
Cisco ISE 3.2 with Azure AD

Leonardo Santana
Spotlight

Hi all,

About the configuration of ISE EAP-TLS with Microsoft Azure AD, I have some doubts:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html
Procedure:

The certificate is sent to ISE through EAP-TLS or TEAP with EAP-TLS as the inner method.
ISE evaluates the user’s certificate (validity period, trusted CA, CRL, and so on.)
ISE takes the certificate subject name (CN) and performs a look-up to the Microsoft Graph API to fetch the user’s groups and other attributes for that user. This is referred to as User Principal name (UPN) on the Azure side.
ISE Authorization policies are evaluated against the user’s attributes returned from Azure.

Doubts
1 - Does Entra ID have to be added to Cisco ISE as an External Identity Source, similar to Microsoft AD?
2 - Is it necessary to exchange certificates between Azure AD and ISE? For example, download the root CA of Azure AD and upload it to ISE?
3 - Is it necessary to integrate with Intune?

 

Regards
Leonardo Santana

*** Rate All Helpful Responses***
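The four-step procedure quoted above, as an added example that is not part of the original post or of Cisco's ISE code: a Python model of steps 3 and 4, taking the client certificate's subject CN as the UPN, querying Microsoft Graph for the user's group memberships and evaluating ordered authorization rules against them. The Graph `memberOf` path, `$select`, `@odata.nextLink` paging and the `@odata.type` discriminator are real Graph behaviour; the tenant contents, rule names, VLANs, dACL names and the `fake_graph_fetch` transport are constructed for the example, and step 2 (chain validation, CRL) is assumed to have already passed.

```python
"""Model of the ISE -> Entra ID lookup described in the post (illustrative, not ISE code).

Flow: certificate subject CN -> treated as UPN -> Graph memberOf lookup -> ordered
authorization rules. The Graph transport is injectable so the example runs offline.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # real Graph endpoint
Fetcher = Callable[[str, str], dict]


def member_of_url(upn: str) -> str:
    """Real Graph path for a user's directory memberships (groups and roles)."""
    return f"{GRAPH_BASE}/users/{quote(upn, safe='')}/memberOf?$select=displayName"


def graph_fetch(url: str, token: str) -> dict:
    """Live transport: one bearer-authenticated GET. Not used by the offline demo."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def cn_from_subject(subject: str) -> Optional[str]:
    """CN from an RFC 4514 subject string like 'CN=alice@contoso.example,O=Contoso'.
    Simplified: escaped commas are not handled; read the parsed certificate in production."""
    for rdn in subject.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def looks_like_upn(name: str) -> bool:
    """A UPN is user@domain; a hostname or display name in the CN will never resolve."""
    local, sep, domain = name.partition("@")
    return bool(sep) and bool(local) and "." in domain and "@" not in domain


def fetch_groups(upn: str, token: str, fetch: Fetcher = graph_fetch) -> List[str]:
    """Collect group names, following nextLink pages and skipping non-group objects
    (directory roles also appear in memberOf). Propagates HTTPError, e.g. 404."""
    groups: List[str] = []
    url: Optional[str] = member_of_url(upn)
    while url:
        page = fetch(url, token)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                groups.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return groups


# Constructed ordered rules: (name, groups that must all be present, profile). First match wins.
AUTHZ_RULES: List[Tuple[str, frozenset, Dict[str, object]]] = [
    ("NetOps-Full", frozenset({"NetOps"}), {"vlan": 10, "dacl": "PERMIT_ALL"}),
    ("VPN-Only", frozenset({"VPN-Users"}), {"vlan": 20, "dacl": "VPN_ONLY"}),
    ("Contractor", frozenset({"Contractors"}), {"vlan": 30, "dacl": "INTERNET_ONLY"}),
]


def authorize(groups: List[str]) -> Tuple[str, Dict[str, object]]:
    have = set(groups)
    for name, required, profile in AUTHZ_RULES:
        if required <= have:
            return name, profile
    return "Default-Deny", {"dacl": "DENY_ALL"}


def evaluate(subject: str, token: str, fetch: Fetcher = graph_fetch) -> Dict[str, object]:
    """Steps 3 and 4 of the post's procedure; chain/CRL validation assumed done already."""
    cn = cn_from_subject(subject)
    if cn is None or not looks_like_upn(cn):
        return {"decision": "REJECT", "reason": "subject CN is not a UPN", "upn": cn}
    try:
        groups = fetch_groups(cn, token, fetch)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # valid certificate, but no such user in the tenant
            return {"decision": "REJECT", "reason": "user not found in Entra ID", "upn": cn}
        raise
    rule, profile = authorize(groups)
    decision = "REJECT" if rule == "Default-Deny" else "PERMIT"
    return {"decision": decision, "rule": rule, "profile": profile, "upn": cn, "groups": groups}


def fake_graph_fetch(url: str, token: str) -> dict:
    """Constructed stand-in for Graph. Alice's memberships span two pages to exercise
    nextLink handling; one entry is a directory role, which must not count as a group."""
    alice = member_of_url("alice@contoso.example")
    pages = {
        alice: {"value": [{"@odata.type": "#microsoft.graph.group", "displayName": "NetOps"}],
                "@odata.nextLink": alice + "&$skiptoken=p2"},
        alice + "&$skiptoken=p2": {"value": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "VPN-Users"},
            {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"}]},
        member_of_url("bob@contoso.example"): {"value": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "Contractors"}]},
    }
    if url not in pages:
        raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
    return pages[url]


if __name__ == "__main__":
    for subj in ("CN=alice@contoso.example,OU=Staff,O=Contoso", "CN=carol@contoso.example",
                 "CN=LAPTOP-42,OU=Devices"):
        print(subj, "->", evaluate(subj, "dummy-token", fake_graph_fetch))
```

Two practical points the model makes visible: the CN in the issued certificate has to literally be the UPN (a device certificate with a hostname CN is rejected before any lookup), and a certificate that chains correctly but belongs to a user no longer in the tenant still fails at the Graph step, which is the "no authentication, only lookup" behaviour discussed in the replies. The live `graph_fetch` needs a bearer token from an app registration with the appropriate Graph permissions, which the linked Cisco document covers.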

ccieexpert
Level 3

 

This link will give you much better insight:

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

1 - Does Entra ID have to be added to Cisco ISE as an External Identity Source, similar to Microsoft AD?

There is no authentication done, only authorization/lookup via API/Intune MDM.


2 - Is it necessary to exchange certificates between Azure AD and ISE? For example, download the root CA of Azure AD and upload it to ISE?

Yes.

3 - Is it necessary to integrate with Intune?

You may be able to do basic cert checks, but Intune will give you the most robust/scalable solution. Intune will automate the cert issuance process as well.

Hi,

How does the process of certificate exchange between them work? In this doc I only saw it for Intune. If we integrate with Intune, premier licenses will be necessary, right?

We just need to authenticate/authorize the user against Entra ID with EAP-TLS. So is there a guide just for that, showing the config on the MS side and the Cisco side?

 

Regards
Leonardo Santana

*** Rate All Helpful Responses***

There is no certificate exchange between Entra ID and ISE. With the mutual authentication of EAP-TLS, the client needs to trust the ISE EAP certificate and the server (ISE) needs to trust the client EAP certificate.

ISE would need to have the trust chain (root, intermediate) certificates for the EAP certificate presented by the client in its Trusted Certificates store with the 'Trust for authentication within ISE' and 'Trust for client authentication and Syslog' options enabled. These certs would typically be from your AD CS, MS Cloud PKI, or whatever CA you're using.

The trust chain for the EAP certificate in ISE would also need to be in the client's Root/Intermediate certificate store for the User and/or Computer (depending on your use case).

You would only need to integrate with Intune (and therefore need the Premier licensing) if you want to perform the MDM Registration/Compliance checks as a condition for Authorization.