Integrate Azure MFA with Cisco AnyConnect VPN

If you are looking for a MFA solution for Cisco AnyConnect then there is a good chance that you have heard of Duo and Azure AD. In this blog post I will guide you through the configuration steps required to set up Azure MFA with Cisco AnyConnect. Having Cisco ISE is optional for this to work.

Scenario

  • You want to authenticate the AnyConnect users against Azure SSO/SAML to enforce MFA.
  • Authorization should happen against Cisco ISE to provide role-based access using SGT tags << optional

Assumptions

  • You already have a working ASA AnyConnect setup
  • Authentication and authorization works with ISE
  • Users and groups are already synced with Azure AD
  • Cisco ISE is configured with Authorization policies for each AD group.
  • ISE advertises SGT mappings to ASA via SXP
  • ACLs are configured on ASA with SGs
  • ASA running 9.8 or later code, and AnyConnect clients will be 4.6+

To configure the integration of Cisco AnyConnect into Azure AD, you need to add Cisco AnyConnect from the gallery to your list of managed SaaS apps.

  • Sign in to the Azure portal
  • On the left navigation pane, select the Azure Active Directory service.
  • Navigate to Enterprise Applications and then select All Applications.
  • Select New Application
  • type Cisco AnyConnect in the search box.
  • Select Cisco AnyConnect from results

Configure Azure AD SSO

Configure Azure AD SSO

  • Go to AnyConnect application and then select Set up single sign on

  • Set up single sign-on with SAML page, enter the values for the following fields:

In the Identifier text box, type Cisco ASA RA VPN "Tunnel group" name

In the Reply URL text box, type Cisco ASA RA VPN "Tunnel group" name

  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate file and save it on your computer.

  • On the Set up Cisco AnyConnect section, copy all three URLs.

Cisco ASA configuration

Assume the tunnel-group name is "company-vpn" , VPN url is "vpn.mycompany.com" and the trust-point of the identity certificate is "my-public-cert"

VPN Identity Certificate - Usually a wild card certificate for *.mycompany.com that you buy from a CA.

Create a trust-point and import the SAML certificate you downloaded in the previous step.

 crypto ca trustpoint Azure-saml
   revocation-check none
   no id-usage
   no ca-check
   enrollment terminal
 crypto ca authenticate Azure-saml
 -----BEGIN CERTIFICATE-----
 
 ***certificate goes here***
 
 -----END CERTIFICATE-----
 quit

Configure SAML IdP

webvpn
 enable OUTSIDE
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.5.04029-webdeploy-k9.pkg 5
 anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 
 saml idp https://sts.windows.net/fgg54-4fdd-ac56-3ad156472a14/
  url sign-in https://login.microsoftonline.com/3d-ac563/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.mycompany.com
  trustpoint idp Azure-saml
  trustpoint sp my-public-cert
  no signature
  force re-authentication
For Service Provider (SP) certificate you can  use the identity or wild card certificate associated with your VPN url (vpn.mycompany.com) This certificate is usually issued by public CA.

Apply SAML authentication to the VPN tunnel group

tunnel-group mycompany-vpn webvpn-attributes
 authentication saml
 group-alias mycompany-vpn enable
 saml identity-provider https://sts.windows.net/fgg54-4fdd-ac56-3ad156472a14/
Now users should be able to login to AnyConnect via SSO. But we want to make sure that ISE is performing the Authorization.

To achieve this we need to use the authorization feature on the ASA.  This will enable ASA to authenticate users against Azure AD and authorize against ISE.

When the authorization request comes to ISE, it tries to process a full authentication + authorization.  There is no password (because Azure handled it already) in the packet so the authentication fails.

To get around the issue we need to  set the ISE authentication source to Internal Users, and told ISE to continue on both Auth fail and user not found.  This allows ISE to process  just authorization.

ASA configuration

tunnel-group mycompany-vpn general-attributes
 authorization-server-group ISE

Cisco ISE configuration

This would allow ISE to process the authorization and everything should work correctly. You can enforce MFA using Azure "Conditional Access".

Reference
Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect
Learn how to configure single sign-on between Azure Active Directory and Cisco AnyConnect.
Enable Azure Multi-Factor Authentication
In this tutorial, you learn how to enable Azure Multi-Factor Authentication for a group of users and test the secondary factor prompt during a sign-in event.
Buy me a coffeeBuy me a coffee