https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298148#M596725 <P>Hello team,</P> <P>In ISE 3.2 (standalone node) have set up REST ID with Azure following all I found in this two documents</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.htmlù" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html</A></P> <P>All steps seems to work fine, and the "test connection" from REST ID config page works fine.</P> <P>Once I use the ExternalGroups as extenral identity source in a AUthorization Policy, however, I can see in the live logs the query for ExternalGroups</P> <P>&nbsp;</P> <TABLE class="content_table_steps" border="0" cellpadding="3"> <TBODY> <TR class="content_table_steps_highlight"> <TD>15048</TD> <TD>Queried PIP - XXXXXX_Azure_AD.ExternalGroups</TD> </TR> </TBODY> </TABLE> <P>yet it still can't match user to group.</P> <P>Is there something specific that I may be missing? The REST ID setup guide refers to 3.0, is there anything different in 3.2? I have REST rather than REST (ROPC) in the&nbsp;<SPAN>External Identity Sources setup page, but the contents are similar... I seems to be missing the 4.e configuration in ISE, "Username Suffix" I don't know if there's anything different in this version.</SPAN></P> <P>&nbsp;</P> <P><SPAN>can anyone please help in this regard? Thanks</SPAN></P> <P><SPAN>Fabio</SPAN></P> Tue, 10 Jun 2025 15:02:10 GMT fabioairoldi 2025-06-10T15:02:10Z https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298148#M596725 <P>Hello team,</P> <P>In ISE 3.2 (standalone node) have set up REST ID with Azure following all I found in this two documents</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.htmlù" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html</A></P> <P>All steps seems to work fine, and the "test connection" from REST ID config page works fine.</P> <P>Once I use the ExternalGroups as extenral identity source in a AUthorization Policy, however, I can see in the live logs the query for ExternalGroups</P> <P>&nbsp;</P> <TABLE class="content_table_steps" border="0" cellpadding="3"> <TBODY> <TR class="content_table_steps_highlight"> <TD>15048</TD> <TD>Queried PIP - XXXXXX_Azure_AD.ExternalGroups</TD> </TR> </TBODY> </TABLE> <P>yet it still can't match user to group.</P> <P>Is there something specific that I may be missing? The REST ID setup guide refers to 3.0, is there anything different in 3.2? I have REST rather than REST (ROPC) in the&nbsp;<SPAN>External Identity Sources setup page, but the contents are similar... I seems to be missing the 4.e configuration in ISE, "Username Suffix" I don't know if there's anything different in this version.</SPAN></P> <P>&nbsp;</P> <P><SPAN>can anyone please help in this regard? Thanks</SPAN></P> <P><SPAN>Fabio</SPAN></P> Tue, 10 Jun 2025 15:02:10 GMT https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298148#M596725 fabioairoldi 2025-06-10T15:02:10Z https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298276#M596735 <P>If you're using EAP-TLS and User Authorization against Entra ID, the documents you shared should have everything you need.</P> <P>For the EAP-TLS with REST ID, you do not need to enable ROPC on the App Registration. ROPC only applies to the EAP-TTLS(PAP)&nbsp; or RAVPN use cases.</P> <P>The Username Suffix is appended to the username by ISE before sending that to the Graph API for lookup when using the ROPC flow.</P> <P>When using the EAP-TLS flow with ISE 3.2+ the full UPN must be provided in the certificate (CN or SAN) and used by ISE for identity (as defined in the Certificate Authentication Profile). ISE can only perform the lookup against the Graph API using the UPN.</P> Wed, 11 Jun 2025 04:36:26 GMT https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298276#M596735 Greg Gibbs 2025-06-11T04:36:26Z https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298296#M596740 <P>That's actually it! I was checking against an attribute other than UPN, by changing the certificate structure and checking against UPN it now works, thanks!</P> Wed, 11 Jun 2025 06:44:10 GMT https://community.cisco.com/t5/network-access-control/externalgroups-in-rest-id-azure-ad-in-authorization-policy/m-p/5298296#M596740 fabioairoldi 2025-06-11T06:44:10Z