Azure MFA using LDAP with Cisco AnyConnect Issue

  • Question

  • Hi Guys,

So we are implementing Azure MFA using Cisco AnyConnect (ASA).

    Topology:

    ASA ----AZURE MFA --- LDAP

    So we tested using RADIUS and it's working fine (prompting the SMS authentication page).

    But when we use LDAP it does not prompt for the 2nd authentication; it just gives us a login failed prompt, but we did receive the SMS.

    In the ASA debug I can see that the response is fail. Is there any way to check on the MFA server?

    The user has already been tested and authenticates fine (RADIUS).

    The reason we need LDAP is to have auto-mapping with the LDAP profile.

    Thanks for the help guys,

    Friday, September 9, 2016 3:01 AM

Answers

  • If using LDAP to communicate with MFA Server, you must use phone call, two-way SMS (not recommended outside North America) or mobile app. You cannot use one-way SMS or OATH tokens because there is no way to prompt the user for their OTP after validating the username and password. Some systems will allow you to configure authentication and authorization separately so you can do authentication via RADIUS to MFA Server and then do authorization directly to AD. I don't recall if Cisco ASA has that capability or not. If not, you could try using RADIUS to MFA Server and have it proxy the RADIUS requests to NPS. You could then configure NPS to return group membership information. MFA Server should proxy that information back from NPS. However, you'll need to use PAP instead of MSCHAPv2 if you need to use one-way SMS or OATH tokens. Otherwise, you can use LDAP but will need to ensure that all users are using phone call, two-way SMS or mobile app.
    Tuesday, September 13, 2016 10:24 PM
    Moderator

All replies

  • Hi,

    We are checking on the query and would get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Azam Khan

    Friday, September 9, 2016 7:00 PM
  • Hi Azam,

Thanks for looking into this.

    Another thing is, since the customer needs to have a specific profile tied to a user group, we discussed it and want to try using the ASA group-policy drop-down, which the user can choose from.

    With this one we are facing a quite funny issue: the 1st time the user authenticates, it's successful; then we test the user disconnecting and reconnecting, and we get authentication fail.

    Appreciate if you can advise on this also.

    Thanks,

    Tuesday, September 13, 2016 3:38 AM
  • Hi Shawnb_ms,

Any guide for RADIUS + authorization through AD?

    Would be good if there is a guide for this.

    Thanks,

    Wednesday, September 14, 2016 3:39 AM
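The moderator's answer describes doing authentication via RADIUS to MFA Server (with PAP rather than MSCHAPv2) and authorization separately against AD, and the last reply asks for a guide to that split. Below is an added ASA configuration sketch, written for this page and not taken from the thread, from Cisco's documentation or from Microsoft's MFA Server guidance. It shows how the split is expressed on the ASA: the tunnel-group's authentication-server-group points at a RADIUS server group for MFA Server, its authorization-server-group points at an LDAP server group for AD, and an LDAP attribute map turns memberOf into a group-policy assignment (the "auto map" the original poster wanted). The ASA does expose separate authentication-server-group and authorization-server-group commands under tunnel-group general-attributes, which is the capability the moderator was unsure about. All interface names, IP addresses, DNs, pool ranges and group-policy names are placeholders I made up; the RADIUS shared secret and LDAP bind password are shown as asterisks.

```cisco
! Added example configuration (not from this thread). All IPs, names, DNs
! and group-policy names are made-up placeholders; secrets are shown as *****.
!
! --- Authentication: RADIUS to Azure MFA Server ---------------------------
aaa-server AZURE-MFA protocol radius
aaa-server AZURE-MFA (inside) host 10.0.0.5
 key *****
 ! A phone call, two-way SMS or app prompt takes far longer than the
 ! default RADIUS timeout allows; give the user time to answer.
 timeout 60
 ! Disable MSCHAPv2 so the ASA sends PAP to this server (the ASA otherwise
 ! uses MSCHAPv2 when password-management is enabled on the tunnel-group).
 ! As the moderator notes, one-way SMS and OATH tokens need PAP; PAP is
 ! protected only by the RADIUS shared secret, so keep this path on a
 ! trusted network segment.
 no mschapv2-capable
!
! --- Authorization: LDAP directly to Active Directory ---------------------
ldap attribute-map AD-GROUP-MAP
 ! Map the AD memberOf attribute onto the ASA Group-Policy attribute, then
 ! translate specific group DNs into ASA group-policy names.
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Admins,OU=Groups,DC=example,DC=com GP-ADMINS
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com GP-USERS
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! --- Group policies the map can assign ------------------------------------
ip local pool VPN-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
group-policy GP-USERS internal
group-policy GP-ADMINS internal
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 ! Users who match none of the mapped groups land here and get no session.
 vpn-simultaneous-logins 0
!
! --- Tunnel group: authenticate via MFA Server, authorize via AD ----------
tunnel-group ANYCONNECT-MFA type remote-access
tunnel-group ANYCONNECT-MFA general-attributes
 address-pool VPN-POOL
 authentication-server-group AZURE-MFA
 authorization-server-group AD-LDAP
 ! Drop the connection if the AD lookup returns no record for the user.
 authorization-required
 default-group-policy GP-NOACCESS
```

With this layout the second factor is driven by the RADIUS exchange with MFA Server (which is the flow the original poster already saw working), while group-policy selection comes from the AD lookup rather than from a user-chosen drop-down. If instead MFA Server proxies RADIUS to NPS and NPS returns the group attribute, as the moderator also suggests, the separate authorization-server-group and the LDAP attribute map are not needed; that variant is not shown here.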