https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985882#M455582 <P>Thanks for the reply.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><SPAN>They are using machine based certificates. Is that the same as machine authentication? And if not what would machine authentication look like in ISE?</SPAN></P> Tue, 19 Nov 2019 13:30:50 GMT boclabor 2019-11-19T13:30:50Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985587#M455580 <P><SPAN>I would like to ask a question about ISE and Azure AD. Today ISE use’s traditional AD DC controllers for account lookup and attributes to measure the user with for network access. The company is moving to Azure AD in the cloud. There will still be on premises AD controllers specifically where ever there is a PSN. For obvious reasons that’s takes care of any latency problems. The differences is the on premises AD controllers will not contain any of the user’s computer objects. Does an on prem AD controller that gets its feed via the AD connector from AZURE AD and contains Zero computer objects affect ISE in any way?</SPAN></P> Mon, 18 Nov 2019 22:37:13 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985587#M455580 boclabor 2019-11-18T22:37:13Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985593#M455581 <P>The Azure AD Connector running as a Service on the on-prem AD can receive objects from Azure. This means you create accounts in Azure portal and then they appear on the on-prem server. The opposite is true too - you can create objects on-prem and have them sync'd to Azure AD.</P> <P>Not sure what you mean by "Zero computer objects"? If you're authenticating users via AD then I suppose you don't need the computer objects. But if you're doing machine authentication then I would argue that those accounts should reside on the on-prem AD servers??? It's been a while since I set up our Sync, but perhaps you can also sync machine objects to Azure AD.</P> <P>&nbsp;</P> Mon, 18 Nov 2019 22:47:52 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985593#M455581 Arne Bier 2019-11-18T22:47:52Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985882#M455582 <P>Thanks for the reply.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><SPAN>They are using machine based certificates. Is that the same as machine authentication? And if not what would machine authentication look like in ISE?</SPAN></P> Tue, 19 Nov 2019 13:30:50 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3985882#M455582 boclabor 2019-11-19T13:30:50Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986005#M455583 <P>No, machine authentication requires a computer object in AD, and a successful directory user authentication to that machine. It is specifically enabled in the ISE AD connector on the advanced tab.&nbsp; Machine certificates would be used for (typically) EAP-TLS authentication outside of Active Directory.</P> Tue, 19 Nov 2019 15:43:10 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986005#M455583 msmith101 2019-11-19T15:43:10Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986172#M455584 <P><SPAN>Thanks for the machine object clarification.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Will ISE integrate with Azure AD with on </SPAN><SPAN class="SpellE">prem</SPAN><SPAN> ISE and how. For example is that with on </SPAN><SPAN class="SpellE">prem</SPAN><SPAN> AD controllers or ISE can talk directly with Azure AD in the cloud?&nbsp; I have heard for some time ISE is on the cusp of integrating with Azure AD.&nbsp;</SPAN></P> Tue, 19 Nov 2019 19:32:14 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986172#M455584 boclabor 2019-11-19T19:32:14Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986230#M455585 <P>Let's define "integrate with" : in terms of an external identity source, ISE can be configured with an on-prem Active Directory Controller using the AD Integration or LDAP. If you use LDAP, then you're limited in terms of the password authentication that LDAP will support. There <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5" target="_self">is a table in the User Guide</A> that shows that.&nbsp;</P> <P>If you hosted your AD controllers in the public cloud then you could in theory integrate ISE with that too (over an AWS VPC etc.) - in that case your data centre lives in the public cloud and your ISE server may be on-prem - some hybrid arrangement.</P> <P>If you think of "cloud-native" Azure-AD, then ISE does not have an integration for that. But you could use secure LDAP to tunnel your LDAP requests from on-prem to the public cloud. But the results are not the same as doing ISE&lt;-&gt;AD integration (see table link above).&nbsp;</P> <P>&nbsp;</P> <P>It certainly would be nice to have a cloud native integration. I would recommend sending a feature request <A href="https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A7707FD7A6" target="_self">via the Feedback link</A>&nbsp;to the PM.</P> <P>&nbsp;</P> <P>regards</P> <P>&nbsp;</P> Tue, 19 Nov 2019 21:37:43 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/3986230#M455585 Arne Bier 2019-11-19T21:37:43Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4398933#M567175 <P>Arnie, If you have current implementation with on Prem AD, can you add Azure AD to the mix if starts issuing certificates to machines and be seen and validated.</P> Thu, 06 May 2021 18:01:12 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4398933#M567175 raymondmf 2021-05-06T18:01:12Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4399072#M567183 <DIV id="bodyDisplay_0" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>The only current method for authenticating 802.1x against AzureAD requires using ISE 3.0 and ROPC.</P> <P>See the <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html" target="_blank" rel="noopener nofollow noreferrer">Configure ISE 3.0 REST ID with Azure Active Directory</A> TechNote for more information.</P> </DIV> </DIV> Fri, 07 May 2021 01:14:40 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4399072#M567183 Greg Gibbs 2021-05-07T01:14:40Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4821313#M581365 <P>Hi Greg Gibbs,</P><P>I want to connect mi cisco ise 2.6 to Azure AD, is it possible ? If its possible could you share any cisco reference about that ?<BR />I want my laptop join AD via Cisco ISE.</P><P>Regards<BR />Serge</P> Tue, 25 Apr 2023 12:54:50 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4821313#M581365 sdjoumgoue 2023-04-25T12:54:50Z https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4821483#M581372 Hi,<BR /><BR />It's only supported from ISE 3.0 onwards. FYI<BR /><BR /><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635" target="_blank">https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635</A><BR /><BR />****please remember to rate useful posts<BR /><BR /> Tue, 25 Apr 2023 16:48:59 GMT https://community.cisco.com/t5/network-access-control/ise-and-azure-ad/m-p/4821483#M581372 Mohammed al Baqari 2023-04-25T16:48:59Z