topic Re: ISE integration with AD on Azure for Authentication in Network Access Control

ISE integration with AD on Azure for Authentication

Karim Bellassoued — Wed, 12 Feb 2020 09:33:46 GMT

Hi team,

I just wanted to confirm if we can use Active Directory on Azure for users authentication with ISE.

Thanks in advance for your help.

Best regards,

Re: ISE integration with AD on Azure for Authentication

Mark Elsen — Wed, 12 Feb 2020 09:51:16 GMT

- Yes as a couple of the info's below will confirm :

https://community.cisco.com/t5/identity-services-engine-ise/ise-integration-with-azure-ad/td-p/3805022

https://community.cisco.com/t5/identity-services-engine-ise/ise-integration-with-azure-ad/td-p/3729550

Re: ISE integration with AD on Azure for Authentication

Karim Bellassoued — Wed, 12 Feb 2020 10:46:48 GMT

Thanks Marce1000 .

Re: ISE integration with AD on Azure for Authentication

Arne Bier — Thu, 13 Feb 2020 12:44:33 GMT

Hi @Mark Elsen

I'd double-check that, since ISE does not allow Azure AD to be added as an external identity source. Yes, ISE does have SAML integration with Azure AD - but that is quite different than offering MSChapv2 authentication for things like EAP-PEAP authentication. As far as I know, you can not use Azure AD for credential authentication for EAP-PEAP (even if you managed to get a Secure LDAP connection to Azure AD - the password challenge doesn't work over LDAP). You can however use it to perform Authorization (e.g. checking that user X is a member of AD Group).

Re: ISE integration with AD on Azure for Authentication

Greg Gibbs — Thu, 13 Feb 2020 21:57:47 GMT

Any integration with Azure AD would be done via SAML IdP and ISE does not currently support using a SAML IdP for endpoint authentication. SAML IdP is only supported for authentication of the following portals:

Guest portal (sponsored and self-registered)
Sponsor portal
My Devices portal
Certificate Provisioning portal

See the ISE Admin Guide for more information.

Cheers,

Greg

Re: ISE integration with AD on Azure for Authentication

netizenden — Tue, 10 Nov 2020 16:26:05 GMT

Partner SEVT - Security last week updated this guidance, I believe, with arrival of ISE 3.0. Need to confirm tho myself.

Re: ISE integration with AD on Azure for Authentication

sdcorn — Wed, 17 Mar 2021 20:17:39 GMT

netizenden, did you ever confirm if AD on Azure can be used for EAP authentication with ISE 3.0?

Re: ISE integration with AD on Azure for Authentication

Greg Gibbs — Thu, 18 Mar 2021 01:56:07 GMT

See a similar discussion here:

https://community.cisco.com/t5/network-access-control/ise-azure-ad/td-p/4150923

The short answer is that this can only be done directly via ROPC which is very bleeding-edge has its own caveats and limitations.

Re: ISE integration with AD on Azure for Authentication

stayd — Thu, 16 Nov 2023 12:19:17 GMT

Hi Greg Gibbs,

after almost 3 years later, is there any change in SAML IdP for endpoint authentication ?

Re: ISE integration with AD on Azure for Authentication

Greg Gibbs — Thu, 16 Nov 2023 21:16:41 GMT

@stayd... No. SAML is browser-based, so it would require some significant updates to existing EAP protocols or a new EAP protocol to provide this functionality. This is not an ISE limitation, but rather an industry-wide limitation.

See this blog discussion for current options with ISE and Entra ID.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune

Re: ISE integration with AD on Azure for Authentication

Sdiana — Mon, 17 Mar 2025 22:49:50 GMT

Hi Greg,

Does it mean SAML can't not be used for Authorization either? @Arne has mentioned in this post: "You can however use it to perform Authorization (e.g. checking that user X is a member of AD Group)."

Re: ISE integration with AD on Azure for Authentication

Greg Gibbs — Mon, 17 Mar 2025 23:48:06 GMT

No. The currently available options for authentication/authorization of users and devices against Entra ID are in the blog post I previously shared the link for below.

Re: ISE integration with AD on Azure for Authentication

Sdiana — Tue, 18 Mar 2025 02:31:04 GMT

Thank you, Greg for the reply. Would you also have info about ISE release roadmap? This link cs.co/ise-pm is Cisco internal. We are deploying ISE 3.3 patch 4 instances in AWS for our customer and want to make sure this release will be Cisco recommended release for at least next 6-7 months.

Re: ISE integration with AD on Azure for Authentication

Greg Gibbs — Tue, 18 Mar 2025 20:57:48 GMT

Roadmap is not discussed on public forums. Personally (this is not a commitment from Cisco), I would expect that 3.4 would be designated the recommended release somewhere between 3-6 months from now, but I certainly would not deploy 3.4p1 in production at this time.