Cisco ISE ROPC with Azure - EAP-TLS

Agung1007
Level 1

Hi Team,

Greetings.

I have a question regarding Cisco ISE integration with Azure using ROPC - EAP-TLS for WiFi user authentication.

We are doing a PoC with our customer to implement 802.1X/EAP-TLS with Azure (using ROPC), based on this documentation:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

From what I understand in the document, ISE becomes an "intermediary" that matches the client certificate on the client device against the one in Azure:

[screenshots from the Cisco document]

The questions are:

- Who generates the certificate for the user (like the one above)? Is it Azure?

- If it is Azure, what service on Azure do we need to use/enable?

- The documentation also mentions:

[screenshot from the Cisco document]

What root CA & intermediate CAs do we need to upload to ISE? Are they from Azure?

- Does ISE keep/save the certificate of the user generated by Azure? If so, where does ISE keep it?

Thanks!


6 Replies

Your own internal PKI generates the certificates. How you get the identity certificates to the machine is up to you. Most customers I work with use ADCS and Intune for this.

Hi @ahollifield @Greg Gibbs @thomas,

Agreed that an internal PKI can generate the cert. Who generates the CSR for the PKI to create the cert?

And also, can you share the certificate parameters (client auth, server auth, EKU, key encipherment, etc.) that need to be used during CSR creation for user or device certs?

The CSR generation is all part of the SCEP flow. This is typically done using an MDM or some other SCEP proxy solution.

The options for identity lookup (user=UPN, device=DeviceName or DeviceID) are all discussed in my blog previously shared (https://cs.co/ise-entraid). You would need to look at how you craft the certificates to suit your specific environment.

Only client auth is typically required for client-side certificates. You can see one in my example using Intune and MS Cloud PKI.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-cloud-pki/ta-p/5198483


thomas
Cisco Employee

The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

EAP-TLS user certificate-based authentication is authenticated by ISE based on any certificate authentication profile; then an Azure AD group lookup is done separately for the User Principal Name (UPN) in the certificate. See Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory

[diagram: 802.1X with EAP-TLS or TEAP to Azure AD]

[diagram: 802.1X with EAP-TLS or TEAP to Azure AD - certificate]

Consider watching our ISE Webinar that covers this topic and more:

▷ ISE Integration with Intune MDM 2022/08/02

28:25 EAP-TLS Authentication to AD (computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
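The flow thomas describes above (ISE authenticates the EAP-TLS certificate with a certificate authentication profile, then looks the UPN from the certificate up in Azure AD / Entra ID for group membership) and the certificate fields Greg Gibbs's earlier reply mentions (identity from the SAN: UPN for users, DeviceName for devices; clientAuth as the only EKU a client cert normally needs) can be modelled end to end in a few dozen lines. The block below is an added example, not code from this thread, from Cisco or from Microsoft. It encodes and decodes the two X.509 extensions involved as raw DER (the SAN with the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3, and the EKU), applies an ISE-style "first attribute present wins" identity selection, and resolves groups from an in-memory dictionary that stands in for the Microsoft Graph query. The user names, group names, directory contents and the profile order are constructed assumptions; chain validation against the root and intermediate CAs uploaded to ISE is assumed to have already succeeded and is not modelled here.

```python
"""Toy model of the ISE EAP-TLS -> Entra ID flow discussed in this thread (added example,
not code from the thread, Cisco or Microsoft): encode/decode the SAN (Microsoft UPN
otherName) and EKU (clientAuth) extensions, apply an ISE-style certificate authentication
profile, and resolve groups from a constructed stand-in for the Entra ID lookup."""

OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"     # SAN otherName type-id that carries a UPN
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"     # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"     # id-kp-serverAuth (wrong EKU for a client cert)


def tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def iter_tlv(body):
    """Yield (tag, value) for each TLV in a DER byte string."""
    pos = 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                          # long-form length
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        yield tag, body[pos:pos + ln]
        pos += ln


def encode_san(upn=None, email=None, dns=None):
    """SubjectAltName: otherName[0]{msUPN, [0] UTF8String}, rfc822Name[1], dNSName[2]."""
    names = b""
    if upn:
        names += tlv(0xA0, encode_oid(OID_MS_UPN) + tlv(0xA0, tlv(0x0C, upn.encode())))
    if email:
        names += tlv(0x81, email.encode("ascii"))
    if dns:
        names += tlv(0x82, dns.encode("ascii"))
    return tlv(0x30, names)


def decode_san(der):
    out = {}
    for tag, val in iter_tlv(next(iter_tlv(der))[1]):
        if tag == 0xA0:                        # otherName; only the UPN type is understood
            type_id, value = list(iter_tlv(val))[:2]
            if decode_oid(type_id[1]) == OID_MS_UPN:
                out["upn"] = next(iter_tlv(value[1]))[1].decode()
        elif tag == 0x81:
            out["email"] = val.decode("ascii")
        elif tag == 0x82:
            out["dns"] = val.decode("ascii")
    return out


def encode_eku(*oids):
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))


def decode_eku(der):
    return [decode_oid(v) for t, v in iter_tlv(next(iter_tlv(der))[1]) if t == 0x06]


# Constructed stand-in for Entra ID (real ISE queries Microsoft Graph); keys are
# lower-cased because UPN matching is case-insensitive.
ENTRA_GROUPS = {
    "alice@corp.example": ["Corp-WiFi-Users", "Finance"],
    "bob@corp.example": ["Guests"],
    "pc1.corp.example": ["Corp-Devices"],
}


def identity_from_cert(san, subject_cn, profile=("san_upn", "san_email", "san_dns", "cn")):
    """Certificate authentication profile: first listed attribute present in the cert wins."""
    attrs = {"san_upn": san.get("upn"), "san_email": san.get("email"),
             "san_dns": san.get("dns"), "cn": subject_cn}
    return next((attrs[a] for a in profile if attrs.get(a)), None)


def authorize(san_der, eku_der, subject_cn, required_group, directory=ENTRA_GROUPS):
    """One EAP-TLS session, after chain validation: returns (decision, reason)."""
    if OID_CLIENT_AUTH not in decode_eku(eku_der):
        return "REJECT", "certificate lacks clientAuth EKU"
    identity = identity_from_cert(decode_san(san_der), subject_cn)
    if identity is None:
        return "REJECT", "no usable identity attribute in certificate"
    groups = directory.get(identity.lower())
    if groups is None:
        return "REJECT", f"{identity} not found in Entra ID"
    if required_group not in groups:
        return "REJECT", f"{identity} is not a member of {required_group}"
    return "ACCEPT", f"{identity} is a member of {required_group}"
```

Calling `authorize(encode_san(upn="Alice@corp.example"), encode_eku(OID_CLIENT_AUTH), "Alice", "Corp-WiFi-Users")` returns ACCEPT, while the same certificate with only a serverAuth EKU, or a UPN that Entra ID does not know, is rejected before any group check. The `profile` tuple is the part you tune to your environment: a device certificate issued with the device name in a dNSName and no UPN falls through to `san_dns`, which is the "device=DeviceName" case from the replies above; a certificate with no usable SAN falls back to the subject CN, which is rarely what you want against a cloud directory.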

The OAuth-ROPC method is only used for username+password based authentication over EAP-TTLS+PAP.

==> Yes, we already tried the following method for EAP-TTLS (which only uses username+password).
For Windows machines (10, 11) & Android, we are able to use the method,
but unfortunately when we try on Apple devices (MacBook & iPhone), we can't use EAP-TTLS (there is no option on Apple for the user to choose EAP-TTLS).

We are trying to explore another way to implement 802.1X with Azure that all devices support,

and now we are trying EAP-TLS.

I'll check the video you shared first.

Thanks!

Azure does not currently have a native cloud-based PKI solution. The certificates would need to be enrolled for the users by Intune integrated with either your on-prem Active Directory Certificate Services (ADCS) or another solution like SCEPman.

You might also review this blog discussing the available options and supported flows with ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune