Cisco ISE Domain Joined Computer check doesn't work with Azure SAML

jkaberna1
Level 1

The environment is Cisco ISE 3.2 patch 4 and Cisco ASA 9.16.4. The computer is a Win10 laptop running the latest Cisco Secure Client 5 (AnyConnect). We have domain controllers hosted in Azure and also Entra ID in Azure. I previously set up ISE for both authentication and authorization using regular RADIUS and also the ISE posture module. ISE has an authorization policy that checks that the computer is joined to the domain. That worked perfectly with ISE.

However, they want to use Microsoft Authenticator as the MFA, so my two options are Azure SAML (which is what I deployed) or having a second pair of NPS servers as secondary RADIUS to handle the MFA portion. Is there a way to get the domain-join AD authorization to work with this setup? If not, can Entra ID be used somehow? My instructions are to not add Intune, so that is probably not an option. The network team wants to have the least amount of reliance on other groups, so the less involvement from the AD/Azure teams the better. Checking whether a computer is part of the domain is fundamental and doesn't have many moving parts to break.

I have this in a lab setup so I can share whatever screenshots are needed.  Thanks in advance everyone!

3 Replies

Greg Gibbs
Cisco Employee

I'm not sure if I understand your use case completely. You mention ASA, so I assume this is a Remote Access VPN use case.

If you want to use Entra ID as the external Identity Store + MFA with ISE authorization, the flow would be Client -> ASA -> SAML (Entra ID + MFA) -> ISE Authorize Only.

AFAIK, when using SAML + Certificate for VPN, only the User Certificate is supported. I don't believe there is a way to authenticate both the User and Device (an Entra ID Device is not the same as an AD Computer) with SAML. As such, ISE would have no visibility of the device credential for Authorization.

If I've misunderstood your use case, please provide more clarity.

Hi Greg. Yes, it is an RAVPN. I think you're understanding correctly. So if computer authorization through regular AD or Entra ID isn't possible, is there some other workaround? The requirement is to only allow domain-joined computers to authenticate/authorize to the RAVPN but also support Microsoft Authenticator MFA. I was hoping to avoid using a separate Microsoft NPS server to handle the MFA part. We're also doing posturing, so if there's a way through the ISE posture module that would work too. I just couldn't find anything obvious or a sample config on how to do a domain check with the posture module.

hslai
Cisco Employee

@jkaberna1 ISE 3.2 has this Posture Condition Script Support if the other ISE posture checks are not good enough in validating domain-joined computers.
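As an added example (not part of the thread and not Cisco's code), here is what a Windows script condition for the domain-join check asked about above could look like. The domain name corp.example.com is a placeholder, and the exit-code convention (0 means the condition is met, anything else means it is not) and the rights the posture agent runs the script with are assumptions to confirm against the ISE 3.2 posture script documentation before relying on them.

```powershell
# Added example (not from the thread or from Cisco): a Windows posture condition
# script that passes only when the endpoint is joined to the expected AD domain.
# Assumptions, to confirm against the ISE 3.2 posture documentation:
#   - ISE treats exit code 0 as "condition met" and non-zero as "not met";
#   - the posture agent runs the script with enough rights to query CIM and
#     (optionally) test the machine account's secure channel.

$ExpectedDomain       = 'corp.example.com'   # hypothetical AD DNS domain; replace with yours
$RequireSecureChannel = $false               # $true = also fail when the DC trust cannot be verified

function Test-DomainJoin {
    param(
        [string]$Expected,
        [bool]$StrictTrust
    )

    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
    } catch {
        Write-Host "Win32_ComputerSystem query failed: $($_.Exception.Message)"
        return $false
    }

    # Win32_ComputerSystem.PartOfDomain is $false for workgroup machines.
    if (-not $cs.PartOfDomain) {
        Write-Host "Not domain joined (workgroup: $($cs.Workgroup))"
        return $false
    }

    # Compare against the expected DNS domain name (-ne is case-insensitive),
    # so a machine joined to some other domain with PartOfDomain set does not pass.
    if ($cs.Domain -ne $Expected) {
        Write-Host "Joined to '$($cs.Domain)', expected '$Expected'"
        return $false
    }

    # Optional: verify the machine account's secure channel to a DC. This needs a
    # reachable DC, so behind a restrictive posture ACL it may fail for network
    # reasons rather than trust reasons; StrictTrust decides whether that fails the check.
    try {
        $trusted = Test-ComputerSecureChannel -ErrorAction Stop
        if (-not $trusted) {
            Write-Host "Secure channel to $Expected is broken"
            if ($StrictTrust) { return $false }
        }
    } catch {
        Write-Host "Secure channel test unavailable: $($_.Exception.Message)"
        if ($StrictTrust) { return $false }
    }

    Write-Host "Domain join verified for $($cs.Name).$($cs.Domain)"
    return $true
}

# Exit code is what the posture agent reports back to ISE (assumed: 0 = pass).
if (Test-DomainJoin -Expected $ExpectedDomain -StrictTrust $RequireSecureChannel) {
    exit 0
} else {
    exit 1
}
```

Diagnostics go to Write-Host rather than Write-Output so they do not pollute the function's return value; only the boolean decides the exit code. Note what this does and does not prove: it is a client-side assertion evaluated by the posture agent on the endpoint, so it does not give ISE a device credential (the gap Greg Gibbs describes above), and a user with admin rights on a non-joined machine is in a position to tamper with what the agent reports. Comparing the domain name and, where a DC is reachable, requiring the secure-channel test are what keep this check from being satisfied by any machine that merely has PartOfDomain set.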