Richard Lucht
Level 1

Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.

Comments
DMel
Level 1

So, an update... we got Azure MFA working for VPN users through the ASA using SAML. We noticed this week that, since we didn't change some of the previous ISE-related settings for RADIUS, ISE was showing multiple failed logins for every VPN connection, and then we saw that the ISE policies were not being applied correctly. So now we are having to investigate the ISE policy issue. But Azure MFA definitely works using SAML to Azure.

Ricky Sandhu
Level 3

@DMel 

What you are referring to is split-AAA. The ASA sends the MFA authentication to the NPS server and, if AuthC passes, then sends to ISE for the authorization piece. I have been using split-AAA for the last 3-4 years; however, more recently I started running into random issues on some client machines where they kept seeing an "internal error" message pop up once they successfully authenticated. Went back and forth with my vendor and TAC for months. We tried various combinations of devices, software versions, etc. In the end, one of the TAC senior techs found there is a bug and a compatibility issue with what I was trying to do. Unfortunately I had to let go of my dream of using ISE for VPN client authorization if I also wanted to use Azure MFA authentication. Cisco wants you to ONLY use their solution, i.e. Duo and ISE, which apparently work much better together.

Just thought I'd post this here in case someone finds it useful. If you need more information and the actual text from TAC's findings, I can post that as well.

DannyDulin
Level 1

@Ricky Sandhu and @DMel 

Thank you for your posts. I finally found somebody attempting the same thing I'm trying to do which is split-AAA between Azure MFA and ISE.

We are currently using Duo for 1st and 2nd factor authentication and ISE for authorization. It works very well. Duo is pretty simple and it is set-it-and-forget-it. However, we have the option to use Azure MFA for free (well, somebody is paying for it, but not our agency). By the sound of it, we can't do that since Azure and ISE don't play nice.

So...if you're using Azure for AuthC what will you use for AuthZ?

@Ricky Sandhu can you post the TAC findings on this?

Ricky Sandhu
Level 3

@DannyDulin 

I actually ended up using ISE for both AuthC and AuthZ. On ISE, however, I set up RADIUS authentication against Azure, and then AuthZ would be taken care of via ISE as normal. This has worked extremely well.

However, now there is a requirement to move to SAML-based authentication from Azure, and that's something we cannot set up on ISE. So I now have to revert to pointing the ASAs to SAML and probably split AuthZ back to ISE. If I run into the issue mentioned in the previous post again, I might have to figure something else out so I can at least log all VPN clients in ISE.


DannyDulin
Level 1

@Ricky Sandhu 

Thanks for the feedback. We must use SAML with Azure for MFA. We'll point our FTD to SAML and split AuthZ back to ISE, but here's the kicker... I don't think there's a way to use Azure groups in your AuthZ policies in ISE. If there is, I have not yet found documentation on it.

There's this link folks seem to be floating around https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

But you can't do ROPC and MFA.

So, the question still remains, if we use Azure MFA for AuthC and split AuthZ back to ISE, what do we use as matching criteria in our AuthZ policies on ISE?

Ricky Sandhu
Level 3

@DannyDulin

In my case, after AuthC succeeds, the ASA sends the username to ISE, and then from ISE I look up that username in AD. If the user belongs to a particular security group in AD, ISE sends back a permit dACL to the ASA. If not, it sends a deny dACL.

I did have to ensure I don't strip the realm from the username in the ASA when sending it to ISE for authentication. Without this, the ASA was only sending firstname.lastname to ISE and it was failing. Now it sends First.Last@domain.com and ISE can easily find a matching account based on that.

Hope that helps.

DannyDulin
Level 1

@Ricky Sandhu 

When you say "ASA sends the username to ISE and then from ISE I lookup that username in AD," do you mean Azure AD?

Or do you mean on-prem Active Directory, in which case First.Last@domain.com must be the domain the on-prem Active Directory belongs to?

Ricky Sandhu
Level 3

@DannyDulin 

I believe we have on-prem AD which also syncs with Azure AD. I am not 100% sure as it's a different team that manages AD. Yes, @domain.com refers to our AD domain.

DannyDulin
Level 1

@Ricky Sandhu 

"I did have to ensure I don't strip the realm from the username in the ASA when sending it to ISE for authentication. Without this, ASA was only sending firstname.lastname to ISE and it was failing. Now it sends First.Last@domain.com and ISE can easily find a matching account based on that."

How did you stop the ASA from stripping the realm from the username when sending to ISE?

JPavonM
VIP

I see you mostly talk about MFA between ISE and Entra ID for ASA, but is it working for admin access for switches and routers?

Is it the same configuration on the Azure MFA service and ISE 3.2 sides as in the original post?

JPavonM
VIP

To add more, isn't the Azure MFA Extension needed as a proxy between ISE and Azure AD/Entra ID?

Ricky Sandhu
Level 3

@DannyDulin 

Under Configuration > Remote Access VPN > Network (Client) Access > Secure Client Connection Profiles, edit one of the tunnel groups. Then under Advanced, select General, and it should be the 2nd check box.

DannyDulin
Level 1

@Ricky Sandhu 

I found the answer I was looking for. First, let me refresh your memory on our use case.

Azure MFA is linked with an AD that belongs to our parent agency. Our agency has AD accounts in our parent agency's AD because we have multiple apps that we use there. There is no relationship between our parent's AD and our AD. The only likeness between the two is that our email address is the "Samaccount" and "emailaddress" attributes in the parent agency's AD, but not in our AD. In our AD, the email address is the "emailaddress" and "mail" attribute.

Our requirement is to use Azure MFA for 1st and 2nd Authentication, but to use ISE (integrated with our AD) for Authorization.

In order to use our agency AD groups in ISE, we needed some way to configure the SAML claim from Azure MFA to send our email address as the "NameID" attribute.

The Azure administrator simply formatted (or mapped) the NameID as "emailaddress".

When the FW (FTD) receives the SAML claim with NameID as "emailaddress", the FTD sends the email address as the username in the RADIUS request to ISE. ISE looks up the username in our AD and identifies the user's group membership. Then you can use the group membership in any policy set in ISE.
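For reference, the split-AAA arrangement discussed in this thread (SAML authentication against Azure on the headend, RADIUS authorization against ISE, realm left on the username) written out as ASA CLI. This is an added example, not configuration posted by anyone in the thread; the server names, addresses, trustpoints, hostname and the tenant ID are placeholders I chose, and the sign-out URL is left for the value Azure publishes for the enterprise application.

```cisco
! Added example: ASA CLI equivalent of the split-AAA setup discussed above.
! Assumed/placeholder values: ISE-RADIUS, RAVPN-AZURE, AZURE-IDP, ASA-SP,
! VPN-POOL, GP-RAVPN, 10.0.0.10, vpn.example.com and <TENANT-ID>.

! 1. ISE as the RADIUS server used only for authorization (and accounting).
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.10
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! 2. Azure as the SAML identity provider. The entity ID and sign-in URL come
!    from the Azure enterprise application; the trustpoints hold the IdP
!    signing certificate and the ASA's own SP certificate.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out <LOGOUT-URL-FROM-AZURE>
  trustpoint idp AZURE-IDP
  trustpoint sp ASA-SP
  no signature
  base-url https://vpn.example.com

! 3. Tunnel group: authenticate with SAML, authorize with ISE.
tunnel-group RAVPN-AZURE type remote-access
tunnel-group RAVPN-AZURE general-attributes
 address-pool VPN-POOL
 default-group-policy GP-RAVPN
 authorization-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 authorization-required
 ! Do NOT strip the realm: the SAML NameID (First.Last@domain.com) must
 ! reach ISE unchanged as the RADIUS User-Name so the AD lookup matches.
 ! This is the "strip realm" check box under Advanced > General in ASDM.
 no strip-realm
 no strip-group
tunnel-group RAVPN-AZURE webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
 group-alias AZURE-VPN enable
```

On ISE the matching side is a policy set whose authorization rules key on the AD group of the looked-up account and return the permit/deny dACL (or group policy) described above; with `strip-realm` enabled the User-Name arrives without the domain suffix and that lookup fails.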

Ricky Sandhu
Level 3

@DannyDulin

Very interesting, and I am glad you found the answer. So, just for my own clarification, you are doing two authentications (i.e. SAML, which is integrated with Azure MFA, + ISE). ISE also does authorization as it normally would.

Or are you simply using ISE for authorization ONLY?

DannyDulin
Level 1

We do 1st and 2nd factor authentication with Azure MFA (parent agency AD).
We do authorization with ISE (our agency AD).

ISE for authorization only.

We also assign RAVPN group policies based on our AD groups.
