topic Re: ISE Integration with Entra-joined Devices/Users in Network Access Control

ISE Integration with Entra-joined Devices/Users

GregoryLeggett — Fri, 05 Apr 2024 20:47:59 GMT

My organization is working on migration path to Win11 (Entra joined), with hybrid user accounts. According to the below posting, it was mentioned that TEAP (EAP-TLS) is not supported for Computer authentication or EAP-Chaining.

I have two questions about this;

Is this a limitation of ISE or with Windows11 being Entra joined? If ISE, could you please explain why EAP-Chaining and computer authentication are not supported?
We are currently using TEAP to solve the "chick and egg" problem outlined in the below posting. If TEAP cannot be used in an Entra joined environment, then what options are available to ensure that a user logging into a computer for the first time is able to build a user profile with certificate issuance, for user authentication?

@Greg Gibbs

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Mon, 08 Apr 2024 00:25:55 GMT

Authorization of an Entra Joined Device is not currently possible in ISE, and neither is EAP Chaining an authenticated User session and Computer session. This is specifically stated in the ISE 3.2 Release Notes

With Windows 11, most organisations are moving from the legacy on-corporate-network PC staging/build process that is controlled by SCCM and uses the PXE boot process to a Windows Autopilot process. For Autopilot, the user would just need a bare internet connection to complete the build, so this could be potentially be accomplished by connecting to a Guest BYOD portal or hotspot of some kind. Part of the AutoPilot process would be enrolment with Intune which would also enrol the Device/User certificates, after which point the user could connect to the secure Corporate network.

Re: ISE Integration with Entra-joined Devices/Users

MaErre21325 — Mon, 02 Sep 2024 13:46:33 GMT

Hi @Greg Gibbs,

i've been asked to migrate our ise deployment from traditional ad to entra id.
i read the following document: "Configure ISE 3.0 REST ID with Azure Active Directory" at this link:https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

but it is using eap-ttls, i'm wondering if i can still use eap-tls as in my actual working setup...
furthermore, as i understand, rest id is the only method to integrate cisco ise with entra id.

then i found this guide "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory"
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html#toc-hId--1070241705

and is using eap-tls, so i'm a little bit confused about what to do....

Am i able to integrate ise and entra id but using eap-tls instead of eap-ttls in my authorization rules?

thank you

bye

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Mon, 02 Sep 2024 22:24:48 GMT

Yes, as stated in the "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory" you referenced, you can use the REST ID function in ISE version 3.2 and higher to authorize a User against Entra ID. The Entra ID App Registration configuration would be the same as shown in the "Configure ISE 3.0 REST ID with Azure Active Directory" guide, except you would not need to enable the ROPC option shown in Step/Figure 9 of that document.

You might also see this blog for current options related to ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

Re: ISE Integration with Entra-joined Devices/Users

MaErre21325 — Tue, 03 Sep 2024 10:15:24 GMT

Hi,
the more i read the document the more i get confused.
These are my actual ruIes:

in order to migrate them i should reference to "Authentication/Authorization of an Entra Joined Device using EAP-TLS" guide (we do device authentication by checking if the certificate is released by our CA and the for the authorization we check if the device is matching the AD groups).
For the authorizaton rule i only need to add the policy value as per the following screenshot:

In this case i don't need to configure the REST ID function, am i correct? In this way Ise should check only if this value matches the value i want.

Thank you

Bye

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Tue, 03 Sep 2024 22:18:51 GMT

There is currently no comparable authorization of a Device group/attribute against Entra ID as your current use case with AD. If all you are planning to do is Authenticate and Authorize a Device based simply on values in the certificate it presents to ISE for EAP-TLS and trust of that certificate chain, then you would not need any integration with Entra ID.

Re: ISE Integration with Entra-joined Devices/Users

MaErre21325 — Wed, 04 Sep 2024 07:34:10 GMT

I would like to migrate the rules as similar as possible.
Given the limitations of Entra-id it seems to me that the only more similar way is to check certain values within the certificate, but those values have to be created first on Entra-id, so yes, there is no direct integration with Entra-id, but, however, those parameters on the certificates have to be congruent between Ise and Entra-id

Re: ISE Integration with Entra-joined Devices/Users

SamW1 — Wed, 23 Oct 2024 11:07:20 GMT

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-1884295217 This seems to show it is now possible after fixing the bug CSCwd34467 ?

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Wed, 23 Oct 2024 21:12:18 GMT

Yes, as stated in that document it is possible to use TEAP(EAP-TLS) with the User authorization against Entra ID. It is still currently not possible to perform authorization of a Device against Entra ID (also stated in that document).

Re: ISE Integration with Entra-joined Devices/Users

packet2020 — Thu, 24 Oct 2024 15:47:17 GMT

Hi @Greg Gibbs - Is device authorisation going to be supported with ISE, so the ability to lookup the basic device object in Entra during EAP-TLS/TEAP-TLS auth using the device's GUID to check that a) its a present/valid object and b) to return any device attributes to allow ISE to select an appropiate result, or is this purley a limitation in Entra that is not going to be changed any time soon?

Re: ISE Integration with Entra-joined Devices/Users

SamW1 — Thu, 24 Oct 2024 15:58:59 GMT

Just checked with a TME:

I got this response today from a Cisco SE for ISE....

Device authorization in Entra ID is planned for 3.4 Patch 2 (but could slip, all normal patch caveats apply)

Re: ISE Integration with Entra-joined Devices/Users

RamsesDE — Thu, 24 Oct 2024 16:12:40 GMT

Hi all,

I read in a "what's new in ISE 3.4 ..." series, that Machine authorization, in Entra ID, will be supported in 3.4 patch 2 (which is planned for Q1/2025).

Can't find back the link for source though.

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Thu, 24 Oct 2024 22:19:31 GMT

In general, this is something the developers are working on for an enhancement but implementing it has proven much more difficult than originally expected due to the difficulty of identifying a computer versus user session purely by the certificate presented as certificate templates vary from customer to customer.

While the current target may be for 3.4 patch 2, these dates should not expected as development is still in progress and extensive testing will likely need to be done to ensure the changes do not affect other functions.

Re: ISE Integration with Entra-joined Devices/Users

KelvinT — Fri, 14 Feb 2025 16:21:17 GMT

Hello and happy Friday!

Any update on TEAP-TLS Chaining with Entra-ID? I read ISE 3.4 patch 2?

Re: ISE Integration with Entra-joined Devices/Users

Greg Gibbs — Sun, 16 Feb 2025 20:57:35 GMT

The feature for Device Authorization against Entra ID is no longer expected to be available until the release of ISE 3.5. No ETA can be provided, but you're likely looking at around June-July timeframe. It will likely be back-ported to a patch in 3.4 that will release after the FCS of 3.5.

Re: ISE Integration with Entra-joined Devices/Users

KelvinT — Mon, 17 Feb 2025 18:40:28 GMT

Thanks for the info Greg.

Re: ISE Integration with Entra-joined Devices/Users

hasitha siriwardhana — Fri, 14 Mar 2025 13:33:02 GMT

Hi ,

I am bit confused... if TEAP(EAP-TLS) and EAP-FAST(EAP-TLS) with EAP Chaining are supported for this Entra AD flow from ISE 3.2 patch 5 and ISE 3.3 patch 1 due to the fix implemented by bugID CSCwd34467

Then what is the use case of Machine authentication function going to be release on ISE 3.5. Without ISE 3.5 can we use this ?

Re: ISE Integration with Entra-joined Devices/Users

aaggarwal12 — Tue, 17 Jun 2025 16:05:39 GMT

Hi,

I have this problem where i need to do the user lookup for group membership in Entra ID for authorization rule in ISE using Rest ID instead of ROPC. I do not want to enable ROPC in Azure for application i setup for ISE. However ISE is not able to get the user group membership and failing the authorization. @Greg Gibbs Can you help me what could be the issue here in ISE where ISE is not able to fetch User group membership from Entra ID. I am using ISE 3.2 Patch 7.

Re: ISE Integration with Entra-joined Devices/Users

Kenny Thompson — Wed, 03 Sep 2025 06:40:42 GMT

Hi Greg,

Has this feature for EAP chaining (Device and User Authentication) now been added to ICE 3.5. Can you share a link to relevant documentation that shows support with Entra ID.

Re: ISE Integration with Entra-joined Devices/Users

JPavonM — Wed, 03 Sep 2025 10:45:00 GMT

I have found the Release Notes for 3.5 even when they are not referenced in Cisco URL:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-identity-services-engine-release-notes-35.html

See this section:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb