Cisco ISE + Azure AD Integration (ROPC)

Has anyone come across a similar case to the one below?

I have an ISE 3.2 (patch 5) instance with AAD integration and configured policies for wireless Dot1X. I have only configured user/group authentication and authorization; there are no device-based policies.

Currently, all Apple devices cannot authenticate because they are trying to authenticate using protocols that Azure does not support, such as EAP-FAST. As per my knowledge, the Azure-ISE integration (ROPC) only supports EAP-TTLS with PAP (no other inner methods). I also tried disabling protocols to force clients to use EAP-TTLS with PAP, and also tried ISE 3.3, but it didn't work.

I also found a workaround using Intune to configure client devices, but the BYOD requirement needs agentless device authorization based on AAD group.

Any suggestions or workarounds?


Greg Gibbs
Cisco Employee

AFAIK, there is no way to configure macOS to use EAP-TTLS[PAP] except by creating and installing a Wi-Fi profile. This can be done manually using something like Apple Configurator (you would have to provide the XML to the users to install) or using an MDM like Intune or Jamf Pro.

Another option would be using a portal-based flow with SAML/OAuth2 authentication against Entra ID.
https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-azure-ad/ta-p/4400675
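The Wi-Fi profile the reply refers to, written out as an added example that is not part of the original thread and is not Cisco's or Apple's own code: an Apple configuration profile (`.mobileconfig`) that pins the client to EAP-TTLS (EAP type 21) with PAP as the inner method, so a Mac, iPhone or iPad joins the SSID with the only method the ISE-to-Entra ROPC integration accepts. The SSID `CORP-WIFI`, the server name `ise.example.com`, the identifiers and the UUIDs are placeholders to replace with your own values, and the CA payload needs the base64 DER of the CA that issued the ISE EAP certificate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1: trust anchor for the ISE EAP server certificate.
         Replace the <data> body with the base64-encoded DER of your issuing CA. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.byod.ca</string>
      <key>PayloadUUID</key>
      <string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadDisplayName</key>
      <string>Example ISE issuing CA (placeholder)</string>
      <key>PayloadContent</key>
      <data>BASE64-DER-OF-ISE-ISSUING-CA-GOES-HERE</data>
    </dict>
    <!-- Payload 2: the Wi-Fi network, locked to EAP-TTLS with inner PAP. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.byod.wifi</string>
      <key>PayloadUUID</key>
      <string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadDisplayName</key>
      <string>Corporate Wi-Fi (EAP-TTLS/PAP)</string>
      <key>SSID_STR</key>
      <string>CORP-WIFI</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>AutoJoin</key>
      <true/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 21 = EAP-TTLS; listing only this type prevents the client
             from offering EAP-FAST or PEAP, which the ROPC flow cannot serve. -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>21</integer>
        </array>
        <!-- Inner method: PAP, the only inner method ISE can forward to Entra ID via ROPC. -->
        <key>TTLSInnerAuthentication</key>
        <string>PAP</string>
        <!-- Server identity check: the EAP certificate must chain to the CA above
             and carry one of these names. Without this, any AP presenting a
             certificate could harvest the cleartext inner password. -->
        <key>TLSTrustedServerNames</key>
        <array>
          <string>ise.example.com</string>
        </array>
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>11111111-1111-1111-1111-111111111111</string>
        </array>
        <!-- UserName/UserPassword deliberately omitted: the user is prompted
             for their Entra ID credentials at join time instead of embedding them. -->
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.byod</string>
  <key>PayloadUUID</key>
  <string>33333333-3333-3333-3333-333333333333</string>
  <key>PayloadDisplayName</key>
  <string>BYOD Wi-Fi (EAP-TTLS/PAP)</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
</dict>
</plist>
```

The file can be opened directly on a Mac or iOS device to install, pushed through Apple Configurator, or uploaded unchanged to Intune or Jamf Pro as a custom profile. Because PAP carries the password in cleartext inside the TTLS tunnel, the two lines that matter most are `TLSTrustedServerNames` and `PayloadCertificateAnchorUUID`: leaving them out makes the join work just as well, but lets the device authenticate to any network that presents the same SSID. The profile is signed in the same way as any other configuration profile if you want to prevent tampering before distribution.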