topic Re: ISE Join with Azure AD Directory Services in Network Access Control

ISE Join with Azure AD Directory Services

packet2020 — Fri, 24 Feb 2023 20:30:14 GMT

Hi All,

I am currently looking at options to integrate ISE with Azure AD. From my basic understanding, Azure AD Domain Services supports traditional join operations to support legacy services. If we were to migrate to Azure AD, can ISE join Azure AD Directory services in the same way that it would with an on-prem AD server? Is this supported?

Re: ISE Join with Azure AD Directory Services

dalbanil — Fri, 24 Feb 2023 20:58:46 GMT

Hello packet2020, it is possible, here you have an excellent document that guides you on how to do it, it also contains examples of the policies on ISE that you could use for authorization, let me know if this helped.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.pdf

Re: ISE Join with Azure AD Directory Services

packet2020 — Fri, 24 Feb 2023 21:06:04 GMT

Hi @dalbanil

Thanks for the reply, however this is not quite what I am asking. The above document is to integrate ISE with Azure AD using REST with ROPC. What I want to know is if can we join ISE to Azure AD Domain Services in the same way that we do today with traditional on-prem AD (configured under External Identity Sources -> Active Directory)? I'm aware that Azure AD DS has some limitations, however do these impact ISE join?

Re: ISE Join with Azure AD Directory Services

ahollifield — Fri, 24 Feb 2023 21:23:59 GMT

https://youtu.be/iAKyIHFqbgE

Re: ISE Join with Azure AD Directory Services

ahollifield — Fri, 24 Feb 2023 21:25:37 GMT

Great question. Is this the same thing as a "hybrid" Azure AD environment or a totally separate thing? Is there still an on-premise AD footprint?

Re: ISE Join with Azure AD Directory Services

packet2020 — Fri, 24 Feb 2023 21:38:55 GMT

This would be in the absence of on-prem AD, so cloud only and no hybrid. So we would have Azure AD with an Azure AD Domain Services managed domain.

Windows servers can join the Azure AD DS managed domain so I would be interested to know if ISE can as well.

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Tue, 28 Feb 2023 03:09:47 GMT

From what I can tell based on the documentation and installing Azure AD DS in my lab, AADDS is simply a SaaS offering by Azure for traditional Active Directory. Rather than have an IaaS deployment in the cloud where you manage the OS and deploy your own traditional Active Directory services, with AADDS the OS is managed by MS and you just have the limited control over the traditional AD services.

I was successfully able to perform the following actions in ISE using my AADDS managed domain. The functionality worked the same as with a normal traditional AD deployment on-prem or in the cloud (IaaS).

Create an AD join point and join my ISE node to the domain
Add cloud-only AD groups defined in Azure AD
Perform a Test User lookup for a cloud-only user account in Azure AD
Configure Admin Access for the ISE GUI to use my AD join point, map an Azure AD group to the Super User RBAC role, and login to the ISE GUI using a cloud-only AD user account (member of the group).

Re: ISE Join with Azure AD Directory Services

shujath-syed — Mon, 10 Feb 2025 16:10:05 GMT

Is this still valid? I am trying to add entra id as a join point in Cisco ISE and I get the following error. I am trying to add this under ext identity - > active directory. There is no domain controller for entra id and I am getting this error that it can't find domain name. Do I need to add entra in a different way?

Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049

Detailed Log:

Error Description :
Failed to find domain controller in domain xyz.COM : domain does not exists in DNS

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Mon, 10 Feb 2025 21:31:47 GMT

Are you referring to Entra Domain Services (which is what the original discussion was about) or Entra ID?

If you're referring to Entra ID, there is no 'domain' to join. Entra ID is not Active Directory. For supported use cases with ISE related to Entra ID, see Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

Re: ISE Join with Azure AD Directory Services

shujath-syed — Tue, 11 Feb 2025 02:51:18 GMT

I am referring to entra id join. I am using ISE 3.3 in Azure for NAC. Do I need to join them to entra id or I can just do it without? I am using 802.1x EAP-TLS machine cert for auth using cert connector. So do I need to join entra id in ISE or I can do it without. How will I integrate Entra ID with Cisco ISE. If I don't integrate how with auth happen?

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Wed, 12 Feb 2025 00:19:45 GMT

All of the currently supported options for ISE Authentication/Authorization using Entra ID are described in the document I shared in the prior thread.

Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

Re: ISE Join with Azure AD Directory Services

anu-fatokun — Tue, 04 Mar 2025 04:48:22 GMT

Hi Greg,

How are you able to do point #2. I am using On-prem AD joined to Entra ID. My ISE is joined to the on-prem AD, and I can retrieve cloud-only AD group defined in Azure AD to my on-prem AD join point. Right now, I am able to join the Integrate the Entra ID through the REST ROPC, but I am not able to retrieve groups. I suspect because I logged into the ISE GUI through a local admin and its using that account to try to retrieve the group which is not in Azure. I believe your solution will solve it but I'm unclear how to retrieve the cloud-only AD group so I can use the user in that group to login into ISE. Please kindly explain how I can achieve this....stuck with this issue for days. thanks

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Tue, 04 Mar 2025 23:34:38 GMT

I'm not sure I understand your question. The Entra ID Connector only syncs traditional Active Directory groups into Entra ID. There is no sync of Users/Groups created directly in Entra ID back into Active Directory.

Re: ISE Join with Azure AD Directory Services

TCPIP2024 — Wed, 05 Mar 2025 09:53:27 GMT

Hello,

I have set up an ISE 3.4 and successfully integrated Entra ID via ROPC REST. However, when testing Wi-Fi authentication with EAP-TTLS, it fails.

In the RADIUS logs, I can see that the connection to my REST ID is successful, but then the authentication fails with the following resolution message:

"Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is properly installed in the client's supplicant. Check the previous steps in the log for this EAP-TTLS conversation for a message indicating why the authentication failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information."

I have checked my certificates, and they are all active. However, I can't find where the local certificates are stored in this version 3.4.

Notably, when I set up the same configuration on ISE 3.0 (patch 8), I had no certificate-related issues.

Does anyone have an idea of what might be causing this issue?

Thanks in advance for your help!

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Wed, 05 Mar 2025 22:21:20 GMT

This is off the topic of the original post. In the future, please start a new conversation for new questions and keep one topic per post.

The path in the error is a cosmetic issue. This should refer to the Administration > System > Certificates > Certificate Management > System Certificates page.

This error typically indicates that the supplicant does not trust the EAP certificate presented by the server (ISE). Confirm that the Windows endpoint has the Root and Intermediate certificates that signed the ISE EAP cert in the relevant trust stores and that the supplicant is configured to trust them.

If you are still having issues, please start a new conversation and post screenshots of your certificate store, supplicant configuration, and ISE EAP cert chain or open a TAC case to investigate further.

Re: ISE Join with Azure AD Directory Services

JustTakeTheFirstStep — Wed, 25 Feb 2026 07:12:17 GMT

@Greg Gibbs
I'm trying to integrate ISE with ENTRA ID.
If I use AADDS(Entra Domain Service), will the client be able to use MSCHAPv2?

Re: ISE Join with Azure AD Directory Services

ahollifield — Wed, 25 Feb 2026 11:06:12 GMT

No. Also don’t use MS-Chapv2 in 2026

Re: ISE Join with Azure AD Directory Services

Greg Gibbs — Wed, 25 Feb 2026 21:32:25 GMT

Entra DS is essentially AD in the cloud, so theoretically ISE *should* be able to integrate with it the same as AD. If it does, then you *should* be able to use PEAP(MSCHAPv2) the same way you can with AD.

I have not had the ability to test integration with Entra DS due to subscription/licensing restrictions, so this is all just theoretical.

However, as @ahollifield stated previously, MSCHAPv2 should be avoided. It uses broken encryption and MS is actively working to deprecate it in favour of more secure methods like EAP-TLS.