06-30-2024 10:28 AM
Hi All,
We have set up Cisco ISE Dot1x Authentication with Azure AD using REST (ROPC). At the endpoint, we are using native Windows supplicant with EAP TTLS and PAP as the Inner Authentication Method.
The issue we are observing is that when the user password expires at the Azure AD level, the user cannot connect to the network. The user has to call the endpoint help desk team to get a new password.
My question is: without Dot1x, does Windows allow you to set a new password when the current one expires? Why is there no provision for the user to set a new password when the password expires in a Dot1x environment?
Is this a limitation on the ISE side or a Windows native supplicant limitation?
06-30-2024 12:54 PM
Hi,
This is a limitation with ROPC and Azure AD/Entra ID; any interruption to a ROPC flow, such as a password change or MFA, is not supported.
You can see more about this here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
"ROPC doesn’t work when there's any interruption to the authentication flow that needs user interaction. For example, when a password expires or needs to be changed, multifactor authentication is required, or when more information needs to be collected during sign-in (for example, user consent)."
On a related note, generally I prefer using certificates for 802.1x authentication.
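As an added illustration of the ROPC limitation described above (this code is not part of any post in the thread): the form body a client such as ISE posts for the grant, and a classifier showing that once Entra's token endpoint answers with an interaction-required AADSTS code, a RADIUS server has no next step to offer the supplicant. Tenant, client id, credentials and the sample responses are constructed placeholders; the AADSTS codes are standard Entra ID codes assumed here.

```python
import json
from urllib.parse import urlencode

# Entra ID v2.0 token endpoint used by the ROPC grant ({tenant} is a placeholder).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Assumed (well-known) AADSTS codes Entra returns when sign-in would need user
# interaction. ROPC has no browser, so none of these can be continued.
INTERACTION_REQUIRED = {
    50055: "password expired",
    50076: "MFA required",
    50079: "MFA enrollment required",
    65001: "consent required",
}


def build_ropc_request(client_id, username, password, scope="openid profile"):
    """Form body posted for a ROPC grant. Note the cleartext password: this is why
    the inner EAP-TTLS method must be PAP, so ISE actually holds the password."""
    return urlencode({
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })


def classify_token_response(body):
    """Map a token endpoint response to the only decision an 802.1X AAA server
    can make: accept or reject. Returns (decision, reason)."""
    data = json.loads(body)
    if "access_token" in data:
        return ("accept", "token issued")
    for code in data.get("error_codes", []):
        if code in INTERACTION_REQUIRED:
            reason = INTERACTION_REQUIRED[code]
            return ("reject", f"AADSTS{code}: {reason} (needs interactive sign-in)")
    return ("reject", data.get("error_description", data.get("error", "unknown error")))


# Constructed sample responses following the token endpoint's shape (not real captures).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "access_token": "eyJ.constructed"})
SAMPLE_EXPIRED = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50055: The password is expired.",
    "error_codes": [50055],
})
```

In ISE live logs the AADSTS code from the rejected response is the quickest way to tell an expired password or an MFA prompt apart from a plain wrong password.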
06-30-2024 06:12 PM
Thanks Jonatan,
Is my understanding regarding ISE with Azure AD correct?
We have only 2 options to authenticate users with Azure AD:
1. Using EAP-TLS; however, this requires a PKI infrastructure on the Azure AD side that can issue certificates for users and computers.
2. Using EAP-TTLS with PAP as the inner method, with the limitation of ROPC.
06-30-2024 08:05 PM
To be clear...
More details on the current use cases and options in relation to ISE, Entra ID, and Intune can be found in this blog.
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune
07-06-2024 09:44 AM
Hi Greg,
Can you verify if my understanding is correct regarding EAP-TLS?
I believe for EAP-TLS to work with Azure AD we should enable and configure Microsoft Entra certificate-based authentication (CBA) first.
For Microsoft Entra CBA, a Public Key Infrastructure (PKI) is required for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices.
07-07-2024 03:07 PM
@jitendrac .. No. As stated in the MS documentation for CBA, it "enables customers to allow or require users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in". Neither of those scenarios are related to the Windows 802.1x supplicant.
Using EAP-TLS for 802.1x authentication (purely against ISE, in this case) still requires the User and/or Device certificate enrolment. This would typically be done by Intune which would need integration with a PKI of some sort. That could be AD CS (as discussed in my blog), the MS Cloud PKI, or another solution like SCEPman.