https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726680#M578448 <P>We are implementing Azure AD EAP-TLS authentication on ISE 3.2 using the following guide:&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html</A></P> <P>We have hit an issue where in the rest-id-store.log we are getting the following error (Insufficient privileges to complete the operation):</P> <P><EM>,799 ERROR [http-nio-9601-exec-5][[]] cisco.ise.ropc.utilities.RestUtility -::::- Error response in 'GET' request. Status - '403'. Error - '{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation</EM></P> <P>In the ISE 3.2 demonstration video, the same error occurs and the presentor is unable to get it working (Time 29.40) and does not provide any resolution:</P> <P><STRONG><A href="https://www.youtube.com/watch?v=857hIkxkEAU" target="_blank" rel="noopener">https://www.youtube.com/watch?v=857hIkxkEAU</A></STRONG></P> <P>Has anyone managed to get this working and solve the 403 permission error or does EAP-TLS on 3.2 not work?</P> Wed, 23 Nov 2022 15:21:45 GMT seankin 2022-11-23T15:21:45Z https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726680#M578448 <P>We are implementing Azure AD EAP-TLS authentication on ISE 3.2 using the following guide:&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html</A></P> <P>We have hit an issue where in the rest-id-store.log we are getting the following error (Insufficient privileges to complete the operation):</P> <P><EM>,799 ERROR [http-nio-9601-exec-5][[]] cisco.ise.ropc.utilities.RestUtility -::::- Error response in 'GET' request. Status - '403'. Error - '{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation</EM></P> <P>In the ISE 3.2 demonstration video, the same error occurs and the presentor is unable to get it working (Time 29.40) and does not provide any resolution:</P> <P><STRONG><A href="https://www.youtube.com/watch?v=857hIkxkEAU" target="_blank" rel="noopener">https://www.youtube.com/watch?v=857hIkxkEAU</A></STRONG></P> <P>Has anyone managed to get this working and solve the 403 permission error or does EAP-TLS on 3.2 not work?</P> Wed, 23 Nov 2022 15:21:45 GMT https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726680#M578448 seankin 2022-11-23T15:21:45Z https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726709#M578450 <P>Yes, I included the solution in the <STRONG>Show Notes</STRONG> of that YouTube video&nbsp; 8-)</P> <P><SPAN class="yt-core-attributed-string yt-core-attributed-string--white-space-pre-wrap"><span class="lia-unicode-emoji" title=":light_bulb:">💡</span>The permissions problem in the demo was 1 additional API Permission in Azure Active Directory was required to make it work. The 3 required permissions are <BR /></SPAN><SPAN class="yt-core-attributed-string yt-core-attributed-string--white-space-pre-wrap">- Group.Read.All<BR />- User.Read<BR />- User.Read.All&nbsp; ◁◁◁ This was missing!</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE 3.2 - Azure AD Permissions for EAP-TLS.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/168843iFB974B9A02B9987C/image-size/large?v=v2&amp;px=999" role="button" title="ISE 3.2 - Azure AD Permissions for EAP-TLS.png" alt="ISE 3.2 - Azure AD Permissions for EAP-TLS.png" /></span></P> Wed, 23 Nov 2022 16:06:12 GMT https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726709#M578450 thomas 2022-11-23T16:06:12Z https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726711#M578451 <P>Brilliant! Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 23 Nov 2022 16:07:59 GMT https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4726711#M578451 seankin 2022-11-23T16:07:59Z https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4795672#M580537 <P>Hi there. This is EAP-TLS with Azure AD users. Would this also work with Azure AD computer accounts as well?</P> Thu, 16 Mar 2023 14:30:10 GMT https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4795672#M580537 Jan Junker 2023-03-16T14:30:10Z https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4796016#M580557 <P>There is no such thing as an Azure AD 'Computer' account. See this document for more information.</P> <P><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635" target="_blank" rel="noopener">Cisco ISE with Microsoft Active Directory, Azure AD, and Intune</A>&nbsp;</P> Thu, 16 Mar 2023 21:04:43 GMT https://community.cisco.com/t5/network-access-control/ise-3-2-eap-tls-azure-ad-permission-error/m-p/4796016#M580557 Greg Gibbs 2023-03-16T21:04:43Z