ricky Sandhu can you post the TAC findings on this?

Ricky Sandhu
Level 3

@DannyDulin 

I actually ended up using ISE for both AuthC and AuthZ. On ISE, however, I set up RADIUS authentication against Azure, and then AuthZ would be taken care of via ISE as normal. This has worked extremely well.

However, now there is a requirement to move to SAML-based authentication from Azure, and that's something we cannot set up on ISE. So I now have to revert to pointing the ASAs to SAML and probably split AuthZ back to ISE. If I run into the issue mentioned in the previous post again, I might have to figure something else out so I can at least log all VPN clients in ISE.

DannyDulin
Level 1

@Ricky Sandhu 

Thanks for the feedback. We must use SAML with Azure for MFA. We'll point our FTD to SAML and split AuthZ back to ISE, but here's the kicker... I don't think there's a way to use Azure groups in your AuthZ policies in ISE. If there is, I have not yet found documentation on it.

There's this link folks seem to be floating around https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

But you can't do ROPC and MFA.

So, the question still remains, if we use Azure MFA for AuthC and split AuthZ back to ISE, what do we use as matching criteria in our AuthZ policies on ISE?

Ricky Sandhu
Level 3

@DannyDulin

In my case, after AuthC succeeds, ASA sends the username to ISE, and then from ISE I look that username up in AD. If the user belongs to a particular security group in AD, ISE sends back a permit dACL to ASA. If not, it will send a deny dACL.

I did have to ensure I don't strip the realm from the username in the ASA when sending it to ISE for authentication. Without this, ASA was only sending firstname.lastname to ISE and it was failing. Now it sends First.Last@domain.com and ISE can easily find a matching account based on that.

Hope that helps.
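The flow Ricky describes (ASA forwards the authenticated username, ISE looks it up in AD and answers with a permit or deny dACL), modelled as an added Python example that is not code from the thread, from Cisco, or from ISE. The directory contents, group name and dACL names are constructed sample values; the point it shows is why realm stripping on the ASA made the ISE lookup fail.

```python
"""Constructed model of the split-AAA authorization step discussed above.

ASA -> ISE: the username as the ASA forwards it (with or without the realm).
ISE: look the account up in AD by UPN, then choose a dACL by group membership.
All names below are made-up sample values, not real directory data.
"""

# Constructed sample directory keyed by UPN (user@domain), lower-cased.
AD_USERS = {
    "jane.doe@example.com": {"groups": ["VPN-Users", "Domain Users"]},
    "john.roe@example.com": {"groups": ["Domain Users"]},
}
VPN_GROUP = "VPN-Users"        # hypothetical AD security group that grants VPN access
PERMIT_DACL = "PERMIT_VPN"     # hypothetical dACL names returned by the AuthZ policy
DENY_DACL = "DENY_ALL"


def asa_forward_username(username: str, strip_realm: bool) -> str:
    """Model the ASA side: with realm stripping on, '@domain' is dropped
    before the username is sent to ISE over RADIUS."""
    if strip_realm and "@" in username:
        return username.split("@", 1)[0]
    return username


def ise_authorize(username: str) -> tuple[str, str]:
    """Model the ISE AuthZ policy: find the forwarded username in AD and
    pick a dACL. Returns (result, dacl); an account that cannot be matched
    is rejected, which is the failure seen when the realm was stripped."""
    user = AD_USERS.get(username.lower())
    if user is None:
        return ("reject", "")
    if VPN_GROUP in user["groups"]:
        return ("permit", PERMIT_DACL)
    return ("permit", DENY_DACL)


def split_aaa_authz(username: str, strip_realm: bool) -> tuple[str, str]:
    """End to end: what ISE returns for a given ASA strip-realm setting."""
    return ise_authorize(asa_forward_username(username, strip_realm))


if __name__ == "__main__":
    for strip in (True, False):
        print(f"strip_realm={strip}:", split_aaa_authz("Jane.Doe@example.com", strip))
```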

DannyDulin
Level 1

@Ricky Sandhu 

When you say "ASA sends the username to ISE and then from ISE I look that username up in AD," do you mean Azure AD?

Or do you mean on-prem Active Directory? In which case, First.Last@domain.com must be the domain the on-prem Active Directory belongs to?

Ricky Sandhu
Level 3

@DannyDulin 

I believe we have on-prem AD which also syncs with Azure AD. I am not 100% sure as it's a different team that manages AD. Yes, @domain.com refers to our AD domain.
