1212 Views · 8 Helpful · 4 Replies

Cisco ISE ROPC with Azure - EAP-TLS

Agung1007
Level 1

Hi Team,

Greetings.

I have a question regarding Cisco ISE integration with Azure using ROPC - EAP-TLS for Wi-Fi user authentication.

We are doing a PoC with our customer to implement 802.1X/EAP-TLS with Azure (by using ROPC), based on this documentation:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

From what I understand in the document, ISE will become an "intermediary" to match the client certificate on the client device with the one on Azure:

[image]

[image]

The questions are:

- Who generates the certificate for the user (like the one above)? Is it Azure?

- If it is Azure, what service on Azure do we need to use/enable?

- In the documentation, it also mentions:

[image]

What root CA & intermediate CAs do we need to upload to ISE? Are they from Azure?

- Does ISE keep/save the certificate of the user generated by Azure? If it does, where does ISE keep it?

Thanks!

3 Accepted Solutions

Your own internal PKI generates the certificates. How you get the identity certificates to the machine is up to you. Most customers I work with use ADCS and Intune for this.


thomas
Cisco Employee

The OAuth-ROPC method is only used for username+password-based authentication over EAP-TTLS+PAP.

EAP-TLS user certificate-based authentication is authenticated by ISE based on any certificate authentication profile, and then an Azure AD group lookup is done separately for the User Principal Name (UPN) in the certificate. See Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory.

[Image: 802.1X with EAP-TLS or TEAP to Azure AD]

[Image: 802.1X with EAP-TLS or TEAP to Azure AD - certificate]

Consider watching our ISE Webinar that covers this topic and more:

▷ ISE Integration with Intune MDM 2022/08/02

28:25 EAP-TLS Authentication to AD (computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2

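As an added example (not from this thread or from Cisco's documentation), the Go code below shows concretely what "the UPN in the certificate" is: it parses the raw subjectAltName extension value that crypto/x509 exposes as cert.Extensions[i].Value and returns the Microsoft UPN otherName that ISE uses for the Entra ID group lookup, ignoring other name types such as an rfc822Name. The certificate-chain check against the root and intermediate CAs uploaded to ISE happens before this step and is not shown; the SAN bytes here are constructed by BuildSAN for the example, and the names, OIDs and functions are this example's own.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Microsoft UPN otherName OID (1.3.6.1.4.1.311.20.2.3): the SAN entry ISE reads once EAP-TLS has succeeded.
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// otherName is the GeneralName choice [0] { type-id OID, value [0] EXPLICIT UTF8String } that carries the UPN.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue `asn1:"tag:0,explicit"`
}

// UPNFromSAN takes the raw subjectAltName extension value (OID 2.5.29.17, e.g. cert.Extensions[i].Value from
// crypto/x509) and returns its UPN otherName. dNSName, rfc822Name, ... fail the [0] otherName parse and are skipped.
func UPNFromSAN(san []byte) (string, error) {
	var names []asn1.RawValue
	if _, err := asn1.Unmarshal(san, &names); err != nil {
		return "", err
	}
	for _, gn := range names {
		var on otherName
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidUPN) {
			continue
		}
		var upn string
		_, err := asn1.Unmarshal(on.Value.Bytes, &upn) // Value.Bytes is the UTF8String inside the explicit [0]
		return upn, err
	}
	return "", errors.New("no UPN otherName in subjectAltName")
}

// BuildSAN encodes a SAN with an rfc822Name plus a UPN otherName, the shape of a typical user certificate.
// This is constructed test input for the example; a real certificate's SAN is set by the issuing CA.
func BuildSAN(email, upn string) []byte {
	mail, _ := asn1.MarshalWithParams(email, "tag:1,ia5") // rfc822Name [1] IMPLICIT IA5String
	utf8, _ := asn1.MarshalWithParams(upn, "utf8")
	val := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8}
	on, _ := asn1.MarshalWithParams(otherName{TypeID: oidUPN, Value: val}, "tag:0") // otherName [0] IMPLICIT
	san, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: mail}, {FullBytes: on}})
	return san
}

func main() {
	fmt.Println(UPNFromSAN(BuildSAN("alice.smith@corp.example", "alice@corp.example")))
}
```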

Azure does not currently have a native cloud-based PKI solution. The certificates would need to be enrolled for the users by Intune integrated with either your on-prem Active Directory Certificate Services (ADCS) or another solution like SCEPman.

You might also review this blog discussing the available options and supported flows with ISE and Entra ID:
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune


4 Replies


The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

==> Yes, we already tried the following method for EAP-TTLS (which only uses username+password).
For Windows machines (10, 11) & Android, we're able to use the method,
but unfortunately when we try on Apple devices (MacBook & iPhone), we can't use EAP-TTLS (there is no option on Apple for the user to choose EAP-TTLS).

We are trying to explore another way to implement 802.1X with Azure that all devices support,

and now we are trying EAP-TLS.

I'll try to check first from the video you've shared.

Thanks!
