07-29-2024 12:15 PM
Hi all,
About the configuration of ISE EAP-TLS with Microsoft Azure ID, I have some doubts:
The certificate is sent to ISE through EAP-TLS or TEAP with EAP-TLS as the inner method.
ISE evaluates the user’s certificate (validity period, trusted CA, CRL, and so on).
ISE takes the certificate subject name (CN) and performs a look-up to the Microsoft Graph API to fetch the user’s groups and other attributes for that user. This is referred to as the User Principal Name (UPN) on the Azure side.
ISE Authorization policies are evaluated against the user’s attributes returned from Azure.
Doubts
1 - Must Entra ID be added to Cisco ISE as an External Identity Source, similar to Microsoft AD?
2 - Is it necessary to exchange certificates between Azure AD and ISE? For example, download the root CA of Azure AD and upload it to ISE?
3 - Is it necessary to integrate with Intune?
07-29-2024 12:51 PM
This link will give you much better insight:
1 - Must Entra ID be added to Cisco ISE as an External Identity Source, similar to Microsoft AD?
There is no authentication done, only authorization/lookup via API/Intune MDM.
2 - Is it necessary to exchange certificates between Azure AD and ISE? For example, download the root CA of Azure AD and upload it to ISE?
Yes.
3 - Is it necessary to integrate with Intune?
You may be able to do basic cert checks, but Intune will give you the most robust/scalable solution. Intune will automate the cert issuance process as well.
07-29-2024 02:21 PM
Hi,
How does the process of certificate exchange between them work? In this doc I only saw it for Intune. If we integrate with Intune, it will be necessary to have Premier licenses, right?
We just need to authenticate/authorize the user against Entra ID with EAP-TLS. So is there a guide just for that, showing the config on the MS side and the Cisco side?
07-29-2024 03:22 PM
There is no certificate exchange between Entra ID and ISE. With the mutual authentication of EAP-TLS, the client needs to trust the ISE EAP certificate and the server (ISE) needs to trust the client EAP certificate.
ISE would need to have the trust chain (root, intermediate) certificates for the EAP certificate presented by the client in its Trusted Certificates store with the 'Trust for authentication within ISE' and 'Trust for client authentication and Syslog' options enabled. These certs would typically be from your AD CS, MS Cloud PKI, or whatever CA you're using.
The trust chain for the EAP certificate in ISE would also need to be in the client's Root/Intermediate certificate store for the User and/or Computer (depending on your use case).
You would only need to integrate with Intune (and therefore need the Premier licensing) if you want to perform the MDM Registration/Compliance checks as a condition for Authorization.
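To make the two steps above concrete, here is an added example (not from this thread, and not ISE's own code): a throw-away PKI built with the openssl CLI that stands in for the client-side trust chain ISE must hold, showing that a client certificate chaining to the imported CA passes and that the same subject signed by an untrusted CA is rejected before any CN/UPN lookup would happen. The CA names and the UPN alice@example.com are constructed for the demo.

```shell
#!/bin/sh
# Added example: simulate the checks the RADIUS server (ISE) performs on the
# client's EAP-TLS certificate before any Entra ID lookup.
# Constructed names: "Example Issuing CA", "Rogue CA", alice@example.com.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Issuing CA standing in for AD CS / MS Cloud PKI. Its cert is what you would
# import into ISE's Trusted Certificates store with "Trust for client authentication".
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Issuing CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# A second, unrelated CA that ISE has NOT been given.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Rogue CA" \
  -keyout rogue.key -out rogue.crt >/dev/null 2>&1

# Client EAP certificate: CN carries the UPN, EKU restricted to client authentication.
printf 'extendedKeyUsage=clientAuth\n' > ext.cnf
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.com" \
  -keyout user.key -out user.csr >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
  -extfile ext.cnf -out user.crt >/dev/null 2>&1
# Same CSR (same CN) signed by the untrusted CA.
openssl x509 -req -in user.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial -days 30 \
  -extfile ext.cnf -out user-rogue.crt >/dev/null 2>&1

# Check 1: chain validation against the trust store (signature, validity period,
# trusted root, client-auth purpose). Exit status 0 = accepted, non-zero = rejected.
verify_client_cert() {   # $1 = client cert, $2 = trusted CA bundle (what ISE holds)
  openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: extract the subject CN that would be sent to the Graph API as the UPN.
cert_cn() {              # $1 = client cert
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

if verify_client_cert user.crt ca.crt; then
  echo "user.crt: chain trusted, lookup UPN $(cert_cn user.crt)"
fi
if ! verify_client_cert user-rogue.crt ca.crt; then
  echo "user-rogue.crt: untrusted issuer, rejected before lookup"
fi
```

Only the CA bundle passed to verify_client_cert decides the outcome; the client's CN is never consulted until the chain check has passed, which is the ordering the thread describes.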