Azure MFA at every sign-in for Cisco AnyConnect

Hi. I'm guessing that many others have heard of, or are using, the pairing of Azure MFA with Cisco AnyConnect. I just set it up the other day and I did use the dynamic DNS name of the MX in the Azure config, and everything worked as expected. But when you use the SAML configuration, MFA is not triggered every time because it maintains an SSO token on the machine. My supervisor views that as a loss for security, because if the user's laptop and password were compromised an attacker would be able to boot up the laptop and connect to the VPN without an MFA prompt; obviously that is the worst-case scenario and also unlikely to happen. We want there to be a prompt for MFA every time any user signs in to the AnyConnect client. I even created an Azure conditional access policy for the AnyConnect app that said MFA was required, hoping that meant it would require MFA for each sign-in to AnyConnect, and it did not.

Also, my current config is to use RADIUS for AnyConnect auth, for which I then set up the Azure NPS extension to force MFA, which triggers MFA each time a user connects to the VPN. The bummer for me was that the SAML method doesn't support the AnyConnect "start before logon", so I can't really use it for reasons. But I don't call the shots :/ All that to say, yes, I think you need the dynamic name of the MX, which possibly means you might need an Enterprise app for each MX. Unless you can add all of the MX dynamic names to the entity ID config in the same Azure AnyConnect enterprise app, not sure though.

Step 1. Add Cisco AnyConnect from the Microsoft App Gallery. Log in to the Azure Portal and select Azure Active Directory.