
Cisco ISE 3.x PEAP Authentication Azure AD

kylerossd
Level 4

Hello,

I have seen some guides for EAP-TEAP and EAP-TTLS guides for integrating with Azure AD ROPC.  However, I cannot find any documentation that says PEAP is not supported or supported.    Long question short.  Can I forklift out using on prem AD to Azure AD without changing the authentication method?

If the answer is no, is there any documentation to this effect from Cisco?


1 Accepted Solution

Accepted Solutions

Azure AD supports 2 protocols: SAML and OAuth. The purpose of both of these protocols is for third-party identity verification on the open internet between a resource owner (user), a resource provider (typically a website/service somewhere on the Internet), and an identity provider. Of course all of this assumes the resource owner has an IP address and can connect to these sites on the Internet. However we are talking about using OAuth with AAD in this case for 802.1X user authentication at layer 2 before the user ever gets an IP address. So that model totally breaks.

For ISE 3.0 and later, ISE uses the OAuth ROPC authentication method with Azure AD to proxy the users' unencrypted username and password sent with PAP in the EAP-TTLS tunnel. This allows us to perform the authentication on the user's behalf (ROPC method) since they will not yet have an IP address to perform the SAML or OAuth dances with the Identity Provider and the desired resource provider (ISE for network access in this case). Once the user has been authenticated, ISE has the ability to look up the user's group information in AAD, map that to an authorization rule, and allow the appropriate network access (or not).

PEAP does not support the unencrypted PAP authentication method so it cannot be used. Similar, maybe, but not equivalent.
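The flow the accepted answer describes, as an added offline model that is not Cisco's or Microsoft's code: the RADIUS server only sees the inner-method payload inside the TLS tunnel, and only EAP-TTLS/PAP hands it the cleartext password it needs to build an OAuth 2.0 ROPC grant (RFC 6749 section 4.3). PEAP's usual inner method, EAP-MSCHAPv2, carries a challenge/response instead, so no ROPC request can be formed. The tenant id, client id, scope, user table, group names and the stand-in token endpoint are all constructed placeholders; the MS-CHAPv2 response is a simplified keyed-hash stand-in, not the real NT-Response computation.

```python
"""
Offline model of the ISE-to-Azure-AD ROPC flow (added example, not vendor code).
  1. Inner-method payload as seen inside the TLS tunnel:
     EAP-TTLS/PAP carries the cleartext password; PEAP/EAP-MSCHAPv2 carries
     only a challenge and a response derived from it.
  2. The OAuth 2.0 ROPC token request a proxy would build from a PAP payload.
  3. A constructed stand-in identity provider that answers the grant with
     group claims, which are then mapped to an authorization result.
All identifiers below are placeholders/assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, parse_qs
import hashlib
import hmac
import secrets

TENANT = "00000000-0000-0000-0000-000000000000"    # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app registration
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"     # assumed scope value


@dataclass
class InnerAuth:
    method: str                       # "PAP" or "EAP-MSCHAPv2"
    username: str
    password: Optional[str] = None    # present only for PAP
    challenge: Optional[bytes] = None  # present only for MSCHAPv2
    response: Optional[bytes] = None


def pap_payload(user: str, pw: str) -> InnerAuth:
    return InnerAuth("PAP", user, password=pw)


def mschapv2_payload(user: str, pw: str) -> InnerAuth:
    # Stand-in for MS-CHAPv2 (the real NT-Response uses MD4 and DES): the
    # supplicant proves knowledge of the password through a keyed function of
    # a challenge; the password itself never crosses the tunnel.
    chal = secrets.token_bytes(16)
    resp = hmac.new(pw.encode(), chal, hashlib.sha256).digest()
    return InnerAuth("EAP-MSCHAPv2", user, challenge=chal, response=resp)


def build_ropc_request(inner: InnerAuth):
    """Return (url, form_body) for an ROPC grant, or None when the inner
    method does not expose the cleartext password."""
    if inner.method != "PAP" or inner.password is None:
        return None
    body = urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "username": inner.username,
        "password": inner.password,
    })
    return TOKEN_URL, body


# Constructed stand-in for the token endpoint: user -> (password, groups).
USERS = {
    "alice@example.com": ("Correct-Horse-Battery", ["NetAdmins"]),
    "bob@example.com": ("hunter2", ["Contractors"]),
}


def fake_token_endpoint(form_body: str) -> dict:
    f = {k: v[0] for k, v in parse_qs(form_body).items()}
    if f.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    rec = USERS.get(f.get("username", ""))
    if rec is None or not hmac.compare_digest(rec[0], f.get("password", "")):
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-token", "groups": rec[1]}


# Constructed group -> authorization profile mapping.
GROUP_TO_AUTHZ = {"NetAdmins": "PERMIT_FULL", "Contractors": "PERMIT_GUEST_VLAN"}


def authenticate(inner: InnerAuth):
    """End-to-end decision the RADIUS server would make for one inner payload."""
    req = build_ropc_request(inner)
    if req is None:
        return ("REJECT", f"{inner.method} does not expose the cleartext password needed for ROPC")
    _url, body = req
    tok = fake_token_endpoint(body)
    if "error" in tok:
        return ("REJECT", tok["error"])
    for group in tok["groups"]:
        if group in GROUP_TO_AUTHZ:
            return ("ACCEPT", GROUP_TO_AUTHZ[group])
    return ("ACCEPT", "PERMIT_DEFAULT")


if __name__ == "__main__":
    print(authenticate(pap_payload("alice@example.com", "Correct-Horse-Battery")))
    print(authenticate(mschapv2_payload("alice@example.com", "Correct-Horse-Battery")))
```

Running it shows the PAP payload resolving to an authorization profile through the grant and group lookup, while the MSCHAPv2 payload is rejected before any request to the identity provider can be formed, which is the "similar, but not equivalent" point above.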


3 Replies

thomas
Cisco Employee

PEAP is not supported for Azure Active Directory.

Microsoft Azure AD is not the same as on-premise AD! See Compare Active Directory to Azure Active Directory. Your authentication choices with Azure AD are SAML and OAuth because it is a cloud-based identity platform. You cannot perform traditional Microsoft-y AD domain logins with Kerberos over the open internet to AAD.

Funny how people prefer to ask Cisco about Microsoft products' capabilities.  8-)

Never said I didn't.  This link does not say PEAP is not supported.  However there is a Cisco ISE 3.2 document that does state that Cisco ISE can use Azure Graph API to fetch the user’s groups and other attributes for that user using EAP-TLS.  Nothing stated that PEAP cannot be used.   However, with my research so far it seems that AzureAD can only be used as an authorize only or inner method for EAP-TTLS....  PEAP and EAP-TTLS are very similar..

Still curious.
