topic Re: ISE 3.2 and AzureAD - groups retrieve in Network Access Control

ISE 3.2 and AzureAD - groups retrieve

pio.gra — Fri, 16 Dec 2022 13:04:27 GMT

Hi,

I'm trying to connect ISE 3.2 to AzureAD, the connection itself worked fine (following the guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html) but now I'm not able to read any AD groups. After clicking on "Retrieve groups" it tries for few minutes and then it says "No Data Found".

The other question - is it possible to read extended attributes from the AzureAD accounts?

Re: ISE 3.2 and AzureAD - groups retrieve

thomas — Fri, 16 Dec 2022 17:07:21 GMT

These are the required permissions that I have used successfully with AzureAD for both scenarios :
- EAP-TTLS+PAP username+password authentication+authorization using in ISE 3.0+
- EAP-TLS (or TEAP) user certificate authentication with AzureAD group authorization in ISE 3.2+

Re: ISE 3.2 and AzureAD - groups retrieve

Rodrigo Diaz — Fri, 16 Dec 2022 19:23:45 GMT

@pio.gra try to check out the ropc .log, this can provide you a view of what could be missing/failing within your configuration , this can be seen in the PAN node via CLI with the command "show logging application ropc/ropc.log (tail) ", what I would recommend here is to tail the process in real time while attempting to retrieve the groups and also taking a pcap to ISE so you can get further insight on what's happening .

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Mon, 19 Dec 2022 09:46:14 GMT

@thomas I have it configured exactly the same way but no success unfortunately.

@Rodrigo Diaz I'm not able to read the logs for some reason, I have tried with the command you gave and get no output. Via GUI I can see the following:

but I'm not able to download any of the files. Or maybe I'm doing something wrong?

Re: ISE 3.2 and AzureAD - groups retrieve

Rodrigo Diaz — Mon, 19 Dec 2022 14:27:07 GMT

@pio.gra please share what you are getting in the CLI , you can attempt the command "show logging application | i ropc ", for further details of what you might expect to see refer to the section "working with logs" from the following link https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html in case you don't get outputs like those or even errors , it may indicate some configurations within your setup are missing .

Let me know if that helped

Re: ISE 3.2 and AzureAD - groups retrieve

thomas — Mon, 19 Dec 2022 15:56:38 GMT

I have experienced the same bug in ISE 3.2 trying to download the log file.

Verify that you have entered the correct Username Suffix for your Azure AD domain, beginning with the required '@' symbol. For example, my Azure AD Username Suffix in ISE is @trust0.onmicrosoft.com

You should be able to see this on the Overview page in Azure AD:

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Tue, 20 Dec 2022 10:20:28 GMT

@Rodrigo Diaz - it's a very good catch, I was trying with the wrong path:

admin#show logging application | include ropc
48077 Nov 17 2022 16:18:22 ropc/rest-id-store.log
438141 Nov 14 2022 13:10:56 ropc/rest-id-store.log.2022-11-14-1

so when I tried with: admin#show logging application ropc/rest-id-store.log

it showed the output and the issue I see at the first sight is: The user account {EmailHidden} does not exist in the {hidden} directory. To sign into this application, the account must be added to the directory.

Is it an AD thing or should I configure something more in ISE?

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Tue, 20 Dec 2022 10:19:51 GMT

@thomas - I have checked that and it is configured properly, the issue is that ISE is not able to communicate with the AD, see the above post.

Re: ISE 3.2 and AzureAD - groups retrieve

thomas — Tue, 20 Dec 2022 17:09:49 GMT

Do you know approximately how many Azure AD groups your domain has? I believe the REST ID Store was only tested with <=5000 groups in Azure AD so if you have significantly more, it may be timing out without downloading all of the groups

Re: ISE 3.2 and AzureAD - groups retrieve

Rodrigo Diaz — Tue, 20 Dec 2022 18:52:10 GMT

@pio.gra I have checked your log , I would double check up the tenant and the AD that you are using in the integration , it also likely that you might be hitting the following bug CSCwd78306 as per the version in which you are which is 3.2 , in that scenario if it's possible for you test that out in another version of ISE while this bug is solved.

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Tue, 20 Dec 2022 20:20:49 GMT

@thomas - not sure about the groups, but I believe it will be less than 5000, will check it

@Rodrigo Diaz - that bug looks interesting and it's most likely it 😞 Is there any other way to integrate ISE and AzureAD? We have more and more devices migrated and it's now crucial for me to include those in all the policies... I'm currently using ISE 2.6 in the production, wanted to implement 3.2 because of the native cloud support (I need to have some nodes in the Azure cloud), and the AzureAD integration of course.

Re: ISE 3.2 and AzureAD - groups retrieve

Rodrigo Diaz — Tue, 20 Dec 2022 23:12:09 GMT

Unfortunately this is the only way to achieve the integration with the AzureAD.

It would appear that the bug is going to be solved in patch 1 for this version that has a tentative date to be released in next Month , in any case what I would advise you is to either wait for the patch 1 to be available and test out the integration again or if it's urgent to get this deployment working in 3.2 to open a TAC case to get a hotfix patch.

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Wed, 21 Dec 2022 09:13:33 GMT

@Rodrigo Diaz - thanks for all the information, do you know if 3.1 is also affected? Maybe I could install the older version just to be able to work on testing the policies etc... before the bug is fixed.

Re: ISE 3.2 and AzureAD - groups retrieve

Rodrigo Diaz — Wed, 21 Dec 2022 14:09:10 GMT

Yes you can try out another 3.X version to review if you are getting the same result , as per the bug conditions it has not been documented other versions affected.

Re: ISE 3.2 and AzureAD - groups retrieve

pio.gra — Mon, 06 Mar 2023 13:29:52 GMT

If anyone has the same issue - it is now fixed in Patch 1.