Monday, March 22, 2021

Use MS Authenticator OTP for VPN MFA [help needed]

Hi,

We currently have our Cisco Anyconnect VPN setup using Azure AD SAML authentication and ISE for authorization.

However, one corner case is Sign-on Before Login (SBL), which does not support SAML auth. Basically, when we send a user a new laptop, they need to sign in to the VPN at first turn-on, before logging in, to get onto our AD and have all the MS goodness pushed to their machines; a one-time process.

The MS Authenticator app has a built-in OTP function; however, I couldn't find how to get this to talk RADIUS with either the ASAs or ISE. If I were able to get this done, I'd just create a separate SBL VPN profile for users to use in this instance, which just uses RADIUS. This way we wouldn't give up on MFA for this niche situation.

Does anyone know how to get this to work, or perhaps have a more elegant solution?

-JJ


