I would check your RADIUS timeout.  The RADIUS session times out waiting for 
the MFA and it retries, resulting in multiple confirmations.

> On Aug 26, 2021, at 11:50 AM, Heavrin, Lynn <lheav...@wustl.edu> wrote:
> 
> 
> AnyConnect has a SAML built-in browser (which doesn’t seem to share SSO 
> sessions unfortunately) and I believe you can also have it open up your 
> preferred browser at least on Windows anyway.  I have it running in my lab 
> right now and seems to work fine, though it’s been finicky at best until 
> recently.  Here’s a screenshot of what it looks like on Mac OS.  It pops up 
> automatically then connects like normal after creds are confirmed.
>  
> I’ll tell you it’s a much better experience for your users if they’re used to 
> logging in via SAML to other university resources because it’s familiar and 
> not the ugly AnyConnect login client page.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Matthew Craig 
> <matcr...@nmsu.edu>
> Date: Thursday, August 26, 2021 at 12:35 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
> 
>  
> Isn’t SAML entirely a web-based thing?  Sure, you can tie it into the actual 
> website URL of your ASA, but what about logging in directly from the 
> AnyConnect client itself?  This is not referenced in any documents I’ve seen 
> so far.  Is this possible?
>  
> Website login for AnyConnect would be unfriendly to many users who are 
> already hostile to having to use VPN in the first place.
>  
>  
>  
> My research on the topic is that many people are going to ISE 3.0 and using 
> PAP to go to Azure AD for RA AnyConnect.  Additionally Azure AD doesn’t seem 
> to support PEAP-MSCHAPv2 right now, which does directly concern wireless.  
> (and yes I know EAP-TLS is the way that it “should” be done, but the 
> “should” doesn’t materialize into reality for many people.  Many simply are 
> not in a position to roll out EAP-TLS)
>  
> Azure AD seems to be designed with Cloud web-apps in mind only, and this 
> apparently is creating a lot of gaps on the Networking end, and Microsoft is 
> not in the Networking business to care.
>  
>  
> Please correct me on any point, I do have a lot of knowledge gaps on this 
> subject.
>  
>  
> -
> Matt
>  
>  
>  
>  
>  
> 
> 
> 
> On Aug 26, 2021, at 9:14 AM, Jeffrey D. Sessler <j...@scrippscollege.edu> 
> wrote:
>  
> I 2nd Tim’s suggestion.  If the VPN is Cisco-based, they support using SAML 
> against AzureAD including MFA.
>  
> https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
>  
> Jeff
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard 
> <manon.less...@dti.ulaval.ca>
> Date: Thursday, August 26, 2021 at 7:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
> 
> We are talking VPN here and for the entire campus…
>  
> Manon Lessard
> Programmer Analyst
> CCNP, CWNE #275, AWA 10, ESCE Design
> Direction des technologies de l'information
> Pavillon Louis-Jacques-Casault
> 1055, avenue du Séminaire
> Office 0403
> Université Laval, Québec (Québec)
> G1V 0A6, Canada
> 418 656-2131, ext. 412853
> Fax: 418 656-7305
> manon.less...@dti.ulaval.ca
> www.dti.ulaval.ca
>  
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
> <jandrewar...@ccgs.wa.edu.au>
> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Thursday, August 26, 2021 at 10:50 AM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
>  
> Microsoft note this behaviour and have some sort of workaround in their NPS 
> MFA extension: 
> https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension
>  
> Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA 
> to provision a client cert and do EAP-TLS instead.
>  
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard 
> <manon.less...@dti.ulaval.ca>
> Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Thursday, 26 August 2021 at 10:20 pm
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA
>  
> A question not directly related to Wi-Fi, but related to ISE which seems to 
> be something some of you use.
>  
> We are currently authenticating a VPN test group via ISE through NPS servers 
> (defined as a token server).
> The goal is to do MFA with Azure through the Authenticator app on people’s 
> phones.
> Everything works, but Authenticator pops up for confirmation, sometimes 2 to 
> 3 times, even if one has accepted the first confirmation…
>  
> I would like to have feedback from people who used something like that and 
> have solved the multiple Authenticator prompts.
>  
> Thank you
>  
> Manon Lessard
>  
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community 
> list. If you want to reply only to the person who sent the message, copy and 
> paste their email address and forward the email reply. Additional 
> participation and subscription information can be found at 
> https://www.educause.edu/community

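The retry behaviour described in the top reply, as an added example that is not part of the original thread: a small model of a RADIUS client whose timeout is shorter than the time a user takes to approve the push, so each retransmission raises another prompt. The class, function names and all timer values are hypothetical and constructed for illustration; they are not ISE, NPS or Azure defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RadiusClient:
    """Hypothetical model of the RADIUS client side, not a vendor API."""
    timeout_s: float  # wait for a reply before retransmitting the Access-Request
    retries: int      # retransmissions allowed after the first attempt

def send_times(client):
    """Seconds (from the first attempt) at which each Access-Request goes out."""
    return [n * client.timeout_s for n in range(client.retries + 1)]

def push_prompts(client, approval_delay_s, dedup_retransmits=False):
    """Count MFA pushes raised before the user's first approval is answered.

    dedup_retransmits=True models a server that recognises a retransmission
    of a request still in progress and does not start a second challenge.
    """
    prompts = 0
    for t in send_times(client):
        if t >= approval_delay_s:
            break                      # reply already received, no more retries
        if dedup_retransmits and prompts:
            continue                   # duplicate of an in-flight request
        prompts += 1
    return prompts

def login_succeeds(client, approval_delay_s):
    """The client gives up once every attempt has timed out."""
    return approval_delay_s < client.timeout_s * (client.retries + 1)

def compare(profiles, approval_delays_s):
    """Worst-case prompt count and failed logins for each timer profile."""
    report = {}
    for name, c in profiles.items():
        prompts = [push_prompts(c, d) for d in approval_delays_s]
        failed = sum(not login_succeeds(c, d) for d in approval_delays_s)
        report[name] = {"max_prompts": max(prompts), "failed_logins": failed}
    return report

# Constructed sample data: seconds users took to tap Approve, two timer profiles.
APPROVAL_DELAYS_S = [4, 7, 12, 20, 45]
PROFILES = {"short": RadiusClient(5, 2), "long": RadiusClient(60, 2)}

if __name__ == "__main__":
    for name, row in compare(PROFILES, APPROVAL_DELAYS_S).items():
        print(name, row)
```

With the short profile the model shows up to three prompts per login, and approvals that arrive after the last attempt has timed out are rejected even though the user accepted.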