Hi,

How is the proccess of certificate exchange between them? At this doc i only saw for the Intune. If we integrate with Intune it will be necessary premier licenses right?

We just need to Authenticate/Authorization the user against Entra ID with EAP-TLS. So there is a guide just for that? That´s showing the config at MS side and Cisco side.

There is no certificate exchange between Entra ID and ISE. With the mutual authentication of EAP-TLS, the client needs to trust the ISE EAP certificate and the server (ISE) needs to trust the client EAP certificate.

ISE would need to have the trust chain (root, intermediate) certificates for the EAP certificate presented by the client in it's Trusted Certificates store with the 'Trust for authentication within ISE' and 'Trust for client authentication and Syslog' options enabled. These certs would typically be from your AD CS, MS Cloud PKI, or whatever CA you're using.

The trust chain for the EAP certificate in ISE would also need to be in the client's Root/Intermediate certificate store for the User and/or Computer (depending on your use case).

You would only need to integrate with Intune (and therefore need the Premier licensing) if you want to perform the MDM Registration/Compliance checks as a condition for Authorization.

Hi Greg,

Its not necessary to add Entra ID at Cisco ISE as a External Identity Source? How ISE will read the groups?

Yes, you would need to add your Entra ID tenant as a REST ID connection. The guide you linked in your original post has a reference and and link to the App Registration setup required on the Entra ID side.

If you click on that link, it shows the configuration needed. For this use case, however, you would not need to enable the ROPC setting (Figure/Step 9)

So we need to add the Entra ID tenant as a REST ID connection using EAP TLS?

At step 9 we do not enable RPOC?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

Correct