
Microsoft MFA / Cisco VPN anyconnect

Posted by cryptofuturebright@reddit | sysadmin | 10 comments

Anyone using these two together? If so any gotchas you discovered during the transition?


10 Comments

AbleAmazing@reddit

We have in the past. It's pretty easy to set up via SAML. The one gotcha I recall is SBL. Cisco doesn't allow SAML authentication with SBL because any browser-based workload would run as NT AUTHORITY\SYSTEM at the logon screen.

AppIdentityGuy@reddit

What’s SBL?

AbleAmazing@reddit

Start before logon. Allows you to establish a VPN connection before logging into Windows. Gives remote machines line of sight to DCs for things like GPO and logon scripts.

AppIdentityGuy@reddit

Oh, duh, me being stupid..

cryptofuturebright@reddit (OP)

Thanks for the tip. We are looking to do SBL, ugh, didn't think of that. Are there any workarounds?

AbleAmazing@reddit

Not sure. This was three years ago that we last used it. There may be workarounds I am unaware of. You could consider Duo instead of Azure MFA, but it's an additional cost.

shaad20@reddit

We use it, absolutely no gotchas from my perspective; AnyConnect is probably the least problematic rollout I've ever done. Number matching hasn't started being forced on our users for any services, but there's a potential gotcha there if you don't do the registry edits.

cryptofuturebright@reddit (OP)

Thanks for the tip. Are you saying reg edits are needed for the MFA number matching support? We have number matching enabled.

shaad20@reddit

If you're using the NPS extension, then yes, I believe there's a regedit you have to do in order to support number matching, or alternatively to just get push notifications.
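Two pre-rollout checks for the gotchas raised in this thread (AbleAmazing's point that SBL is not supported with SAML, and shaad20's point about the NPS extension registry edit for number matching), written here as an added PowerShell example; it is not code from the thread, from Cisco, or from Microsoft. It assumes the default AnyConnect profile directory under C:\ProgramData, that the NPS extension reads its settings from HKLM\SOFTWARE\Microsoft\AzureMfa with a string value named OVERRIDE_NUMBER_MATCHING_WITH_OTP (TRUE prompts push users for a one-time code, FALSE falls back to plain Approve/Deny push), and that the NPS service is named IAS. The sample profile at the bottom is constructed so the SBL check runs offline. Verify the value name and its current default against Microsoft's NPS extension documentation before using the setter.

```powershell
# Added example, not from the thread: AnyConnect + Entra/Azure MFA pre-rollout checks.
# Assumptions (verify against current Cisco/Microsoft docs):
#   - client profiles: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\*.xml
#   - NPS extension key: HKLM:\SOFTWARE\Microsoft\AzureMfa, REG_SZ OVERRIDE_NUMBER_MATCHING_WITH_OTP
#   - NPS Windows service name: IAS

function Test-AnyConnectSbl {
    # Returns $true when the profile enables Start Before Logon.
    # Profile schema: <AnyConnectProfile><ClientInitialization><UseStartBeforeLogon>true|false
    param([Parameter(Mandatory)][xml]$Profile)
    $node = $Profile.AnyConnectProfile.ClientInitialization.UseStartBeforeLogon
    if ($null -eq $node) { return $false }
    # With a UserControllable attribute the adapter returns an XmlElement, otherwise a plain string.
    $value = if ($node -is [System.Xml.XmlElement]) { $node.'#text' } else { $node }
    return ([string]$value).Trim().ToLower() -eq 'true'
}

function Get-AnyConnectSblProfiles {
    # Lists every deployed profile and whether it turns SBL on (SBL + SAML is the gotcha).
    param([string]$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile')
    Get-ChildItem -Path $ProfileDir -Filter *.xml -ErrorAction SilentlyContinue | ForEach-Object {
        try { $xml = [xml](Get-Content -Path $_.FullName -Raw) } catch { return }
        [pscustomobject]@{ Profile = $_.Name; SblEnabled = Test-AnyConnectSbl -Profile $xml }
    }
}

function Get-NpsExtensionMfaSetting {
    # Reports the NPS extension value that decides OTP prompt vs Approve/Deny push.
    param([string]$Name = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP')
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Name = $Name; Value = $null; Note = 'NPS extension key not present (extension not installed here?)' }
    }
    $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v)       { $note = 'not set: extension default applies (assumed TRUE on current versions: push users are asked for an OTP)' }
    elseif ($v -eq 'TRUE')  { $note = 'push users are prompted for a one-time code instead of a push' }
    elseif ($v -eq 'FALSE') { $note = 'Approve/Deny push without number matching' }
    else                    { $note = 'unexpected value, check the docs' }
    [pscustomobject]@{ Name = $Name; Value = $v; Note = $note }
}

function Set-NpsExtensionMfaSetting {
    # Run elevated on the NPS server only; restarts NPS so the extension rereads the key.
    param([Parameter(Mandatory)][ValidateSet('TRUE', 'FALSE')][string]$Value)
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' -PropertyType String -Value $Value -Force | Out-Null
    Restart-Service -Name IAS
}

# Constructed sample profile (not a real deployment) so the SBL check can be exercised offline.
$sample = [xml]@'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>
'@
"Sample profile SBL enabled: $(Test-AnyConnectSbl -Profile $sample)"

# Live checks: deployed client profiles on this machine, and the NPS extension setting if present.
Get-AnyConnectSblProfiles | Format-Table -AutoSize
Get-NpsExtensionMfaSetting | Format-List
```

Run the profile check on a client that already has AnyConnect deployed and the registry check on the NPS server. Set-NpsExtensionMfaSetting restarts NPS, which briefly interrupts RADIUS authentication, so run it in a maintenance window; a profile that reports SblEnabled = True needs a decision (drop SBL, or keep a non-SAML tunnel group for it) before the SAML cutover.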

AppIdentityGuy@reddit

Why would you use the NPS extension when the Cisco devices can authenticate directly against Azure AD? Not being critical, just curious.