Cisco ISE and NetScaler, Entra ID

Jay233
Level 3

Hi All,

Got an issue with trying to get ISE to authenticate and authorise clients from a NetScaler to local AD but also using MFA to Entra.

I've got ISE configured for NADs, policy sets and REST ID with Azure Active Directory, for some reason clients auth to local AD fine but the MFA to Entra back to NetScaler isn't working.

Configured REST Auth services on ISE, REST external identity sources working fine and can see Entra groups etc. ISE integration into Entra as per this doc https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html.

ROPC (OAuth 2.0 Resource Owner Password Credentials) seems to be the issue; client diags indicate that it tries Entra external but says authentication not supported?

Has anyone tried this or have doc examples? Anyone enabled or using Entra pass-through authentication as suggested by Microsoft, as they say it supports ROPC?

Microsoft say -

Warning

Microsoft recommends you do not use the ROPC flow; it's incompatible with multifactor authentication (MFA). In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable. ROPC is not supported in hybrid identity federation scenarios (for example, Microsoft Entra ID and AD FS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Microsoft Entra ID is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.
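The Microsoft warning above turns on one mechanical fact: an ROPC request is a single HTTP POST carrying the user's cleartext password, with no place for a second factor, so when Conditional Access demands MFA the token endpoint can only answer with an interaction_required error. The following Python is an added example written for this thread, not code from the original post, Cisco or Microsoft. It builds the RFC 6749 section 4.3 password-grant body for the Microsoft identity platform v2.0 token endpoint and classifies constructed sample responses modelled on the real AADSTS50076 (MFA required), AADSTS50079 (MFA enrolment required) and AADSTS50126 (bad credentials) codes; the tenant, client ID and credentials are placeholders, and nothing is sent over the network.

```python
"""Why an ROPC (password grant) request cannot satisfy an Entra MFA requirement.

Added example for the thread above; not code from the original post, Cisco ISE
or Microsoft. Assumptions (labelled): the body follows RFC 6749 section 4.3 and
the Microsoft identity platform v2.0 token endpoint; the sample responses are
constructed to mirror the AADSTS50076/50079/50126 error shapes.
"""
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Entra codes meaning "an interactive step is required". ROPC has no
# interactive step, so a client that sees one of these can never finish.
INTERACTION_REQUIRED_CODES = {
    "50076": "MFA required by Conditional Access; ROPC cannot prompt for it",
    "50079": "user must enrol for MFA; ROPC cannot prompt for it",
}


def build_ropc_request(tenant, client_id, username, password, scope):
    """Return (url, urlencoded_body) for an RFC 6749 section 4.3 password grant.

    The body carries the raw password, which is why the flow demands so much
    trust in the application. Note for RADIUS front ends: an MS-CHAPv2 request
    carries a challenge/response, not the cleartext password, so a RADIUS proxy
    could not even assemble this body from such a request; PAP is the only
    RADIUS method that hands the proxy the cleartext password.
    """
    body = {
        "grant_type": "password",   # the ROPC grant type per RFC 6749 4.3.2
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def extract_aadsts_code(error_description):
    """Pull the numeric code out of an 'AADSTSnnnnn: ...' error_description."""
    for token in error_description.split():
        if token.startswith("AADSTS"):
            return token[len("AADSTS"):].rstrip(":")
    return None


def classify_token_response(response_json):
    """Classify a token-endpoint JSON response.

    Returns 'token', 'interaction_required', 'bad_credentials' or 'other'.
    'interaction_required' is the outcome an ROPC client gets when MFA is
    enforced: it is not a credential failure and retrying will not help.
    """
    if "access_token" in response_json:
        return "token"
    error = response_json.get("error")
    code = extract_aadsts_code(response_json.get("error_description", ""))
    if error == "interaction_required" or code in INTERACTION_REQUIRED_CODES:
        return "interaction_required"
    if error == "invalid_grant" and code == "50126":
        return "bad_credentials"
    return "other"


# Constructed sample responses (shape follows the identity platform's error
# format; the application ID and token value are made up for this example).
SAMPLE_MFA_REQUIRED = {
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by "
    "your administrator, or because you moved to a new location, you must use "
    "multi-factor authentication to access '00000000-0000-0000-0000-000000000000'.",
    "error_codes": [50076],
}
SAMPLE_BAD_PASSWORD = {
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
    "invalid username or password.",
    "error_codes": [50126],
}
SAMPLE_TOKEN = {"token_type": "Bearer", "access_token": "eyJ.constructed.sample",
                "expires_in": 3599}

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.example", "placeholder-app-id",
                                   "user@contoso.example", "placeholder-pw",
                                   "openid")
    print(url)
    print(body)
    for name, sample in (("MFA enforced", SAMPLE_MFA_REQUIRED),
                         ("wrong password", SAMPLE_BAD_PASSWORD),
                         ("no MFA policy", SAMPLE_TOKEN)):
        print(f"{name}: {classify_token_response(sample)}")
```

Running the script shows the three outcomes side by side: with no MFA policy the single POST yields a token, with a wrong password it yields a credential error, and with MFA enforced it yields interaction_required, which is exactly the "authentication not supported" dead end an ROPC-based integration hits.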

2 Replies

Greg Gibbs
Cisco Employee

Just because pass-through authentication is supported with ROPC, does not mean that using MFA with pass-through authentication is supported with ROPC. If you are expecting MFA to work in that scenario, you might need to confirm with Microsoft if that is possible.

I'm not aware of any way to make Entra MFA work with ROPC flows in ISE. In the examples and testing I've done, MFA needs to be disabled via Conditional Access or other methods for all ROPC-based flows.

I'm not sure what use case this is with Netscaler, but if it is a VPN flow you might consider using SAML against Entra ID directly with the headend, then using RADIUS to ISE with Authorize Only (if Netscaler supports that).
This is the way you would accomplish VPN with MFA on Cisco ASA/FTD headends.

Hi Greg,

Appreciate your response. The use case currently in use is NetScaler > NPS + Extension > Azure MFA; the assumption was that ISE could take over that role from NPS and provide RADIUS (MS-CHAPv2) and MFA support.