Solved: Re: CIsco ISE 802.1x EAP-TLS authentication with Entra ID

cuiL · ‎06-09-2025

Our customer exisitng environment all PC join to entra id and no any infra in on-premise

Now. they would like to implement new Wi-FI with kind of this solutions but it's look like very new for us and less experience

Therefore, may I asking in this community that anyone have experience to implement this solution on production.

Also, with this is any concern point or this solutions is good idea to go with it?

Greg Gibbs · ‎10-08-2025

Have you enabled and configured the Device Query settings as per the Admin Guide?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb

View solution in original post

MaErre21325 · ‎10-10-2025

Yes, i've read later your guide, now it works.
Thanks as always for your advices!

View solution in original post

Greg Gibbs · ‎06-10-2025

ISE cannot currently perform any Device Authorization against Entra ID. The only option would to Authenticate based on a trusted certificate and authorize based on values in the certificate.

See https://cs.co/ise-entraid

paulwelchh · ‎06-10-2025

Thanks, Greg, that’s helpful. Just to clarify, if we're going with EAP TLS and relying only on certificate-based authentication and authorization, since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?

Also, has anyone tried integrating any third-party solutions to bridge Entra ID device context into ISE policies, or is that still mostly a manual workaround?

Appreciate any insights from folks who've deployed something similar.

Greg Gibbs · ‎06-10-2025

"since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?"

Yes. If you need to provide differentiated levels of authorization between devices, they would need to have different certificate values that ISE could match on.

An enhancement for Device Authorization against Entra ID is coming in ISE 3.5 (currently in public beta), so more details will be provided on that enhancement when it is available.

MSJ1 · ‎10-07-2025

Hello @Greg Gibbs

Now that version 3.5 came available for public and partners started looking into ISE 802.1x for Entra ID Joined machines.

My question refer to this statement mentioned at release notes 3.5

1.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html

"During authentication, Cisco ISE evaluates the certificate presented by the user or device, without directly accessing Microsoft Entra ID. "

Which Certificate user / device will present ? Since Laptops are Entra ID Joined , they are not domain joined since PKI cannot generate user or Device Cert for a non domain joined machine. Or I am missing some point here. ?

Greg Gibbs · ‎10-07-2025

Windows PCs still have a distinct User and Computer state and separate certificate stores for each. If the supplicant is configured for 'User or Computer Authentication' it will present the certificate relevant to the state. This is described in my blog referenced earlier.

I have also updated that blog with the Device Authorization use case available from ISE 3.5 - https://cs.co/ise-entraid#DeviceQuery

MaErre21325 · ‎10-08-2025

Hi @Greg Gibbs

i was following the link you posted, already upgraded to 3.5, but in the authorization policy i'm unable to see the Device·ExternalGroups.
This is the screenshot of the available choices:

How can i have the device attribute from the list?

Thank you

Regards

Greg Gibbs · ‎10-08-2025

Have you enabled and configured the Device Query settings as per the Admin Guide?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb

MaErre21325 · ‎10-10-2025

Yes, i've read later your guide, now it works.
Thanks as always for your advices!

MSJ1 · ‎10-28-2025

@Greg Gibbs

Refer to following URL and specific to license - what type of license we will need if we want to use Entra ID Device Certificate based authentication ?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_eyb_rz1_gnb

""In the Device Attributes tab, click Add.

These attributes are displayed based on the deployed licenses. Check the check boxes next to the device attributes for which you want to fetch values from the Entra ID.""

Greg Gibbs · ‎10-28-2025

This is documented in the licensing guide - https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html#35ISELicenserequirementsforDisplayingEntraIDDeviceAttributesintheGUI

MSJ1 · ‎10-29-2025

@Greg Gibbs During REST ID Store Integration with ISE is there a way we can use Cert as Authentication rather than using "Client Secret" ? From ISE External Identity Sources Section for REST I do not see Cert as an Option rather than "Client Secret" field.

Also for REST ID Integration with Azure from ISE what are the Firewall Rule Requirement's ?

Greg Gibbs · ‎10-29-2025

No. The documented method using secrets is the only supported method for integration.

The required URLs are documented in the Installation Guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_7.html#required-internet-urls

MSJ1 · ‎10-29-2025

@Greg Gibbs Do you see any security risk since it is Client Secret ? Can you share any insight if in upcoming release it will bring the option for cert based binding rather than Client Secret ?