I'd recommend you use SAML with your VPN solution directly to AAD and not go
through ISE.
From: The EDUCAUSE Wireless Issues Community Group Listserv
on behalf of James Andrewartha
Sent: Thursday, August 26, 2021 10:50
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Isn’t SAML entirely a web-based thing? Sure, you can tie it into the actual
website URL of your ASA, but what about logging in directly from the AnyConnect
client itself? This is not referenced in any documents I’ve seen so far. Is
this possible?
website login for AnyConnect would be
You can separate the authentication and the authorization if you want to use
ISE for controlling authorization. If your VPN solution is Cisco, the ASA can
talk directly to Azure via SAML and then send authorization requests separately
to ISE. For Duo, you can set up a Duo Proxy via ISE and
I 2nd Tim’s suggestion. If the VPN is Cisco-based, they support using SAML
against AzureAD including MFA.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
Jeff
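For the split Tim and Jeff describe (the ASA authenticating users via SAML against Azure AD and then querying ISE separately for authorization), here is an ASA configuration fragment as an added illustration; it is not from the thread or from the linked Cisco document. TENANT-ID, the trustpoint names, vpn.example.edu, the ISE host address, the address pool and the group-policy name are placeholders.

```cisco
! Azure AD as SAML identity provider (TENANT-ID is a placeholder for the Azure tenant GUID)
webvpn
 enable outside
 tunnel-group-list enable
 saml idp https://sts.windows.net/TENANT-ID/
  url sign-in https://login.microsoftonline.com/TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/TENANT-ID/saml2
  ! trustpoint holding the Azure AD signing certificate (import it first)
  trustpoint idp AZUREAD-SAML
  ! trustpoint holding the ASA's own certificate, used to sign/identify the SP
  trustpoint sp ASA-SP
  ! let Azure AD decide on MFA/re-prompting instead of forcing a fresh login each time
  no force re-authentication
  ! must match the Identifier (Entity ID) / Reply URL registered in the Azure enterprise app
  base-url https://vpn.example.edu
!
! ISE as RADIUS server used only for authorization (and accounting), not authentication
aaa-server ISE-AUTHZ protocol radius
aaa-server ISE-AUTHZ (inside) host 10.0.0.10
 key PLACEHOLDER-SHARED-SECRET
!
tunnel-group SAML-VPN type remote-access
tunnel-group SAML-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy SAML-VPN-GP
 ! authorization lookup goes to ISE after SAML succeeds; no authentication-server-group is set
 authorization-server-group ISE-AUTHZ
 authorization-required
 accounting-server-group ISE-AUTHZ
tunnel-group SAML-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/
 group-alias SAML-VPN enable
```

With this layout the MFA prompt is handled in the browser window AnyConnect opens for the SAML exchange, so the RADIUS timeout problem with push-based MFA never arises on the ISE leg.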
From: The EDUCAUSE Wireless Issues
We are talking VPN here and for the entire campus…
Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Information Technology Directorate
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6,
Microsoft note this behaviour and have some sort of workaround in their NPS MFA
extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension
Really though, doing MFA for RADIUS is a square peg in a round
A question not directly related to Wi-Fi, but related to ISE which seems to be
something some of you use.
We are currently authenticating a VPN test group via ISE through NPS servers
(defined as a token server).
The goal is to do MFA with Azure through the Authenticator app on people’s
phones.