topic Re: ISE Azure AD ? in Network Access Control

ISE Azure AD ?

Cristian Venegas — Mon, 14 Sep 2020 19:46:53 GMT

Folks,

We’ve got a customer who is adopting Azure AD and has operations in several countries.

Their use case includes 802.1X for wired/wireless, VPN and Guest services.

As far as i know, we currently support Azure AD with SAML, which could take care of the Guest Services and VPN part of the request (https://community.cisco.com/t5/security-documents/notes-on-azure-ad-as-saml-idp/ta-p/3644255). However, for 802.1X wired/wireless services, it is my understanding that we officially do not support it yet (https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/td-p/3805022). I’ve seen some notes on the possibility about using LDAPS, but this approach has limitations (ie: PEAP-MSCHAP-v2). Other folks advise to join MS AD directly. It is my understanding that ISE on Public Cloud is on the roadmap as well.

Please, any advise, experiences, ideas, official take on on this or roadmap information is more than welcome.

Thank you.

Regards,

.:|:.:|:. Cristian Venegas | Technical Solutions Architect - Security | +56 (9) 9632 1494 | crvenega@cisco.com

Re: ISE Azure AD ?

Greg Gibbs — Tue, 15 Sep 2020 02:27:49 GMT

The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There currently no industry-standard method for authenticating 802.1x via SAML/OAuth except maybe ROPC which is really just a stop-gap and not recommended for use in Production at this time.

Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm

Re: ISE Azure AD ?

surasky — Mon, 26 Oct 2020 15:42:18 GMT

ISE 3.0 supports 802.1X with Azure AD using ROPC.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/release_notes/b_ise_30_rn.html#concept_uhf_4rm_gnb

Re: ISE Azure AD ?

pattani.parag23 — Fri, 06 Nov 2020 12:07:18 GMT

Hi Surasky

We are planning to Implement - > ( 802.1X + MAB ) For Wired and Wireless Corporate user on ISE 3.0 with Azure AD using ROPC.

We are lookin here Implementation guide.

Requesting to you please share.

Regards

Re: ISE Azure AD ?

Nicolai Borchorst — Fri, 06 Nov 2020 17:59:12 GMT

See https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

There is only limited 802.1X Support, and ROPC is only supported using EAP-TTLS with PAP as the inner method (Clear Text). This means support for somewhat unsecure username/password, it's in clear text but it is encapsulated in the EAP-TTLS outer tunnel. There is no support for Certificates yet.

For now i would recommend looking into doing a combination of 802.1X and MDM Integration instead of ROPC.

Re: ISE Azure AD ?

pattani.parag23 — Mon, 09 Nov 2020 18:03:57 GMT

I have gone through that link but could not find ISE Configuration Guide its is only Azure Configuration Guide. Can you help me what ISE configuration required in 3.0 ?

Regards

Re: ISE Azure AD ?

bergamok — Wed, 13 Dec 2023 15:28:33 GMT

Has something changed in the last 3 years? is ROPC still not recommended for production?

Thanks

Re: ISE Azure AD ?

Greg Gibbs — Wed, 13 Dec 2023 21:01:35 GMT

ROPC still has significant performance limitations (max 50 authentications per second) and user experience issues. See this blog for available options related to Entra ID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635