topic Re: Cisco ISE 3.5 Entra ID Authorization Problem in Network Access Control

Cisco ISE 3.5 Entra ID Authorization Problem

andrianusfranky — Thu, 06 Nov 2025 09:52:26 GMT

I have a PoC in my customer for Cisco ISE integration with Entra ID and currently I test it first on my lab.
My customer only has Entra ID for the IDP and no on-prem AD.
I use EAP-TLS and using ISE Certificate Provisioning Portal to generate endpoint cert.
From the live log, I see that Authentication Result have passed but it failed due to Rejected per authorization profile.
What step do I miss here?
Thank you

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Aref Alsouqi — Thu, 06 Nov 2025 10:59:42 GMT

It's interesting to see that on the live log it says authentication failed when the authentication has actually passed. Have you tried to remove the authentication status condition from the authorization rule and see if that makes any difference? also, please check this link which has bunch of helpful details:

Cisco ISE with Microsoft Active Directory, Entra ID, and Intune - Cisco Community

Re: Cisco ISE 3.5 Entra ID Authorization Problem

andrianusfranky — Fri, 07 Nov 2025 05:46:41 GMT

Hi Aref,
Thanks for your reply. Yes, I've tried delete authentication status condition from authorization rule, and it still the same.
And I also following your documentation before, basically what I do just match the CN against Entra External Group.
And the results just like you've seen in the picture attached.
I've check and make sure from the Entra config, and all according to documentation.

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Mon, 10 Nov 2025 17:38:07 GMT

Hello

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Fri, 14 Nov 2025 17:07:09 GMT

I'm having the same problem. It seems the authentication flow between ISE and Entra ID isn't working. No matter what permission settings you configure; does anyone have a solution or fix for this?

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Fri, 14 Nov 2025 17:27:17 GMT

@Andre-Teixeira Hello at which section of the policy it is blocking ? Is it at the Authentication or for the Authorization ? What error you see ? Share the error log / code.

I assume you completed the Entra ID Integration with ISE as External Identity Sources. Did you Import the Device or User Group already ? Is your cert DN matches the regex entry ?

No matter what permission settings you configure -- which permission you are referring ?

Elaborate a bit more on your problem

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Fri, 21 Nov 2025 13:02:49 GMT

Hello! I followed this link/guide:
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

We checked all the permissions for the Entra ID, ISE policies, and nothing. The documentation advises disabling Microsoft MFA, otherwise it doesn't work. We did this and the error persists. The REST within ISE is communicating normally with the tenant and the Entra ID app registration. We checked everything related to certificates; we inserted the certificate within the Entra ID app registration, issued a new certificate and a new chain, and imported it into ISE. We don't believe the problem is with certificates, because if I try to authenticate using a local Active Directory, for example: some domain user, it works with a different authentication policy and a different authorization policy.

Error code: 5400 Authentication failed
Failure Reason 12976 EAP-TTLS authentication failed

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Mafra — Fri, 21 Nov 2025 14:48:26 GMT

Hi!

@andrianusfranky

I had a similar problem and was able to fix it. I was about to make a post talking about my issue.

I was able to authenticate but when trying to use groups as conditions no groups matched and the authz was getting the default.

In my case the problem was with the attributes ISE use from Azure.

My problem was with the "deviceEnrollmentLimit" attribute, if I configure ISE to use this attribute and make authz profiles using groups as conditions it never matched.

Try to mess with the attributes, if you have "deviceEnrollmentLimit" added try to take it off from the attribute list and see if this fiz your problem

At the REST ID Store i went to "User Attributes" and removed the "deviceEnrollmentLimit":

Logs showing the error I got when attributes were fetched for the user:

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Fri, 21 Nov 2025 15:05:12 GMT

I did that and I'm still having the same problem. Could you please share your APP Registration permissions? All of them. Maybe that will help me. Thank you very much for the information shared so far.

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Fri, 21 Nov 2025 15:30:51 GMT

@Andre-Teixeira Quick question - do you have the Group.Memership read permission on Azure for the Entra ID App ?

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

User Lookup API Permissions

To perform the User attribute and group membership lookups against EntraID, the following API Permissions must be granted in the Entra ID App Registration:

User.Read.All (Application)
GroupMember.Read.All (Application)

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Fri, 21 Nov 2025 15:33:29 GMT

During REST ID Integration it only works with Client Secret - Cert Option is not available in ISE side.

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Fri, 21 Nov 2025 17:12:02 GMT

Thank you very much, but no success. I'm still getting the error log from my first attach login_failure_log_ise_entra_ID.png.
The error "AADSTS50034"...

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Mafra — Fri, 21 Nov 2025 17:22:24 GMT

Did you enable the debug for "rest-id-store"?

I think you will have a better ideia what the problem is if you enable it and check on the CLI while the client tries to authenticate.

CLI command after enable the debug:

show logging application ropc/rest-id-store.log

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Fri, 21 Nov 2025 17:32:04 GMT

Yes, I did. Same error message. Which version of Cisco ISE are you using?

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Fri, 21 Nov 2025 18:32:09 GMT

ISE3.5

Re: Cisco ISE 3.5 Entra ID Authorization Problem

MSJ1 — Fri, 21 Nov 2025 21:42:44 GMT

@Andre-Teixeira - What is your Microsoft Entra ID License Type p1 , p2 ? and what's the attribute you are using as part of Authz ?

I know you are facing issue AuthC. Can you also share the Cert Auth Profile settings ?

Re: Cisco ISE 3.5 Entra ID Authorization Problem

Andre-Teixeira — Mon, 08 Dec 2025 14:45:21 GMT

My friends, good news. I managed to get it working. I spent about a month and a half trying to get this working in the simplest way possible. I tested the versions:
ISE 3.3 (patch 3) - fail
ISE 3.3 (patch 4) - fail
ISE 3.3 (patch 7) - fail
ISE 3.4 (patch 1) - fail
ISE 3.4 (patch 3) - fail
ISE 3.4 (patch 4) - fail
ISE 3.5, which we are discussing in this forum, - fail

However, it only worked on version 3.3 WITHOUT ANY PATCH. I didn't change any configurations at all, I just installed 3.3 and removed patch 8. I performed a new authentication and it worked.

I have attached the main configurations I performed to get it working. Through this forum, there is the possibility of contacting Cisco informing them:

We need it to work in the simplest way possible, just like in version 3.3 without a patch. But since ISE cannot be left without updates, it needs to work on later versions. From there, we can make more advanced configurations.

Perhaps the fact that it happens in all the latest versions (3.3 P2+, 3.4, 3.5) and not in 3.3 Base indicates that Cisco has permanently changed the library (SDK) or logic of the Azure AD connector in modern versions, probably to accommodate new Microsoft security requirements or MDM features, but broke backward compatibility for those using pure ROPC (only user authentication without device validation).

Re: Cisco ISE 3.5 Entra ID Authorization Problem

besart-rexhepi — Sun, 15 Mar 2026 10:02:37 GMT

Are you using "ENTRA DEVICE ID" to identify the device?

Your Regex is the problem and thats why you are not hitting you Authorization rule. Try to put * before and after Entra Device ID.

* regex for Entra Device ID *