Please explain authentication flow for Azure MFA with Cisco VPN?

Chopra 126 Reputation points
2021-12-01T06:33:25.337+00:00

I am looking to understand the authentication flow if the following is configured

  1. Azure MFA + NPS + onprem AD
  2. Azure MFA + Cisco VPN

3 answers

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-12-01T09:14:04.53+00:00

    Hi @Chopra • Thank you for reaching out.

    Azure MFA + NPS + onprem AD

    • VPN appliance receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
    • NPS Server connects to on-prem AD to perform the primary authentication for the RADIUS requests and, upon success, passes the request to the NPS extension.
    • NPS Extension triggers a request to Azure AD MFA for the secondary authentication.
    • Azure MFA communicates with Azure AD to retrieve the user's details and performs the secondary authentication using a verification method configured to the user.

    Read more: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

    Azure MFA + Cisco VPN

    • Cisco AnyConnect is available as an enterprise application in Azure AD and can be directly federated with Azure AD using SAML.
    • When it receives requests from VPN clients, it presents the Azure AD sign-in page for the user to perform the first-factor authentication.
    • The user will be prompted for MFA if a Conditional Access policy is configured to trigger MFA for the Cisco AnyConnect enterprise application.
    • Once authentication completes successfully, a SAML assertion is issued for Cisco AnyConnect and the connection is established afterward.

    Read more: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
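The "Azure MFA + NPS + onprem AD" flow in the answer above, modelled end to end as an added example (this is not code from the answer, from Microsoft or from Cisco). The VPN appliance side wraps the client's credentials in a RADIUS Access-Request with RFC 2865 User-Password hiding; the NPS side parses it, checks the primary factor against a constructed stand-in for on-prem AD, and only then asks a constructed stand-in for the NPS extension's Azure MFA call for the secondary factor. The dictionaries `ON_PREM_AD` and `AZURE_MFA_APPROVES`, the `azure_mfa` function and the shared secret are all assumptions made up for this example; the packet layout and password hiding follow the RFC.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-ins for on-prem AD and for the Azure MFA call made by the
# NPS extension. Real NPS looks these up in AD and Azure AD; these dicts do not.
ON_PREM_AD = {b"alice": b"correct horse battery", b"bob": b"hunter2"}
AZURE_MFA_APPROVES = {b"alice"}                # users who approve the MFA prompt
SHARED_SECRET = b"constructed-radius-secret"   # shared between VPN appliance and NPS


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block); the first
    'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def vpn_appliance_request(username: bytes, password: bytes, secret: bytes) -> bytes:
    """What the VPN appliance does with the client's credentials: wrap them in a
    RADIUS Access-Request (code, identifier, length, 16-byte authenticator, AVPs)."""
    authenticator = os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 20:
        raise ValueError("bad length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def azure_mfa(username: bytes) -> bool:
    """Stand-in for the NPS extension's call to Azure MFA (constructed, not the real API)."""
    return username in AZURE_MFA_APPROVES


def nps_handle(packet: bytes, secret: bytes, mfa_backend=azure_mfa):
    """NPS with the extension installed: primary factor against AD first; only on
    success is the secondary factor requested. Returns (code, reason)."""
    try:
        code, _ident, authenticator, attrs = parse_radius(packet)
    except ValueError as exc:
        return ACCESS_REJECT, f"malformed: {exc}"
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return ACCESS_REJECT, "not a PAP Access-Request"
    user = attrs[ATTR_USER_NAME]
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    if ON_PREM_AD.get(user) != password:
        return ACCESS_REJECT, "primary authentication failed"   # MFA is never contacted
    if not mfa_backend(user):
        return ACCESS_REJECT, "secondary authentication failed"
    return ACCESS_ACCEPT, "both factors verified"


if __name__ == "__main__":
    for user, pw in [(b"alice", b"correct horse battery"), (b"alice", b"wrong"), (b"bob", b"hunter2")]:
        print(user.decode(), nps_handle(vpn_appliance_request(user, pw, SHARED_SECRET), SHARED_SECRET))
```

Two things the model makes visible that the bullet list only implies: the MFA backend is never contacted when the primary factor fails, so MFA prompts that arrive for bad-password attempts point at a misordered or misconfigured policy; and a mismatched RADIUS shared secret between the appliance and NPS does not error out, it silently turns every password into garbage and surfaces as "primary authentication failed" in the NPS log. User-Password hiding is keyed MD5 obfuscation rather than encryption, which is why the RADIUS leg between appliance and NPS is normally kept on a trusted segment.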


  2. Limitless Technology 39,341 Reputation points
    2021-12-01T16:18:37.95+00:00

    Hi there,

    Azure MFA + NPS + onprem AD

    Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.

    You can use this article to understand the Flow https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

    Authentication flows and application scenarios https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


  3. grimson 21 Reputation points
    2021-12-17T12:01:11.207+00:00

    Please also keep in mind that you need Azure AD P1 licenses for the NPS plugin (on premise). Technically, if you have one P1 license your tenant is Azure AD P1 ready, but you have to license all NPS users (not yet technically enforced). (Please correct me if I'm wrong.)

    Source:
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#feature-comparison-based-on-licenses
    *MFA for on-premises applications
