topic Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID in Network Access Control

CIsco ISE 802.1x EAP-TLS authentication with Entra ID

cuiL — Mon, 09 Jun 2025 16:02:49 GMT

Our customer exisitng environment all PC join to entra id and no any infra in on-premise

Now. they would like to implement new Wi-FI with kind of this solutions but it's look like very new for us and less experience

Therefore, may I asking in this community that anyone have experience to implement this solution on production.

Also, with this is any concern point or this solutions is good idea to go with it?

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Wed, 11 Jun 2025 03:22:23 GMT

ISE cannot currently perform any Device Authorization against Entra ID. The only option would to Authenticate based on a trusted certificate and authorize based on values in the certificate.

See https://cs.co/ise-entraid

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

paulwelchh — Wed, 11 Jun 2025 03:48:45 GMT

Thanks, Greg, that’s helpful. Just to clarify, if we're going with EAP TLS and relying only on certificate-based authentication and authorization, since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?

Also, has anyone tried integrating any third-party solutions to bridge Entra ID device context into ISE policies, or is that still mostly a manual workaround?

Appreciate any insights from folks who've deployed something similar.

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Wed, 11 Jun 2025 05:11:11 GMT

"since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?"

Yes. If you need to provide differentiated levels of authorization between devices, they would need to have different certificate values that ISE could match on.

An enhancement for Device Authorization against Entra ID is coming in ISE 3.5 (currently in public beta), so more details will be provided on that enhancement when it is available.

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MSJ1 — Tue, 07 Oct 2025 12:00:57 GMT

Hello @Greg Gibbs

Now that version 3.5 came available for public and partners started looking into ISE 802.1x for Entra ID Joined machines.

My question refer to this statement mentioned at release notes 3.5

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html

"During authentication, Cisco ISE evaluates the certificate presented by the user or device, without directly accessing Microsoft Entra ID. "

Which Certificate user / device will present ? Since Laptops are Entra ID Joined , they are not domain joined since PKI cannot generate user or Device Cert for a non domain joined machine. Or I am missing some point here. ?

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Tue, 07 Oct 2025 23:35:05 GMT

Windows PCs still have a distinct User and Computer state and separate certificate stores for each. If the supplicant is configured for 'User or Computer Authentication' it will present the certificate relevant to the state. This is described in my blog referenced earlier.

I have also updated that blog with the Device Authorization use case available from ISE 3.5 - https://cs.co/ise-entraid#DeviceQuery

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MaErre21325 — Wed, 08 Oct 2025 13:00:35 GMT

Hi @Greg Gibbs

i was following the link you posted, already upgraded to 3.5, but in the authorization policy i'm unable to see the Device·ExternalGroups.
This is the screenshot of the available choices:

How can i have the device attribute from the list?

Thank you

Regards

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Wed, 08 Oct 2025 21:12:45 GMT

Have you enabled and configured the Device Query settings as per the Admin Guide?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MaErre21325 — Fri, 10 Oct 2025 15:18:51 GMT

Yes, i've read later your guide, now it works.
Thanks as always for your advices!

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MSJ1 — Tue, 28 Oct 2025 21:04:06 GMT

@Greg Gibbs

Refer to following URL and specific to license - what type of license we will need if we want to use Entra ID Device Certificate based authentication ?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_eyb_rz1_gnb

""In the Device Attributes tab, click Add.

These attributes are displayed based on the deployed licenses. Check the check boxes next to the device attributes for which you want to fetch values from the Entra ID.""

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Tue, 28 Oct 2025 23:20:33 GMT

This is documented in the licensing guide - https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html#35ISELicenserequirementsforDisplayingEntraIDDeviceAttributesintheGUI

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MSJ1 — Wed, 29 Oct 2025 22:26:38 GMT

@Greg Gibbs During REST ID Store Integration with ISE is there a way we can use Cert as Authentication rather than using "Client Secret" ? From ISE External Identity Sources Section for REST I do not see Cert as an Option rather than "Client Secret" field.

Also for REST ID Integration with Azure from ISE what are the Firewall Rule Requirement's ?

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Wed, 29 Oct 2025 22:33:01 GMT

No. The documented method using secrets is the only supported method for integration.

The required URLs are documented in the Installation Guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_7.html#required-internet-urls

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MSJ1 — Wed, 29 Oct 2025 23:15:16 GMT

@Greg Gibbs Do you see any security risk since it is Client Secret ? Can you share any insight if in upcoming release it will bring the option for cert based binding rather than Client Secret ?

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Thu, 30 Oct 2025 21:44:58 GMT

The secret is used to request a bearer token from the Graph API and that bearer token is used for subsequent API calls until it expires. This is a common behaviour for many API operations. You can research the pros and cons, but this is currently what's supported.

Roadmap is not something discussed on public forums like this.

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

hs08 — Fri, 31 Oct 2025 07:19:39 GMT

When we use certificate based authentication, can we compare the Subject Name in the certificate to the Entra ID Group? I mean even the device already have valid certificate but the user not in member of Entra ID the user will be denied.

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

MSJ1 — Wed, 05 Nov 2025 23:25:31 GMT

Hi @Greg Gibbs

Is there a manual or reference that shows what are the options I need to enable in External Identity Store - REST ID if I want to test EAP-TLS authentication for Entra ID Devices not users ? trying to test with Device Name Condition.

Also In REST External Identity Store Groups tab - If I am looking for Device Group it should show up here once created in Entra ID ? Simple question is if Device group and user group will show up here in Groups tab ?

Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

Greg Gibbs — Thu, 06 Nov 2025 21:43:48 GMT

The steps are in the Admin Guide which is also linked in my post - https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb