04-17-2025 01:54 AM - edited 04-17-2025 01:54 AM
Hello,
I have some questions after going through the great post from @Greg Gibbs, "Cisco ISE with Microsoft Active Directory, Entra ID, and Intune - Cisco Community", specifically about the section on user attributes from Entra ID.
1) There it is stated that starting with ISE 3.2 version patch 4, all those user attributes are available to use in Authorization policies. I have a working setup using ISE 3.3 version patch 2 where I followed exactly "Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory". However, the only information I see coming from Entra-ID is the groups the user belongs to. What additionally needs to be configured so ISE can receive more information via Graph API from Entra-ID, to match in the Authorization policies anything from the list you mention? Note: Entra-ID permissions are exactly the ones shown in the guide.
2) Additionally, I am exploring user attributes to see if we can use one of those on the list, or even a custom attribute in Entra-ID, to receive from Entra-ID the IP address assigned to a user so it can be sent towards an ASA via RADIUS. This is to mirror what is explained in "Configure a Static IP Address on an AnyConnect Remote Access VPN with ISE and AD - Cisco", but instead of using AD, using Azure Entra-ID. Do you recommend any documents to fill the gaps to achieve this with Entra-ID (meaning how to build this custom attribute and then map it through ISE dictionaries)?
Thank you in advance!
06-08-2025 08:43 AM
Nobody?
06-10-2025 08:19 PM
To use User Attributes from Entra ID in your AuthZ Policies, the only requirement I'm aware of (apart from the API permissions) is stated in the ISE UI.
"To use some Microsoft Entra ID Attributes in Cisco ISE authentication flows, you must have premium licenses in your Microsoft Entra ID account"
ISE uses specific API calls to gather this information from the Graph API. Custom attributes in Entra ID would require the use of API calls that ISE does not currently use, so that would not be possible at this time.