Cisco ISE 802.1x EAP-TLS authentication with Entra ID

cuiL
Level 1

Our customer's existing environment has all PCs joined to Entra ID and no infrastructure on-premises.

Now they would like to implement a new Wi-Fi with this kind of solution, but it looks very new to us and we have less experience with it.

Therefore, may I ask in this community whether anyone has experience implementing this solution in production?

Also, are there any points of concern with this, or is this solution a good idea to go with?

3 Replies

Greg Gibbs
Cisco Employee

ISE cannot currently perform any Device Authorization against Entra ID. The only option would be to authenticate based on a trusted certificate and authorize based on values in the certificate.

See https://cs.co/ise-entraid


paulwelchh
Level 1

Thanks, Greg, that’s helpful. Just to clarify, if we're going with EAP TLS and relying only on certificate-based authentication and authorization, since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?

Also, has anyone tried integrating any third-party solutions to bridge Entra ID device context into ISE policies, or is that still mostly a manual workaround?

Appreciate any insights from folks who've deployed something similar.

"since device lookup via Entra ID isn't currently possible, would that mean all policy decisions in ISE would need to be based purely on certificate attributes like SAN or OU?"

Yes. If you need to provide differentiated levels of authorization between devices, they would need to have different certificate values that ISE could match on.

An enhancement for Device Authorization against Entra ID is coming in ISE 3.5 (currently in public beta), so more details will be provided on that enhancement when it is available.
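To make concrete what "policy decisions based purely on certificate attributes" means in practice, here is an added Python model (not Cisco's or ISE's code) of the two steps described above: authenticate by checking the issuer is the trusted CA, then authorize by first-match rules over Subject OU and Subject Alternative Name values, with deny as the default. The issuer DN, OU names, UPN domain, profile names and sample certificates are all constructed assumptions.

```python
"""Model of authorization driven purely by certificate attributes.

Constructed illustration, not Cisco/ISE code: step 1 (authentication) checks
the certificate was issued by the trusted CA; step 2 (authorization) walks an
ordered rule list over Subject OU and SAN values, first match wins, else deny.
"""
import re

TRUSTED_ISSUER = "CN=Contoso Device CA,O=Contoso"  # assumed trusted CA DN


def parse_dn(dn):
    """Split an RFC 4514 DN string into (type, value) pairs, honouring '\\,'."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):           # split on unescaped commas
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def dn_values(dn, attr_type):
    """All values of one attribute type (e.g. every OU) in a DN."""
    return [v for k, v in parse_dn(dn) if k == attr_type.upper()]


# Ordered rules, first match wins: (rule name, predicate, authorization profile).
# Devices needing different access levels must carry different cert values.
RULES = [
    ("Finance laptops",
     lambda c: "Finance" in dn_values(c["subject"], "OU"),
     "Finance-VLAN"),
    ("IT admins",
     lambda c: "IT" in dn_values(c["subject"], "OU")
     and any(s.lower().endswith("@corp.example") for s in c["san"]),
     "Admin-Access"),
]


def authorize(cert):
    """Return (matched rule, profile); untrusted issuer or no match -> deny."""
    if parse_dn(cert["issuer"]) != parse_dn(TRUSTED_ISSUER):
        return ("Authentication failed", "DenyAccess")
    for name, matches, profile in RULES:
        if matches(cert):
            return (name, profile)
    return ("Default", "DenyAccess")


# Constructed sample certificates, reduced to the attributes ISE would match on.
SAMPLE_CERTS = {
    "laptop01": {"issuer": TRUSTED_ISSUER, "san": ["laptop01@corp.example"],
                 "subject": "CN=laptop01,OU=Finance,O=Contoso"},
    "admin02": {"issuer": TRUSTED_ISSUER, "san": ["admin02@corp.example"],
                "subject": "CN=admin02,OU=IT,O=Contoso"},
    "rogue": {"issuer": "CN=Other CA,O=Elsewhere", "san": ["x@corp.example"],
              "subject": "CN=rogue,OU=IT,O=Contoso"},   # right OU, wrong CA
    "guest": {"issuer": TRUSTED_ISSUER, "san": [],
              "subject": "CN=guest,OU=Contractors,O=Contoso"},
}
```

Running `authorize` over `SAMPLE_CERTS` shows the rogue certificate is rejected before any rule is consulted, and the contractor device falls through to the deny default because no rule distinguishes its OU.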