Cisco ISE Policy Sets Azure Integration

InfraISE2020
Level 1

Hi all,

We are currently running Cisco ISE 2.7 patch 4 but are looking to upgrade to the latest supported release in the next few months.

We currently have a policy set that checks if a computer is in a specific group in Active Directory and, if so, puts it on a different VLAN.

Our IT strategy is to try and move away from on-premise AD to Azure AD.

Does anyone know of, or has anyone tried, replicating the same policy set but checking for an Azure AD group rather than native AD? I've had a search through the documentation but I haven't found anything that answers my question.

Thanks

 

8 Replies

Hi @InfraISE2020,

I did not test the following, but it is worth a shot:

1st, at Administration > Identity Management > External Identity Sources > LDAP ... create the AzureAD

2nd, click the AzureAD and at Groups, add the groups

3rd, at Policy > Policy Sets > select your policy and at Authorization Policy > Conditions:

Dictionary: AzureAD

Attributes: ExternalGroups

Equals: <added group>

Hope this helps!!!

Hi Marcelo,

Thanks for the reply.

Unfortunately we're still running an older version of ISE (v2.7), so I cannot test this at the moment. Is this something you could test for me in your environment?

Even just a simple test: if a user is in a particular AAD group, then they get access to VLAN x?

Thanks in advance.

Greg Gibbs
Cisco Employee

There are multiple conversations in this Community related to Azure AD, but the key point is that Azure AD is not the same as on-prem AD and does not directly support a RADIUS interface. See the following post for a similar discussion related to computer auth via AAD.

https://community.cisco.com/t5/network-access-control/machine-dot1x-authentication-to-work-with-both-on-prem-and-azure/td-p/4398922

InfraISE2020
Level 1

Hi @Greg Gibbs

Thanks for the response.

We use certificates for 802.1X authentication and use AD to look up computers in a particular group and assign them a certain VLAN.

What we were hoping to do was change the group lookup source from AD to AAD. Do you think this is possible?

Our longer-term strategy is to go AAD only; however, we would need a certificate solution for that before we could go cloud only anyway.

On a separate note, do you know if AAD can be used to log into Cisco ISE rather than on-premise AD?

Thanks

Hi @InfraISE2020,

For Admin Access using SAML, you'll have to be on v3.1. Check this in release notes, and also this configuration guide.

I would also like to know what are people doing and what is the recommended way of achieving this when customers are moving to AAD only? Any idea @Greg Gibbs?

I have a customer too wanting to migrate from hybrid to pure AAD. For authentication, we might even be fine (using some certificate deployment from Azure, or hybrid for PKI), but we are using AD group lookup for authorization. The customer is very concerned about migrating to ISE-AAD integration using ROPC, as this can cause huge issues in case of Internet link issues (outage, latency, anything else), as it is a global deployment (e.g. an Internet outage at the primary DC must not affect WiFi across the globe). Also, we already had issues due to increased latency (global deployment spread across the globe) in communication to AD, and I can imagine it can only be worse when using an Internet-based service (especially with frequent authentications like on dot1x).

One way we are thinking is keep using cert-based authentication (as everything is fast there, no dependency of Internet), and use Intune MDM functionality for compliance check (and compliance check is defined in the Intune Conditional Access policy, could be if a user is a member of a group). We like this approach, as we can cache results (concern about frequent reauthentication/authorizations is solved), and we can easily bypass it (of course, with a certain price, but we also solved concern about connectivity outage). What do you think @Greg Gibbs, would this work?

Thanks

BR,

Milos

I haven't seen any large organisations that have moved to a pure AAD environment. At this time, I'm not really convinced that the industry

@Milos_Jovanovic, I'm not experienced with Intune so I'm not sure what level/scale of differentiation you can get from compliance policies. I'm not sure it would provide the level that can be provided by AD group lookups for supporting group-based policies if the goal was to have a least-privilege 'zero trust' architecture.

@Milos_Jovanovic - We had our environment set up with Intune integration for compliance checks. The problem was that Microsoft had an issue where they marked all devices as non-compliant, resulting in devices not connecting to the corporate network; in the end we turned off the compliance checks.

@Greg Gibbs - Our strategy in the next 2 years is to go AAD only. I'm hopeful that ISE will be able to support this environment by then.
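The availability trade-off Milos describes above (cached group results, using a stale result during an outage, an explicit bypass) and the failure InfraISE2020 reports (a reachable compliance source that returned wrong data for every device) can be made concrete in a small model. The following Python is an added example written for this thread; it is not Cisco ISE, Intune or Azure AD code, and the Authorizer class, the FakeDirectory source, the group names, VLAN numbers and timing values are all constructed assumptions.

```python
"""Constructed model of a certificate-authenticated 802.1X authorization step
whose VLAN decision depends on an external (cloud) group lookup.

This is an illustration added to the discussion, not Cisco ISE code and not
any Microsoft API. Source behaviour, cache policy and VLAN numbers are invented.
"""
import time
from dataclasses import dataclass, field


class LookupUnavailable(Exception):
    """Raised when the external source cannot be reached (outage, timeout)."""


@dataclass
class CachedGroups:
    groups: frozenset
    fetched_at: float


@dataclass
class Authorizer:
    lookup: callable                  # device_id -> iterable of group names
    ttl: float = 300.0                # seconds a cached result is considered fresh
    stale_grace: float = 3600.0       # seconds a stale entry may still be used during an outage
    bypass_on_outage: bool = False    # serve fallback_vlan when nothing is cached
    fallback_vlan: int = 999          # constructed "restricted" VLAN used only in bypass
    clock: callable = time.time
    cache: dict = field(default_factory=dict)
    # group -> VLAN, first match wins (constructed policy)
    policy: tuple = (("Finance-Workstations", 20), ("Eng-Workstations", 30))
    default_vlan: int = 10

    def groups_for(self, device_id):
        """Return (groups, source) where source records how the answer was obtained."""
        now = self.clock()
        entry = self.cache.get(device_id)
        if entry and now - entry.fetched_at < self.ttl:
            return entry.groups, "cache"
        try:
            groups = frozenset(self.lookup(device_id))
        except LookupUnavailable:
            if entry and now - entry.fetched_at < self.stale_grace:
                return entry.groups, "stale"        # outage: reuse last known answer
            if self.bypass_on_outage:
                return None, "bypass"               # outage, nothing cached: degrade
            raise                                   # fail closed
        self.cache[device_id] = CachedGroups(groups, now)
        return groups, "live"

    def authorize(self, device_id):
        """Return (vlan, source); raises LookupUnavailable when fail-closed with no cache."""
        groups, source = self.groups_for(device_id)
        if groups is None:
            return self.fallback_vlan, source
        for group, vlan in self.policy:
            if group in groups:
                return vlan, source
        return self.default_vlan, source


class FakeDirectory:
    """Constructed stand-in for the cloud group source. It can be toggled offline,
    or made 'faulty' (answers, but puts every device in no group), mirroring the
    incident in the thread where every device was reported as non-compliant."""

    def __init__(self):
        self.members = {"PC-FIN-01": {"Finance-Workstations"},
                        "PC-ENG-07": {"Eng-Workstations"}}
        self.offline = False
        self.faulty = False

    def __call__(self, device_id):
        if self.offline:
            raise LookupUnavailable(device_id)
        if self.faulty:
            return set()
        return self.members.get(device_id, set())


def run_scenarios():
    """Walk through fresh, cached, stale, fail-closed, bypass and faulty-source cases."""
    t = [1000.0]                                   # fake clock, seconds
    directory = FakeDirectory()
    auth = Authorizer(lookup=directory, clock=lambda: t[0])
    out = {}
    out["live"] = auth.authorize("PC-FIN-01")      # (20, "live")
    out["cached"] = auth.authorize("PC-FIN-01")    # (20, "cache")
    directory.offline = True
    t[0] += 600                                    # past ttl, inside stale_grace
    out["stale"] = auth.authorize("PC-FIN-01")     # (20, "stale")
    try:
        auth.authorize("PC-ENG-07")                # never cached: fail closed
        out["uncached_outage"] = "allowed"
    except LookupUnavailable:
        out["uncached_outage"] = "denied"
    auth.bypass_on_outage = True
    out["bypass"] = auth.authorize("PC-ENG-07")    # (999, "bypass")
    directory.offline = False
    directory.faulty = True
    t[0] += 4000                                   # stale_grace expired: fresh lookup
    out["faulty"] = auth.authorize("PC-FIN-01")    # (10, "live"): wrong answer, trusted
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} {result}")
```

The last scenario is the point InfraISE2020 and Milos make: caching and bypass only help when the source is unreachable. When the source answers but the answer is wrong, the authorizer has no local way to tell, and the bad decision is applied until the data is fixed at its origin.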

Thanks @Greg Gibbs.

I realized it is really hard to find experts to talk about this subject, as whole thing is very new, and no one has field experience. Even in fields of theory, no one is sure how this should work, and what are caveats when moving to production. I would really like to see some

@InfraISE2020 This happens when you shift everything to someone else, where you don't have control. From the ISE side, everything is fine, as it still relies on external info. Unfortunately, when the received info is faulty, then you can't do much apart from fixing it where it originates, and that is not an easy task most often.

BR,

Milos