CIsco ISE 802.1x EAP-TLS authentication with Entra ID

cuiL · ‎06-09-2025

Our customer exisitng environment all PC join to entra id and no any infra in on-premise

Now. they would like to implement new Wi-FI with kind of this solutions but it's look like very new for us and less experience

Therefore, may I asking in this community that anyone have experience to implement this solution on production.

Also, with this is any concern point or this solutions is good idea to go with it?

Greg Gibbs · ‎06-10-2025

ISE cannot currently perform any Device Authorization against Entra ID. The only option would to Authenticate based on a trusted certificate and authorize based on values in the certificate.

See https://cs.co/ise-entraid

paulwelchh · ‎06-10-2025

Thanks, Greg, that’s helpful. Just to clarify, if we're going with EAP TLS and relying only on certificate-based authentication and authorization, since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?

Also, has anyone tried integrating any third-party solutions to bridge Entra ID device context into ISE policies, or is that still mostly a manual workaround?

Appreciate any insights from folks who've deployed something similar.

Greg Gibbs · ‎06-10-2025

"since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?"

Yes. If you need to provide differentiated levels of authorization between devices, they would need to have different certificate values that ISE could match on.

An enhancement for Device Authorization against Entra ID is coming in ISE 3.5 (currently in public beta), so more details will be provided on that enhancement when it is available.

MSJ1 · ‎10-07-2025

Hello @Greg Gibbs

Now that version 3.5 came available for public and partners started looking into ISE 802.1x for Entra ID Joined machines.

My question refer to this statement mentioned at release notes 3.5

1.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-ise-release-notes-35.html

"During authentication, Cisco ISE evaluates the certificate presented by the user or device, without directly accessing Microsoft Entra ID. "

Which Certificate user / device will present ? Since Laptops are Entra ID Joined , they are not domain joined since PKI cannot generate user or Device Cert for a non domain joined machine. Or I am missing some point here. ?

Greg Gibbs · ‎10-07-2025

Windows PCs still have a distinct User and Computer state and separate certificate stores for each. If the supplicant is configured for 'User or Computer Authentication' it will present the certificate relevant to the state. This is described in my blog referenced earlier.

I have also updated that blog with the Device Authorization use case available from ISE 3.5 - https://cs.co/ise-entraid#DeviceQuery

MaErre21325 · ‎10-08-2025

Hi @Greg Gibbs

i was following the link you posted, already upgraded to 3.5, but in the authorization policy i'm unable to see the Device·ExternalGroups.
This is the screenshot of the available choices:

How can i have the device attribute from the list?

Thank you

Regards

Greg Gibbs · ‎10-08-2025

Have you enabled and configured the Device Query settings as per the Admin Guide?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb