ISE Azure AD ROPC Credentials Stored?

jsohns
Level 1

We are in the process of configuring ISE with Azure AD for ROPC. The guide below is what we are following:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

Our security team found this comment and has concerns:

  • 10. Endpoint initiates authentication. As per ROPC protocol specification, user password has to be provided to the Microsoft identity platform in clear text over an encrypted HTTP connection; due to this fact, the only available authentication options supported by ISE as of now are:

Within the above guide there is a link to MS where this is mentioned.

  • link - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
  • “The ROPC flow is a single request; it sends the client identification and user's credentials to the identity provider, and receives tokens in return. The client must request the user's email address (UPN) and password before doing so. Immediately after a successful request, the client should securely discard the user's credentials from memory. It must never save them.”

Understanding that we will have to leverage EAP-TTLS with PAP as the inner method, once the request reaches ISE it then runs a process runtime (PrRT) to call the API that sends the UN/PW to Azure AD. Does anyone know how long, or whether, the password is stored in memory during any of this process, as called out by MS?

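The Microsoft text quoted in the post states two things a client must do: send the credentials in one `grant_type=password` request, and discard them from memory immediately afterwards. The following Python model, added here as an illustration and not code from Cisco ISE, from the guide, or from Microsoft, shows what that discipline looks like in a client you control. The endpoint path and form field names are the ones documented for the Microsoft identity platform ROPC grant; the tenant, client id, user, password and the stand-in `transport` are constructed for the example. The password is kept only in mutable `bytearray` buffers so that both the serialized request and the caller's copy can be overwritten in place once the request has been handed to the transport. The caveat a reviewer would add: in a language with immutable strings, any `str` copy made along the way cannot be scrubbed, so how long the credential actually lingers depends on every layer the request passes through, which is why the question about ISE's PrRT can only be answered by the vendor.

```python
"""Model of the ROPC token request and the 'discard credentials immediately'
rule. Added illustration; not Cisco ISE or Microsoft code. Endpoint path and
form fields follow the public ROPC documentation; all values are constructed."""
from typing import Callable, Dict, List

# Documented v2.0 token endpoint; {tenant} is the tenant id or domain (constructed here).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# RFC 3986 unreserved characters; everything else is percent-encoded.
UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def percent_encode_into(dst: bytearray, src: bytearray) -> None:
    """Append the form-encoded bytes of src to dst without creating an
    immutable (and therefore unscrubbable) copy of the secret on the way."""
    for b in src:
        if b in UNRESERVED:
            dst.append(b)
        else:
            dst += b"%%%02X" % b


def zero(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place so the secret no longer lives there."""
    for i in range(len(buf)):
        buf[i] = 0


def ropc_token_request(
    tenant: str,
    client_id: str,
    scope: str,
    username: str,
    password: bytearray,
    transport: Callable[[str, bytearray], Dict[str, str]],
) -> Dict[str, str]:
    """Build the single ROPC POST (grant_type=password) and hand it to
    `transport`. Whatever happens, the request body and the caller's password
    buffer are zeroed before this function returns: the credential exists in
    memory only for the duration of the one request."""
    body = bytearray(b"grant_type=password")
    for key, value in (("client_id", client_id), ("scope", scope), ("username", username)):
        body += b"&" + key.encode() + b"="
        percent_encode_into(body, bytearray(value, "utf-8"))
    body += b"&password="
    percent_encode_into(body, password)
    try:
        return transport(TOKEN_ENDPOINT.format(tenant=tenant), body)
    finally:
        zero(body)      # scrub the serialized request
        zero(password)  # scrub the caller's copy too; it must never be saved


def field_names(body: bytearray) -> List[str]:
    """Extract only the form field names, never the values, so the example can
    show the request shape without copying the password anywhere."""
    names: List[str] = []
    cur, reading = bytearray(), True
    for b in body:
        if b == ord("="):
            reading = False
            names.append(cur.decode())
            cur = bytearray()
        elif b == ord("&"):
            reading = True
        elif reading:
            cur.append(b)
    return names


def make_fake_transport(log: list) -> Callable[[str, bytearray], Dict[str, str]]:
    """Stand-in for the HTTPS client (constructed): a real one would write the
    body straight into the TLS socket. Records the URL, the field names and the
    same body object (not a copy) so the demo can prove it was scrubbed."""
    def transport(url: str, body: bytearray) -> Dict[str, str]:
        log.append((url, field_names(body), body))
        return {"token_type": "Bearer", "access_token": "<constructed-token>"}
    return transport


def demo() -> dict:
    """Run one request against the fake transport and report what remains."""
    sent: list = []
    pw = bytearray(b"p@ss word")  # constructed credential
    resp = ropc_token_request(
        "contoso.example", "11111111-2222-3333-4444-555555555555",
        "openid", "alice@contoso.example", pw, make_fake_transport(sent),
    )
    url, fields, body = sent[0]
    return {
        "url": url,
        "fields": fields,
        "body_after": bytes(body),      # all zeros: the request was scrubbed
        "password_after": bytes(pw),    # all zeros: the caller's copy was scrubbed
        "token_type": resp["token_type"],
    }
```

Running `demo()` shows the request went to the documented endpoint with the five documented fields, and that after the call neither the request body nor the original password buffer contains the credential. The same idea applies to any component in the EAP-TTLS/PAP to PrRT to Azure AD chain: the question to ask of each hop is whether it holds the password in a buffer it can and does clear, or in a copy it cannot.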