Cisco ISE 3.0 with Azure AD deployment - TACACS User authentication

Jithishkk1514
Level 1

Hello Team,

We are going to deploy Cisco ISE 3.0 with Azure AD. There is a requirement from the customer to integrate the security and network devices for TACACS user authentication.

This solution is possible with Cisco ISE with Azure AD, as I understand only the ROPC protocol works between Cisco ISE & Azure AD.

Please help.

Regards,

Jithish K K

Accepted Solution

The Device Admin Policy Set does not support Authorization Policy conditions using the ROPC Azure AD store. As such, you cannot match on AzureAD groups for differentiated device admin access.

10 Replies

thomas
Cisco Employee

From the ISE Admin Guide:

SAMLv2 Identity Provider as an External Identity Source

SAML SSO is supported for the following portals:

  • Guest portal (sponsored and self-registered)

  • Sponsor portal

  • My Devices portal

  • Certificate Provisioning portal

You cannot select IdP as external identity source for BYOD portal, but you can select an IdP for a guest portal and enable BYOD flow.

Cisco ISE is SAMLv2 compliant and supports all SAMLv2 compliant IdPs that use Base64-encoded certificates. The IdPs listed below have been tested with Cisco ISE:

  • Oracle Access Manager (OAM)

  • Oracle Identity Federation (OIF)

  • SecureAuth

  • PingOne

  • PingFederate

  • Azure Active Directory

The IdP cannot be added to an identity source sequence.

Thanks Thomas,

Can you please confirm whether TACACS can be used in ISE version 3.0 with Azure AD?

The Device Admin Policy Set does not support Authorization Policy conditions using the ROPC Azure AD store. As such, you cannot match on AzureAD groups for differentiated device admin access.

Is there a way to pass the Authentication with AzureAD and handle authorization on Cisco ISE?

As I stated earlier in this thread:
"The Device Admin Policy Set does not support Authorization Policy conditions using the ROPC Azure AD store. As such, you cannot match on AzureAD groups for differentiated device admin access."

Is TACACS authentication/authorization for network devices supported with ISE 3.2 and Azure AD?

No, there is no change to this behaviour in the current release of ISE 3.2.

emgalanme
Level 1

Hey Greg. Is user authentication (not authorization) supported with ISE + Azure AD for TACACS in ISE 3.2?

Technically yes, you can use an ROPC Identity Store in the Device Admin Authentication Policy. The Authentication session will pass, but the Authorization session will result in a process failure.

You could mitigate the process failure by configuring the advanced option for 'If process fail = CONTINUE' but there would still be no way to differentiate authorization for different levels of admin access (Read-Write versus Read-Only, for example). You would be limited to the result of the Default Authorization Policy.

The process fail option didn't actually work, since the secondary authentication results in a user not found, not necessarily a process failure. So the only way to make it "work" is a user not found = CONTINUE, which ends up allowing any bunk username to pass, which is obviously not an option...

Recommendation is to either use on-prem MS AD or local accounts in ISE.
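The last two replies hinge on how the three failure options of an ISE authentication policy ("If Auth fail", "If User not found", "If Process fail", each set to REJECT, DROP or CONTINUE) interact with an identity store that cannot supply group data. The following Python model is an added illustration written for this page; it is not ISE code and it simplifies ISE's behaviour: CONTINUE is modelled as "the session proceeds to authorization and can only land on the Default Authorization Policy". The identity store, usernames, passwords and the `Default-Shell-Profile` name are constructed sample values. It shows why setting "If Process fail = CONTINUE" does not help (an unknown username is reported as user-not-found, not as a process failure) and why "If User not found = CONTINUE" turns the policy fail-open, accepting any username at all.

```python
"""Simplified model of ISE authentication-policy failure options.

Constructed illustration for the thread above; not Cisco ISE code.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REJECT = "REJECT"
    DROP = "DROP"
    CONTINUE = "CONTINUE"


@dataclass(frozen=True)
class FailureOptions:
    """The three per-policy failure knobs, with ISE-style defaults."""
    if_auth_fail: Action = Action.REJECT
    if_user_not_found: Action = Action.REJECT
    if_process_fail: Action = Action.DROP


class StoreError(Exception):
    """Raised when the identity store itself cannot be queried."""


# Constructed identity store standing in for the ROPC lookup: username -> password.
CONSTRUCTED_STORE = {"netadmin": "correct-horse", "helpdesk": "battery-staple"}

# Constructed name for what the Default Authorization Policy would hand out.
DEFAULT_AUTHZ = "Default-Shell-Profile"


def lookup(store, username, password):
    """Return 'pass', 'auth_fail' or 'user_not_found'; raise StoreError if the store is down."""
    if store is None:
        raise StoreError("identity store unreachable")
    if username not in store:
        return "user_not_found"
    return "pass" if store[username] == password else "auth_fail"


def authenticate(store, username, password, opts):
    """Evaluate one authentication attempt.

    Returns (outcome, reason) where outcome is 'ACCEPT', 'REJECT' or 'DROP'.
    A CONTINUE action is modelled as ACCEPT plus the default authorization
    result, because no group attributes exist to match anything more specific.
    """
    try:
        result = lookup(store, username, password)
    except StoreError:
        result = "process_fail"
    if result == "pass":
        return ("ACCEPT", "authenticated")
    action = {
        "auth_fail": opts.if_auth_fail,
        "user_not_found": opts.if_user_not_found,
        "process_fail": opts.if_process_fail,
    }[result]
    if action is Action.CONTINUE:
        # Fail-open: the session proceeds as if authenticated.
        return ("ACCEPT", f"{result} but CONTINUE -> {DEFAULT_AUTHZ}")
    return (action.value, result)


def scenarios():
    """Run the cases discussed in the thread and return their outcomes."""
    defaults = FailureOptions()
    process_fail_continue = FailureOptions(if_process_fail=Action.CONTINUE)
    not_found_continue = FailureOptions(if_user_not_found=Action.CONTINUE)
    return {
        # A real account with the right password passes under any setting.
        "valid_user": authenticate(CONSTRUCTED_STORE, "netadmin", "correct-horse", defaults),
        # Unknown username with defaults: rejected.
        "unknown_user_defaults": authenticate(CONSTRUCTED_STORE, "bunk", "x", defaults),
        # "If Process fail = CONTINUE" changes nothing here: the store answered
        # user-not-found, so the process-fail branch is never taken.
        "unknown_user_process_fail_continue": authenticate(
            CONSTRUCTED_STORE, "bunk", "x", process_fail_continue),
        # "If User not found = CONTINUE" accepts any bogus username.
        "unknown_user_not_found_continue": authenticate(
            CONSTRUCTED_STORE, "bunk", "x", not_found_continue),
        # Store genuinely unreachable: the default DROP applies.
        "store_down_defaults": authenticate(None, "netadmin", "correct-horse", defaults),
    }


if __name__ == "__main__":
    for name, (outcome, reason) in scenarios().items():
        print(f"{name:38} {outcome:7} {reason}")
```

Reading the `unknown_user_not_found_continue` row against `unknown_user_defaults` is the whole point of the last poster's objection: the only setting that makes the ROPC flow "work" is the one that stops checking whether the user exists.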