Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Tim Cappalli
I'd recommend you use SAML with your VPN solution directly to AAD and not go 
through ISE.


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Matthew Craig

Isn’t SAML entirely a web-based thing? Sure, you can tie it into the actual 
website URL of your ASA, but what about logging in directly from the AnyConnect 
client itself? This is not referenced in any documents I’ve seen so far. Is 
this possible?

Website login for AnyConnect would be unfriendly to many users who are already 
hostile to having to use VPN in the first place.



My research on the topic is that many people are going to ISE 3.0 and using PAP 
to go to Azure AD for RA AnyConnect. Additionally, Azure AD doesn’t seem to 
support PEAP-MSCHAPv2 right now, which does directly concern wireless. (And 
yes, I know EAP-TLS is the way that it “should” be done, but the “should” 
doesn’t materialize into reality for many people. Many simply are not in a 
position to roll out EAP-TLS.)

Azure AD seems to be designed with cloud web apps in mind only, and this 
apparently is creating a lot of gaps on the networking end, and Microsoft is not 
in the networking business to care.


Please correct me on any point, I do have a lot of knowledge gaps on this 
subject.


-
Matt








Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Heavrin, Lynn
You can separate the authentication and the authorization if you want to use 
ISE for controlling authorization. If your VPN solution is Cisco, the ASA can 
talk directly to Azure via SAML and then send authorization requests separately 
to ISE. For Duo, you can set up a Duo Proxy via ISE and the ASA would only 
talk to ISE, but I’m not sure Azure has that. I like having ISE in the mix on 
our AnyConnect VPN for auditing and pulling authentication reports, especially 
if you have multiple VPN profiles.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Tel: 314.935.3877 | Email: lheav...@wustl.edu




Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Jeffrey D. Sessler
I 2nd Tim’s suggestion.  If the VPN is Cisco-based, they support using SAML 
against AzureAD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff


Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread Manon Lessard
We are talking VPN here and for the entire campus…

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information (Information Technology Department)
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality






Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

2021-08-26 Thread James Andrewartha
Microsoft note this behaviour and have some sort of workaround in their NPS MFA 
extension: 
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA to 
provision a client cert and do EAP-TLS instead.




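The Microsoft page James links covers RADIUS timeout and retransmission, which is what turns one login into two or three pushes. The following is an added simulation (not code from the thread, Cisco or Microsoft) of a RADIUS client that re-sends the same Access-Request while the server is still waiting on the Authenticator push; the names, timings and the duplicate-detection key (client address and Identifier as in RFC 2865, plus the Request Authenticator as RFC 5080 recommends) are assumptions.

```python
"""Added simulation: RADIUS retransmits against a push-based MFA backend.

ISE (RADIUS client) waits `client_timeout_s` for NPS to answer, then re-sends
the *same* Access-Request; NPS is blocked on the Authenticator push, so every
retransmit not recognised as a duplicate fires another push.  Names, timings
and the dedupe key are assumptions, not Microsoft's or Cisco's implementation.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessRequest:
    """Fields of an Access-Request that stay identical on a retransmit."""
    client_addr: str              # RADIUS client source IP:port
    identifier: int               # 8-bit Identifier (RFC 2865 dup detection)
    request_authenticator: bytes  # 16-byte Request Authenticator (RFC 5080)
    user_name: str


@dataclass
class MfaRadiusServer:
    """Server whose Access-Request handling blocks on an out-of-band push."""
    dedupe: bool                  # recognise retransmits of in-flight requests?
    pushes_sent: int = 0
    in_flight: set = field(default_factory=set)

    def _key(self, req: AccessRequest) -> tuple:
        return (req.client_addr, req.identifier, req.request_authenticator)

    def handle(self, req: AccessRequest) -> str:
        if self.dedupe and self._key(req) in self.in_flight:
            return "retransmit-ignored"   # a push is already pending
        self.in_flight.add(self._key(req))
        self.pushes_sent += 1             # one Authenticator prompt per push
        return "push-sent"

    def complete(self, req: AccessRequest) -> None:
        """User approved or denied: the request is no longer in flight."""
        self.in_flight.discard(self._key(req))


def prompts_seen(client_timeout_s: float, max_retries: int,
                 push_latency_s: float, dedupe: bool) -> int:
    """Authenticator prompts one login produces under these settings."""
    server = MfaRadiusServer(dedupe=dedupe)
    # Constructed request; the identical object is re-sent on every retry.
    req = AccessRequest("10.0.0.5:49152", 42, bytes(range(16)), "alice")
    for attempt in range(max_retries + 1):
        if attempt * client_timeout_s >= push_latency_s:
            break                         # user answered; reply arrived in time
        server.handle(req)
    server.complete(req)
    return server.pushes_sent


if __name__ == "__main__":
    # 5 s client timeout vs. a 12 s human response: 3 prompts for one login;
    # deduplicating retransmits, or a 60 s timeout, brings it back to 1.
    print(prompts_seen(5, 3, 12, dedupe=False),
          prompts_seen(5, 3, 12, dedupe=True),
          prompts_seen(60, 3, 12, dedupe=False))
```

Either remedy works in the model: recognise retransmits of an in-flight request on the server side, or set the RADIUS client timeout on ISE longer than the time a person needs to answer the push.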


ISE-NPS-Azure MFA

2021-08-26 Thread Manon Lessard
A question not directly related to Wi-Fi, but related to ISE which seems to be 
something some of you use.

We are currently authenticating a VPN test group via ISE through NPS servers 
(defined as a token server).
The goal is to do MFA with Azure through the Authenticator app on people’s 
phones.
Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 
times, even if one has accepted the first confirmation…

I would like to have feedback from people who used something like that and have 
solved the multiple Authenticator prompts.

Thank you

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information (Information Technology Department)
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality

