Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Anyconnect VPN NPS Clearpass Setup Question

  • 1.  Anyconnect VPN NPS Clearpass Setup Question

    Posted Sep 16, 2020 06:30 PM

    We want to use MFA with our Cisco VPN solution. We already have MFA working with our 365 solution, but we want to leverage this for our VPN as well.

    Right now I have a working VPN authentication to ClearPass and have a separate service created that I will be testing with. I have a fresh NPS server set up, and the ASA I am testing with is sending requests to the NPS server.

    The issue I am having now is whether I am using the right order of authentication for this setup:

    ASA (VPN) --> MS NPS --> ClearPass ---> AD

    Or should I be doing this?

    ASA (VPN) --> ClearPass ---> MS NPS --- AD

    The first one seems like the correct way, but what I see now is that the VPN login hits the NPS but the request is never forwarded to ClearPass. I am trying to get this working before I do the Azure Connect to NPS for the secondary auth. I know I need to configure the NPS a bit more, but I want to make sure I have the logical flow correct before digging too deep.

    Any help with the path question will help me greatly. Thanks.



  • 2.  RE: Anyconnect VPN NPS Clearpass Setup Question
    Best Answer

    Posted Sep 16, 2020 07:34 PM
    You will need to use the second option with the Azure NPS Connect; ClearPass will need to proxy all the requests to NPS.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile
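    The point behind the second option is that ClearPass sits in the middle as a RADIUS proxy: it terminates the ASA's RADIUS session with one shared secret, and opens a separate RADIUS session toward NPS with another. The following is an added simulation of that two-hop flow, written for this page and not code from the thread, from Aruba, or from Microsoft. It implements the RFC 2865 User-Password hiding and Response Authenticator check so you can see why each hop needs its own secret and why a mismatched secret on the ClearPass-to-NPS hop shows up as an Access-Reject rather than a clean error. All secrets, usernames and the "directory" are constructed values; Message-Authenticator, the Azure MFA NPS extension's second factor, and network transport are deliberately left out.

```python
import hashlib
import os
import struct

# Constructed per-hop shared secrets (assumptions, not values from the thread).
ASA_TO_CLEARPASS_SECRET = b"asa-hop-secret"
CLEARPASS_TO_NPS_SECRET = b"nps-hop-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte chunks with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain runs on ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # RADIUS TLV: Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_access_request(username, password, secret, ident=1):
    """What the ASA sends toward ClearPass: fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()


def proxy_request(inbound, inbound_secret, outbound_secret):
    """ClearPass as RADIUS proxy: reveal User-Password with the ASA-hop secret,
    re-hide it with the NPS-hop secret under a new Request Authenticator."""
    code, ident, req_auth, attrs = parse_packet(inbound)
    assert code == ACCESS_REQUEST
    new_auth = os.urandom(16)
    out_attrs = [(t, hide_password(reveal_password(v, inbound_secret, req_auth),
                                   outbound_secret, new_auth)
                  if t == ATTR_USER_PASSWORD else v) for t, v in attrs]
    return build_packet(ACCESS_REQUEST, ident, new_auth, out_attrs)


def nps_handle(request, secret, directory):
    """Stand-in for NPS backed by AD: check the password, answer with a signed response.
    A wrong shared secret on this hop decrypts to garbage and so yields Access-Reject."""
    _, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    pw = reveal_password(a[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if directory.get(a[ATTR_USER_NAME].decode()) == pw else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, [], secret), [])


def verify_response(request, response, secret):
    """Proxy-side check before relaying a verdict: ID matches and Response Authenticator is valid."""
    _, rid, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, attrs = parse_packet(response)
    return ident == rid and resp_auth == response_authenticator(code, ident, req_auth, attrs, secret)


def run_chain(username, password, directory):
    """ASA -> ClearPass (proxy) -> NPS/AD, returning the RADIUS code ClearPass relays to the ASA."""
    asa_req = build_access_request(username, password, ASA_TO_CLEARPASS_SECRET)
    nps_req = proxy_request(asa_req, ASA_TO_CLEARPASS_SECRET, CLEARPASS_TO_NPS_SECRET)
    nps_resp = nps_handle(nps_req, CLEARPASS_TO_NPS_SECRET, directory)
    if not verify_response(nps_req, nps_resp, CLEARPASS_TO_NPS_SECRET):
        return ACCESS_REJECT  # unsigned/forged answers are never relayed as Accept
    return parse_packet(nps_resp)[0]


if __name__ == "__main__":
    users = {"alice": "Correct-Horse"}  # constructed sample directory
    print("good creds ->", run_chain("alice", "Correct-Horse", users))
    print("bad creds  ->", run_chain("alice", "nope", users))
```

    The practical check this gives you: when the ClearPass-to-NPS hop is misconfigured (wrong secret on either side), NPS still receives a well-formed Access-Request, but the password it decrypts is noise, so the symptom is a reject against AD rather than a transport failure; compare the shared secrets on both ends of each hop before chasing the AD side.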


  • 3.  RE: Anyconnect VPN NPS Clearpass Setup Question

    Posted Sep 16, 2020 08:40 PM

    Thank you. That answers my question exactly



  • 4.  RE: Anyconnect VPN NPS Clearpass Setup Question

    MVP EXPERT
    Posted Sep 17, 2020 09:46 AM

    Integrate your ASA directly with Azure AD and use Conditional Access to enforce policy. There is no need to go through CPPM.


    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect