cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
397
Views
7
Helpful
4
Replies

Cisco ISE ROPC with Azure - EAP-TLS

Agung1007
Beginner
Beginner

Hi Team,

Greetings.

I have a question regarding Cisco ISE Integration with Azure Using ROPC - EAP TLS for WiFi User Authentication.

We are doing PoC with Our customer to Implement 802.1x/EAP-TLS with Azure (by using ROPC), based on documentation :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

from what i understand in the document, that ISE will become "intermediary" to match between Client certificate in client device and on the Azure:

Agung1007_0-1701327150475.png

 

Agung1007_1-1701328398336.png

 


The question is :

- who's generate the certificate for the User (like one above) ? is it Azure?

- If it Azure, what Service on Azure that we need to used/enable?

- In the documentation, it also mention:

Agung1007_3-1701328539455.png

what root CA & Intermediate CAs we need to upload to ISE? is it from Azure ?

- Do ISE keep/saved Certificate of the user generated by Azure? if it is, where ISE keep it ?

Thanks!

3 Accepted Solutions

Accepted Solutions

Your own internal PKI generate the certificates.  How you get the identity certificates to the machine is up to you.  Most customers I work with use ADCA and InTune for this.

View solution in original post

thomas
Cisco Employee
Cisco Employee

The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

EAP-TLS user certificate-based authentication is authenticated by ISE based on any certificate authentication profile then an Azure AD group lookup is done separately for the User Principle Name (UPN) in the certificate. See Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory

802.1X with EAP-TLS or TEAP to Azure AD.png

 

802.1X with EAP-TLS or TEAP to Azure AD - certificate.png

 

 

Consider watching our ISE Webinar that covers this topic and more:

▷ ISE Integration with Intune MDM 2022/08/02

28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2

View solution in original post

Azure does not currently have a native cloud-based PKI solution. The certificates would need to be enrolled for the users by Intune integrated with either your on-prem Active Directory Certificate Services (ADCS) or another solution like SCEPman.

You might also review this blog discussion the available options and supported flows with ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

View solution in original post

4 Replies 4

Your own internal PKI generate the certificates.  How you get the identity certificates to the machine is up to you.  Most customers I work with use ADCA and InTune for this.

thomas
Cisco Employee
Cisco Employee

The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

EAP-TLS user certificate-based authentication is authenticated by ISE based on any certificate authentication profile then an Azure AD group lookup is done separately for the User Principle Name (UPN) in the certificate. See Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory

802.1X with EAP-TLS or TEAP to Azure AD.png

 

802.1X with EAP-TLS or TEAP to Azure AD - certificate.png

 

 

Consider watching our ISE Webinar that covers this topic and more:

▷ ISE Integration with Intune MDM 2022/08/02

28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2

The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

==> Yes, we already try following method for EAP-TTLS (which is only using username+password).
for Windows Machine (10,11) & Android, we're able to use the method,
but unfortunately when we try on Apple Device (Macbook & iPhone), we cant use it EAP-TTLS (no option on Apple, for user to choose EAP-TTLS)

We try to explore another Way how to implement 802.1x with Azure that all device supported.

and now we try using EAP-TLS,

I'll try to check first from the video you've shared.

Thanks!

Azure does not currently have a native cloud-based PKI solution. The certificates would need to be enrolled for the users by Intune integrated with either your on-prem Active Directory Certificate Services (ADCS) or another solution like SCEPman.

You might also review this blog discussion the available options and supported flows with ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: