I have an ISE 3.2 (patch5) instance with AAD integration and configured policies for wireless Dot1X. I have only configured user/group authentication and authorization, and there are no device-based policies.
Currently all Apple devices cannot authenticate because they are trying to authenticate using protocols that Azure does not support, such as EAP-FAST. As per my knowledge, Azure-ISE integration (ROPC) only supports EAP-TTLS with PAP (no other inner methods). I also tried disabling protocols to force clients to use EAP-TTLS with PAP, and also tried with ISE 3.3, but it didn't work.
I also found a workaround that uses Intune to configure client devices, but the BYOD requirement needs agentless device authorization based on AAD group.
Any suggestions or workarounds?