EAP Chaining Both Authz Rule Not Matching

MSJ1
Level 1

Hello Greg, 

@Greg Gibbs 

This looks interesting to me. For the AuthZ rules, it never matches the 1st rule. After the device boots and before the user logs in, I see at ISE that the EAP Chaining result is User Failed but Machine Succeeded, and it matches the 2nd AuthZ rule. Then, when the user logs in, I see User Succeeded and Machine Succeeded, and it matches the same AuthZ rule.

I should see 2 AuthZ matches. Can you advise what I am missing?

(screenshot: MSJ1_0-1764616804016.png)

AuthZ Policy

(screenshot: MSJ1_1-1764616857805.png)

7 Replies

Greg Gibbs
Cisco Employee

The policy looks pretty basic, so something is not matching in the top rule. 

I would assume it's the user group match, but you can confirm that by removing that matching condition.

At that point, you would need to look at the detailed Live Logs to confirm that the User credential is being sent in UPN format, that ISE is using that credential for identity, and that the membership group ID matches what you see in Entra ID.

If all of the above is true, then you might need to open a TAC case to investigate further why the condition is not matching.

From the REST ID Entra ID Integration, I removed the User Attribute onPremisesUserPrincipalName and added UserPrincipalName. Now in the failed log I see the UPN field, but it is still not working.

There is nowhere near enough detail here to provide any meaningful assistance, nor is there any indication that the prior suggestions have been followed. See How to Ask the Community for Help.

Call TAC to investigate

@Greg Gibbs after removing the Entra AD Group, it matches the User Succeeded and Machine Succeeded policy when the user logs in. Interestingly, if I call an old AD Group where the same user is, it matches the User Succeeded and Machine Succeeded policy.

For some reason ISE is not able to lookup the user when a newly created Entra Group is called as part of user Authz rule.

Both working and non working Entra group I can add from REST ID Section >> User group and User Attribute is UPN.

In the debug log it shows that it is not able to fetch the non-working group.

My understanding is that it matches this bug - https://bst.cisco.com/quickview/bug/CSCwd34467 , however here the ISE version is 3.5.

"For some reason ISE is not able to lookup the user when a newly created Entra Group is called as part of user Authz rule."

This sounds more like some sort of role/permission issue on the group or something else on the Entra side. I use Entra only groups (as opposed to hybrid AD groups) all the time and have never seen this behaviour.

I would suggest confirming that these are Security Groups (not Microsoft 365 Groups), confirm if there is any difference in the assignment type (direct, dynamic, etc), and review the relevant logs on the Entra ID side.

You could try opening a TAC case, but considering you've already looked at the ISE debug logs, they may suggest you open a case with Microsoft to check the Entra side anyway.

MSJ1
Level 1

@Greg Gibbs 

When I disable rule 2 from the screenshot, as I said, it does not match rule 1 and it matches the deny AuthZ. In that log I see

onPremisesUserPrincipalName is BLANK

(screenshot: MSJ1_0-1764628362695.png)

But on same Auth Fail log I see "User Succeeded and Machine Succeeded"

In CAP, for the field "Use Identity From", I am using Certificate Attribute - Subject Common Name. From the common name it should be able to read the UPN.

Any more clues, please?

Hi,

Your authorization policies' matching criteria don't look right. Follow this document and, if you still don't have it working afterwards, paste print-screens of the ISE Authentication Details for both the machine and user/machine steps.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Thanks,

Cristian.