I recently configured Azure MFA to authenticate AnyConnect users connecting to a FTD firewall. This required some odd workarounds.

Problems to work around

  1. FTD cannot do SAML, must use RADIUS for AnyConnect AAA (note: later versoins of FTD are SAML capable)
  2. Microsoft NPS with Azure MFA extension must be used for RADIUS Integration to Azure MFA
  3. Microsoft NPS has a limited number of attributes it can filter incoming RADIUS requests on
  4. Customer has a need to only allow certain AD groups access to certain tunnel groups

Authentication Flow

  1. Firewall sends Access-Request to ISE
  2. ISE adds RADIUS:NAS Identifier attribute to Access-Request based on CVPN3000/ASA/PIX7x-Tunnel-Group-Name
  3. NPS filters incoming requests based on NAS Identifier to appropriately authenticate different tunnel groups and does primary authentication against AD.
  4. NPS requests secondary authentication from Azure MFA
  5. Azure MFA completes MFA with user, based on the user’s default MFA method. There is no way to select this during the authentication sequence.
  6. NPS sends result back to ISE
  7. ISE proxies result back to FTD

Authentication Diagram

Authentication Diagram

Identity Services Engine (ISE) Configuration

Network Policy Server (NPS) Configuration

Firepower Threat Defense (FTD) Configuration

User Experience


The NPS logs are a pain to use for troubleshooting. I wrote a quick python script to help parse the logs. You can find it here: https://github.com/gosse/interpret-nps-logs.