ISE DEPLOYMENT - HELP

israhass (Cisco Employee)

Could anyone help me with this query we had from a customer please?



As you know, we have a massive ISE deployment running dot1x authentication for NAC (in deployment globally), our WiFi and remote access with posture compliance. A request has come through to enable MFA on top of the Cisco AnyConnect and ideally we’d like to use Azure AD as this is now our third party authentication solution of choice. Do you have a suitable engineering resource that may be able to run us through the theory of the ISE/SAML integration and what the user can expect to be the result/login process in their AnyConnect client? There are a few documents on this integration but none officially from Cisco – mostly other non-Cisco engineers who have worked on this – so not an ideal guide!

Accepted Solution

paul (Level 10)

Azure MFA is interacted with via a RADIUS proxy that communicates to Azure. The RADIUS proxy is part of their solution. To ISE, Azure MFA is just an external RADIUS server that you set up. How the MFA actually works depends on how you set up Azure MFA. It could be text notifications, push to an app installed on the mobile device, etc.

For the current customer that I am working on, we log into VPN with our AD credentials then we get a text on our phone from Azure MFA.  We have to type the code back into the text message to get accepted onto VPN. 

You will need to increase your RADIUS timeouts to allow for the MFA transaction.  Use something like 60-90 seconds for the timeout.

So the authentication of the VPN is handed off completely to the Azure MFA RADIUS server. It does the AD checks and the MFA process. All ISE is looking for is an accept/reject coming back. You can do AD checks in the authorization phase if you want, but the authentication phase is fully delegated to the Azure MFA RADIUS server.

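To make the accepted answer concrete, here is an added example (not Cisco or Microsoft code, and not part of the original thread) that models the exchange paul describes: a toy RFC 2865 RADIUS client playing the ISE role sends one Access-Request and only cares whether an Access-Accept or Access-Reject comes back, while a stand-in for the Azure MFA RADIUS proxy checks the password, "waits for the second factor", and then answers. The shared secret, the user database, the simulated MFA delay and all port numbers are constructed for the demo. The demo runs the same request with a short timeout and with a timeout that covers the MFA round trip, which is the reason for the 60-90 second RADIUS timeout in the answer, and also shows what a wrong shared secret looks like from the client side.

```python
"""Toy RADIUS client/server: ISE hands VPN authentication to an external MFA RADIUS
server and only inspects the Accept/Reject. Added example, not vendor code. Secret,
users, MFA delay and ports below are constructed for the demo."""
import hashlib, os, socket, struct, threading, time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RFC 2865 attribute types

SHARED_SECRET = b"demo-shared-secret"        # constructed, demo only
USERS = {"alice": "Correct-Horse-9"}         # constructed stand-in for the AD check
MFA_DELAY = 1.0   # seconds the fake push/SMS step takes; a real push takes far longer


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2:
            break
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    raw = raw.ljust(max(16, (len(raw) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(raw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")  # garbage if the secret differs


def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()


def mfa_radius_server(sock, secret, users, mfa_delay):
    """Stand-in for the Azure MFA RADIUS proxy: password check ('AD check'), then the
    second factor, then a bare Access-Accept or Access-Reject with no other attributes."""
    while True:
        try:
            data, peer = sock.recvfrom(4096)
        except OSError:
            continue
        if data == b"stop":
            sock.close()
            return
        code, ident, length = struct.unpack("!BBH", data[:4])
        if code != ACCESS_REQUEST:
            continue
        req_auth, attrs = data[4:20], _parse_attrs(data[20:length])
        user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
        pw = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
        time.sleep(mfa_delay)                         # simulated push/SMS round trip
        rcode = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
        reply = struct.pack("!BBH", rcode, ident, 20)
        reply += response_authenticator(rcode, ident, req_auth, b"", secret)
        try:
            sock.sendto(reply, peer)
        except OSError:
            pass                                      # client already gave up


def radius_auth(server, secret, user, password, timeout):
    """The ISE side: one Access-Request, then wait up to `timeout` seconds for a reply
    whose Identifier and Response Authenticator match. Returns 'accept', 'reject',
    'timeout' or 'bad-authenticator'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    body = _attrs([(ATTR_USER_NAME, user.encode()),
                   (ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth))])
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(request, server)
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "timeout"
            s.settimeout(remaining)
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                return "timeout"                      # what ISE sees with too short a timeout
            code, rid, length = struct.unpack("!BBH", data[:4])
            if rid != ident:
                continue                              # late reply to an earlier request
            if data[4:20] != response_authenticator(code, rid, req_auth, data[20:length], secret):
                return "bad-authenticator"            # wrong shared secret or spoofed reply
            return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def run_demo():
    """Starts the fake MFA server on a loopback port and runs the four cases."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    addr = srv.getsockname()
    threading.Thread(target=mfa_radius_server, daemon=True,
                     args=(srv, SHARED_SECRET, USERS, MFA_DELAY)).start()
    generous = 3 * MFA_DELAY + 1          # covers a queued request too; cf. 60-90 s on ISE
    results = {
        "default_timeout": radius_auth(addr, SHARED_SECRET, "alice", "Correct-Horse-9", 0.3),
        "mfa_timeout":     radius_auth(addr, SHARED_SECRET, "alice", "Correct-Horse-9", generous),
        "wrong_password":  radius_auth(addr, SHARED_SECRET, "alice", "wrong", generous),
        "wrong_secret":    radius_auth(addr, b"other-secret", "alice", "Correct-Horse-9", generous),
    }
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"stop", addr)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:16} -> {outcome}")
```

The first case is the failure mode the answer warns about: the password was right and the server would have accepted, but the client had already given up, so the user sees a rejected VPN login and the MFA prompt arrives after the fact. The wrong-secret case is worth noting because a real RADIUS client silently drops replies whose Response Authenticator does not verify, so a mistyped shared secret on either side also presents as a timeout rather than as a clear error.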

4 Replies


israhass (Cisco Employee)

Hi Paul,

Could we have a chat via email, please, as my AM would like to ask you a few questions regarding your answer.

email: israhass@cisco.com

Thanks,

Israr

Jason Kunst (Cisco Employee)

I am not sure what you're asking here. Please consider that this may be a question for the AnyConnect community rather than ISE.

ISE SAML SSO support is explained as the following:

A user connects to a web portal such as guest, sponsor, or My Devices on ISE and is given a SAML SSO token from their IdP, so they can then log in to another portal (think employee webmail or company dashboard).

This also works in reverse: if you access the company portal first, then SSO to the ISE portals (except admin) will work.

For more information see SAMLv2 Identity Provider as an External Identity Source:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html

ISE supported SAML SSO integration examples:

https://communities.cisco.com/docs/DOC-64018#jive_content_id_Web_Portal_access_via_SAML_SSO

Are you looking for something else?