topic Re: ISE Condition: Device in AZURE Group in Network Access Control

ISE Condition: Device in AZURE Group

fabioairoldi — Fri, 31 May 2024 07:47:58 GMT

Hello all,

I am relatively new to Cisco ISE and all the possible conditions; I would like to know how to create the following condition:

check if a device is member of an Azure AD group.

The device will be Azure only (so no registration on-prem).

I am running ISE version 3.2.0.542 patch 5

The Azure AD tenant has already been configured as REST External Identity Source.

thanks for the help

Re: ISE Condition: Device in AZURE Group

Arne Bier — Sun, 02 Jun 2024 20:28:03 GMT

I don't have access to Azure, but if you have the External Identity Source configured, then it will appear in the Policy Set, when you create a new Authorization Rule.

In my case I have an on-prem AD - but ISE will list your Azure Identity Source in the drop-downlist

Re: ISE Condition: Device in AZURE Group

Greg Gibbs — Sun, 02 Jun 2024 22:04:53 GMT

No, it is not currently possible to Authorize an Entra Joined Device against Entra ID using the REST ID function. Only User Authorization is possible. See my blog linked below for current options supported in relation to ISE and EntraID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

Re: ISE Condition: Device in AZURE Group

Arne Bier — Sun, 02 Jun 2024 23:54:31 GMT

thanks @Greg Gibbs - it shows how little (zero) engagement I have with this stuff in my day to day.

Re: ISE Condition: Device in AZURE Group

fabioairoldi — Mon, 03 Jun 2024 13:10:05 GMT

Thanks @Greg Gibbs

am I to understand that it's also not possible to check if a device is enrolled in Entra ID? So no group check, just authenticate based on whether or not it's present.

Currently I am authenticating based on a simple check on the Certificate - Issuer CN.

May I ask what would a better way to make this rule stricter WITHOUT using any USER-based conditions?

Thanks

Re: ISE Condition: Device in AZURE Group

Greg Gibbs — Mon, 03 Jun 2024 22:04:10 GMT

Correct. ISE currently does not have the ability to check anything related to the registration/join status of a Device in Entra ID as part of the Authentication or Authorization process. The Device is only authenticated based on a valid/trusted certificate presented to ISE.

Using the Intune MDM registration/compliance status of the device as a condition for authorization is currently the best option for additional security control.

Re: ISE Condition: Device in AZURE Group

icarimo — Mon, 05 Aug 2024 15:52:45 GMT

Hello,

Could you please help me to clarify this doubt:

To authenticate my wireless users using traditional AD, I have a policy where I am validating if the computer name (CN) on the certificate belongs to Computer domain group, I am not specifying a specific AD group.

Which EntraID attribute or membership group can I validate to authenticate my wireless users that are in EntraID? I don't want to specify a specific group (e.g., Sales, Marketing).

Note: I am not using MDM,
If am not wrong, from what I understood, there is not possible to check if the device is EntraID registered.
So how can I create the authotization profile, with which attributte should I compare?

Re: ISE Condition: Device in AZURE Group

Greg Gibbs — Mon, 05 Aug 2024 22:30:26 GMT

The question is a bit confusing as you're referencing authenticating Users based on a Computer name, which is not possible.

If you want to authorize your Users against Entra ID as per the User Authorization with Entra ID and EAP-TLS use case, those users would need to be part of a Group in Entra ID and that Group would need to be added in the REST ID Store configure in ISE.

Re: ISE Condition: Device in AZURE Group

icarimo — Tue, 06 Aug 2024 07:29:08 GMT

Hello @Greg Gibbs

Thank you for the quick reply.
Sorry the confusion, let me rephrase.

- I want to authenticate my wireless devices using EAP-TLS.
- The device a register in EntraID.
- I am using Essentials licenses I don´t have Intune

In the authentication rule, I will check if the device certificate was issued by the correct CA.
Then my doubt is in the authotization rule...
How can I create the authotization rule to check the device certificate CN and validate if it exist in EntraID?
--- In other words, I want to see the if CN exist in the list of EntraID devices, if yes. I will permit access.

I saw this example, however I don´t want to specify the group, just to validate if belongs to any EntraID group, permit access

Re: ISE Condition: Device in AZURE Group

Greg Gibbs — Tue, 06 Aug 2024 22:13:08 GMT

This has been stated repeatedly and I do not know how to state it more simply... ISE cannot current check anything about a Device against Entra ID. This is true of any kind of Device and join type (Entra Joined, Entra Hybrid Joined, Entra Registered) in Entra ID.

If the Device is enrolled with a User certificate (with the UPN) and configured for User authentication, ISE can use Entra ID Group membership and/or the other 44 attributes specified in the blog post shared earlier as conditions for authorization of the User session.

Re: ISE Condition: Device in AZURE Group

shujath-syed — Thu, 20 Feb 2025 15:33:39 GMT

on your point above for wireless aaa 802.1x case with ISE essentials - The Device is only authenticated based on a valid/trusted certificate presented to ISE.

If I use issuer CN, how will ISE identify its a valid/trusted certificate. How will the revocation/expiry can be managed?

how will ISE know its not revoked or expired certificate?

Re: ISE Condition: Device in AZURE Group

fabioairoldi — Thu, 20 Feb 2025 15:52:51 GMT

You can set a series of Trusted Root in ISE, and for each define a CRL lookup address and timeframe