topic Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication in Network Access Control

Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication

Jithishkk1514 — Fri, 11 Jun 2021 15:05:23 GMT

Hello Team,

We are going to deploy Cisco ISE 3.0 with azure AD, There is a requirement from customer to integrate the security and network devices for TACACS user authentication.

This solution is possible with Cisco ISE with Azure AD ,as i understand only ROPC protocol works between Cisco ISE & Azure AD.

Please help.

Regards,

Jithish K K

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication

thomas — Fri, 11 Jun 2021 23:59:58 GMT

From the ISE Admin Guide:

SAMLv2 Identity Provider as an External Identity Source

SAML SSO is supported for the following portals:

Guest portal (sponsored and self-registered)

Sponsor portal

My Devices portal

Certificate Provisioning portal

You cannot select IdP as external identity source for BYOD portal, but you can select an IdP for a guest portal and enable BYOD flow.

Cisco ISE is SAMLv2 compliant and supports all SAMLv2 compliant IdPs that use Base64-encoded certificates. The IdPs listed below have been tested with Cisco ISE:

Oracle Access Manager (OAM)

Oracle Identity Federation (OIF)

SecureAuth

PingOne

PingFederate

Azure Active Directory

The IdP cannot be added to an identity source sequence.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication

Jithishkk1514 — Mon, 14 Jun 2021 10:49:29 GMT

Thanks Thomas,

Can you please confirm whether TACACS can be used in ISE 3.0 version with Azure AD.?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication

Greg Gibbs — Wed, 16 Jun 2021 03:08:56 GMT

The Device Admin Policy Set does not support Authorization Policy conditions using the ROPC Azure AD store. As such, you cannot match on AzureAD groups for differentiated device admin access.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

hasitha siriwardhana — Tue, 01 Nov 2022 06:16:22 GMT

Is TACACS authentication/Authorization for network device support with ISE 3.2 and azure AD?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Wed, 02 Nov 2022 21:09:03 GMT

No, there is no change to this behaviour in the current release of ISE 3.2.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

kirk.thibodeaux — Thu, 16 Mar 2023 17:57:37 GMT

Is there a way to pass the Authentication with AzureAD and handle authorization on Cisco ISE?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Thu, 16 Mar 2023 21:09:18 GMT

As I stated earlier in this thread:
"The Device Admin Policy Set does not support Authorization Policy conditions using the ROPC Azure AD store. As such, you cannot match on AzureAD groups for differentiated device admin access."

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

emgalanme — Tue, 25 Apr 2023 21:28:52 GMT

Hey Greg. Is user authentication supported with ISE + Azure AD for tacacs (not authorization) in ISE 3.2 ?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Wed, 26 Apr 2023 01:29:12 GMT

Technically yes, you can use an ROPC Identity Store in the Device Admin Authentication Policy. The Authentication session will pass, but the Authorization session will result in a process failure.

You could mitigate the process failure by configuring the advanced option for 'If process fail = CONTINUE' but there would still be no way to differentiate authorization for different levels of admin access (Read-Write versus Read-Only, for example). You would be limited to the result of the Default Authorization Policy.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

steve.berglund — Thu, 04 May 2023 16:30:56 GMT

The process fail option didn't actually work, since the secondary authentication results in a user not found, not necessarily a process failure. So the only way to make it "work" is a user not found-continue, which ends up allowing any Bunk username to pass. Which is obviously not an option...

Recommendation is to either use on prem MS AD or local accounts in ISE.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

mike.bradley — Mon, 28 Oct 2024 19:40:30 GMT

When will Cisco support AZURE saml IDP for TACACS+ authentication?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Mon, 28 Oct 2024 21:44:21 GMT

First of all, roadmap is not discussed on this public forum.

Secondly, SAML is browser-based so I'm not sure how that would work with TACACS+. The client itself would have to be able to pop up a browser to complete the authentication.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

MSJ1 — Wed, 18 Feb 2026 22:27:21 GMT

@Greg Gibbs Is there in the behavior if ise version is 3.4 or 3.5 now to do external authentication for Device Administration using Entra ID ?

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Sun, 22 Feb 2026 22:02:44 GMT

The first stop for questions like this should be to review the Release Notes found at https://cs.co/ise-docs

This is a new feature in ISE 3.5 and is clearly documented in those Release Notes.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

MSJ1 — Wed, 25 Feb 2026 18:24:53 GMT

But do you agree that since Device Policy Set will use Entra ID user group as part of Device Policy Set , we may will fall into same for the bug ( CSCws30603 ) ISE unable to fetch user group membership if user belongs to more than 20 groups.

Re: Cisco ISE 3.0 with Azure AD deployment - TACACS User authenticatio

Greg Gibbs — Wed, 25 Feb 2026 21:45:03 GMT

Yes, it still uses Graph API calls so it would be subject to that bug