10-14-2021 12:18 AM
Hi all,
We are currently running Cisco ISE 2.7 patch 4 but looking to upgrade to the latest supported release in the next few months.
We currently have a policy set that checks if a computer is in a specific group in Active Directory and if so puts it on a different VLAN.
Our IT strategy is to try and move away from on-premise AD to Azure AD.
Does anyone know of, or has anyone tried to replicate, the same policy set but checking for an Azure AD group rather than native AD? I've had a search through the documentation but I haven't found anything that answers my question.
Thanks
10-14-2021 06:05 AM
Hi @InfraISE2020 ,
I did not test the following, but worth the shot:
1st, at Administration > Identity Management > External Identity Sources > LDAP ... create the AzureAD
2nd, click the AzureAD and at Groups, add the groups
3rd, at Policy > Policy Sets > select your policy and at Authorization Policy > Conditions:
Dictionary: AzureAD
Attributes: ExternalGroups
Equals: <added group>
Hope this helps !!!
10-14-2021 06:36 AM
10-14-2021 03:00 PM
There are multiple conversations in this Community related to Azure AD, but the key point is that Azure AD is not the same as on-prem AD and does not directly support a RADIUS interface. See the following post for a similar discussion related to computer auth via AAD.
10-15-2021 02:56 AM - edited 10-15-2021 02:56 AM
Hi @Greg Gibbs
Thanks for the response.
We use certificates for 802.1x authentication and use AD to lookup computers in a particular group and assign them a certain VLAN.
What we were hoping to do was change the group lookup source from AD to AAD. Do you think this is possible?
Our longer term strategy is to go AAD only however we would need a certificate solution for that before we could go cloud only anyway.
On a separate note - do you know if AAD can be used to log into Cisco ISE rather than on-premise AD?
Thanks
10-15-2021 10:40 PM
Hi @InfraISE2020,
For Admin Access using SAML, you'll have to be on v3.1. Check this in release notes, and also this configuration guide.
I would also like to know what are people doing and what is the recommended way of achieving this when customers are moving to AAD only? Any idea @Greg Gibbs?
I have a customer too wanting to migrate from hybrid to pure AAD. For authentication, we might even be fine (using some certificate deployment from Azure, or hybrid for PKI), but we are using AD group lookup for authorization. The customer is very concerned about migrating to ISE-AAD integration using ROPC, as this can cause huge issues in case of Internet link issues (outage, latency, anything else), as it is a global deployment (e.g. an Internet outage at the primary DC must not affect WiFi across the globe). Also, we already had issues due to increased latency (global deployment spread across the globe) in communication to AD, and I can imagine it can only be worse when using an Internet-based service (especially with frequent authentications like on dot1x).
One way we are thinking is keep using cert-based authentication (as everything is fast there, no dependency of Internet), and use Intune MDM functionality for compliance check (and compliance check is defined in the Intune Conditional Access policy, could be if a user is a member of a group). We like this approach, as we can cache results (concern about frequent reauthentication/authorizations is solved), and we can easily bypass it (of course, with a certain price, but we also solved concern about connectivity outage). What do you think @Greg Gibbs, would this work?
Thanks
BR,
Milos
10-17-2021 02:50 PM
I haven't seen any large organisations that have moved to a pure AAD environment. At this time, I'm not really convinced that the industry
@Milos_Jovanovic, I'm not experienced with Intune so I'm not sure what level/scale of differentiation you can get from compliance policies. I'm not sure it would provide the level that can be provided by AD group lookups for supporting group-based policies if the goal was to have a least-privilege 'zero trust' architecture.
10-18-2021 12:07 AM
@Milos_Jovanovic - We had our environment setup with Intune integration for compliance checks, the problem was that Microsoft had an issue where they marked all devices as non-compliant resulting in devices not connecting to the corporate network, in the end we turned off the compliance checks.
@Greg Gibbs - Our strategy in the next 2 years is to go AAD only, I'm hopeful that ISE will be able to support this environment by then.
10-18-2021 12:25 AM
Thanks @Greg Gibbs.
I realized it is really hard to find experts to talk about this subject, as the whole thing is very new, and no one has field experience. Even in the field of theory, no one is sure how this should work, and what the caveats are when moving to production. I would really like to see some
@InfraISE2020 This happens when you shift everything to someone else, where you don't have control. From the ISE side, everything is fine, as it still relies on external info. Unfortunately, when the received info is faulty, then you can't do much apart from fixing it where it originates, and that is not an easy task most often.
BR,
Milos