Wednesday, December 16, 2020

AnyConnect VPN with Microsoft NPS RADIUS and Azure MFA extension - Group Lock

Looking for some help with something I can't quite wrap my head around... sorry, it's a long story:

So we have Cisco Firepower FTD appliances as the VPN headend, but we need to use Microsoft Azure for MFA. I have this all working via the Microsoft NPS RADIUS server and the Azure MFA extension for NPS.

However, the NPS extension has a caveat regarding RADIUS AVP data being returned during certain MFA scenarios: if your user uses the SMS or App Code verification methods, the RADIUS attributes you have set up in the NPS policy are not returned to the VPN appliance.

This is a problem because I was trying to use the Class (attribute 25) AVP to return the AnyConnect Group Policy I want the matching user to get.

So, now I think I need to create two separate VPN Connection Profiles (aka tunnel groups), with each profile getting the specific Group Policy applied as its default. My users will have to be trained to connect to the different profiles depending on the access they need.

But I need to configure FTD so that only certain users can log in to each connection profile. I believe I can do this with something called "Group Lock", but this requires a RADIUS AVP again, so I think I will just run into the caveat above again.

Is there some way I can lock a Connection Profile to a specific user group while also leveraging the NPS Azure MFA extension? Does anybody have experience with this?
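To make the caveat concrete, the following is an added example (not code from the post, from Cisco, or from the NPS extension) that models what the headend sees in the two cases the post describes: an Access-Accept that carries the NPS policy attributes, and one from which the extension has stripped them. The RADIUS attribute encoding follows RFC 2865; the Cisco-side numbers (IETF Class attribute 25 carrying "OU=<group-policy>;", vendor ID 3076, and the Tunnel-Group-Lock VSA 85) are taken from Cisco's ASA RADIUS attribute documentation and are assumed here to apply to FTD as well. Which MFA methods cause attribute stripping is modelled on the post's description, not on the extension's code, and the profile and policy names are made up.

```python
"""Model of how an ASA/FTD-style VPN headend consumes a RADIUS Access-Accept.

Constructed example. Attribute encoding per RFC 2865 (IETF TLVs and the
Vendor-Specific attribute 26). Cisco numbers (Class 25 as "OU=<group-policy>;",
vendor ID 3076, Tunnel-Group-Lock VSA 85) come from the ASA RADIUS attribute
documentation and are ASSUMED to apply to FTD. The NPS-extension behaviour is
modelled on the caveat described in the post, not on the extension itself.
"""
import struct

IETF_CLASS = 25                # IETF "Class" attribute; headend reads "OU=<group-policy>;"
IETF_VENDOR_SPECIFIC = 26      # IETF "Vendor-Specific" attribute container
CISCO_VPN_VENDOR_ID = 3076     # vendor ID used for the ASA/FTD remote-access VSAs
CISCO_TUNNEL_GROUP_LOCK = 85   # Cisco VSA "Tunnel-Group-Lock" (string)

# Assumption modelling the post's caveat: for these methods NPS returns no policy attributes.
ATTRIBUTE_STRIPPING_METHODS = {"sms", "app_code"}


def encode_ietf(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: type(1) length(1) value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a Cisco VSA in attribute 26: vendor-id(4) vendor-type(1) vendor-length(1) value."""
    vendor_data = (struct.pack("!I", CISCO_VPN_VENDOR_ID)
                   + bytes([vendor_type, 2 + len(value)]) + value)
    return encode_ietf(IETF_VENDOR_SPECIFIC, vendor_data)


def decode_attributes(blob: bytes):
    """Parse a concatenated attribute list into ("ietf", type, value) / ("vsa", vendor, vtype, value)."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + attr_len]
        if attr_type == IETF_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA length")
            out.append(("vsa", vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append(("ietf", attr_type, value))
        i += attr_len
    return out


def nps_access_accept(mfa_method: str, group_policy: str, lock_to_tunnel_group: str) -> bytes:
    """Attribute payload of the Access-Accept; empty for the methods the post says are stripped."""
    if mfa_method in ATTRIBUTE_STRIPPING_METHODS:
        return b""  # Access-Accept arrives with none of the NPS policy's attributes
    return (encode_ietf(IETF_CLASS, f"OU={group_policy};".encode())
            + encode_cisco_vsa(CISCO_TUNNEL_GROUP_LOCK, lock_to_tunnel_group.encode()))


def headend_decision(tunnel_group: str, default_group_policy: str, accept_attrs: bytes) -> dict:
    """Apply the Access-Accept: Class selects the group policy, VSA 85 locks the tunnel group.

    With no Class attribute the connection profile's default group policy applies;
    with no Tunnel-Group-Lock attribute nothing restricts which profile was used.
    """
    group_policy, lock = default_group_policy, None
    for attr in decode_attributes(accept_attrs):
        if attr[0] == "ietf" and attr[1] == IETF_CLASS:
            text = attr[2].decode("ascii", "replace")
            if text.startswith("OU="):
                group_policy = text[3:].split(";", 1)[0]
        elif (attr[0] == "vsa" and attr[1] == CISCO_VPN_VENDOR_ID
              and attr[2] == CISCO_TUNNEL_GROUP_LOCK):
            lock = attr[3].decode("ascii", "replace")
    allowed = lock is None or lock == "none" or lock == tunnel_group
    return {"group_policy": group_policy, "lock": lock, "allowed": allowed}


if __name__ == "__main__":
    # Made-up names: an admin profile/policy, a default policy, and a second profile.
    for method in ("push", "sms"):
        for tg in ("ADMIN-PROFILE", "USER-PROFILE"):
            accept = nps_access_accept(method, "ADMIN-GP", "ADMIN-PROFILE")
            print(method, tg, headend_decision(tg, "DEFAULT-GP", accept))
```

Running it shows the two outcomes the post is worried about: with the push method the user lands in ADMIN-GP and is rejected on USER-PROFILE by the lock, while with SMS the same user falls back to whatever default group policy the chosen profile carries and no lock is enforced, because the headend never received either attribute.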


