https://community.cisco.com/t5/network-access-control/cisco-ise-azure-ad-integration-ropc/m-p/5165105#M591358 <DIV class="cuf-body cuf-questionTitle forceChatterFeedBodyQuestionWithoutAnswer" data-aura-rendered-by="94:1186;a" data-aura-class="forceChatterFeedBodyQuestionWithoutAnswer"><SPAN>Has anyone come across similar case as below?</SPAN></DIV> <DIV class="cuf-body cuf-questionBody forceChatterFeedBodyQuestionWithoutAnswer" data-aura-rendered-by="98:1186;a" data-aura-class="forceChatterFeedBodyQuestionWithoutAnswer"> <DIV class="cuf-feedBodyText forceChatterMessageSegments forceChatterFeedBodyText" data-aura-rendered-by="102:1186;a" data-aura-class="forceChatterMessageSegments forceChatterFeedBodyText"> <DIV class="feedBodyInner Desktop"> <P><SPAN class="uiOutputText">I have ISE 3.2 (patch5) instance with AAD integration and configured policies for wireless Dot1X. I have<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">only configured user/group authentication and authorizatio</SPAN></STRONG><SPAN class="uiOutputText"><STRONG>n</STRONG> and there are<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">no device-based policies.</SPAN></STRONG></P> <P><SPAN class="uiOutputText">Currently all apple devices cannot authenticate because they are trying to authenticate using protocols that Azure does not support such as EAP-FAST. As per my knowledge, Azure-ISE integration (ROPC) only supporting EAP-TTLS with PAP. (no other inner methods). I also tried disabling protocols to force clients to use EAT-TTLS with PAP and also with ISE 3.3. But it didn't work.</SPAN></P> <P><SPAN class="uiOutputText">I also found a workaround to use Intune to configure client devices. But for BYOD requirement needs agentless device authorization based on AAD group.&nbsp;&nbsp;</SPAN></P> <P><SPAN class="uiOutputText">Any suggestions? or workaround?&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> </DIV> </DIV> Fri, 23 Aug 2024 15:32:32 GMT Manuka Rajapaksha 2024-08-23T15:32:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-azure-ad-integration-ropc/m-p/5165105#M591358 <DIV class="cuf-body cuf-questionTitle forceChatterFeedBodyQuestionWithoutAnswer" data-aura-rendered-by="94:1186;a" data-aura-class="forceChatterFeedBodyQuestionWithoutAnswer"><SPAN>Has anyone come across similar case as below?</SPAN></DIV> <DIV class="cuf-body cuf-questionBody forceChatterFeedBodyQuestionWithoutAnswer" data-aura-rendered-by="98:1186;a" data-aura-class="forceChatterFeedBodyQuestionWithoutAnswer"> <DIV class="cuf-feedBodyText forceChatterMessageSegments forceChatterFeedBodyText" data-aura-rendered-by="102:1186;a" data-aura-class="forceChatterMessageSegments forceChatterFeedBodyText"> <DIV class="feedBodyInner Desktop"> <P><SPAN class="uiOutputText">I have ISE 3.2 (patch5) instance with AAD integration and configured policies for wireless Dot1X. I have<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">only configured user/group authentication and authorizatio</SPAN></STRONG><SPAN class="uiOutputText"><STRONG>n</STRONG> and there are<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">no device-based policies.</SPAN></STRONG></P> <P><SPAN class="uiOutputText">Currently all apple devices cannot authenticate because they are trying to authenticate using protocols that Azure does not support such as EAP-FAST. As per my knowledge, Azure-ISE integration (ROPC) only supporting EAP-TTLS with PAP. (no other inner methods). I also tried disabling protocols to force clients to use EAT-TTLS with PAP and also with ISE 3.3. But it didn't work.</SPAN></P> <P><SPAN class="uiOutputText">I also found a workaround to use Intune to configure client devices. But for BYOD requirement needs agentless device authorization based on AAD group.&nbsp;&nbsp;</SPAN></P> <P><SPAN class="uiOutputText">Any suggestions? or workaround?&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> </DIV> </DIV> Fri, 23 Aug 2024 15:32:32 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-azure-ad-integration-ropc/m-p/5165105#M591358 Manuka Rajapaksha 2024-08-23T15:32:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-azure-ad-integration-ropc/m-p/5165723#M591378 <P>AFAIK, there is no way to configure Mac OS to use EAP-TTLS[PAP] except creating and installing a Wifi Profile. This can be done manually using something like <A href="https://apps.apple.com/us/app/apple-configurator/id1037126344?mt=12" target="_blank" rel="noopener">Apple Configurator</A> (you would have to provide the XML to the users to install) or using an MDM like Intune or Jamf Pro.</P> <P>Another option would be using a portal-based flow with SAML/Oauth2 authentication against Entra ID.<BR /><A href="https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-azure-ad/ta-p/4400675" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-azure-ad/ta-p/4400675</A></P> <P>&nbsp;</P> Sun, 25 Aug 2024 22:06:05 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-azure-ad-integration-ropc/m-p/5165723#M591378 Greg Gibbs 2024-08-25T22:06:05Z