ExternalGroups in REST ID (Azure AD) in Authorization Policy

fabioairoldi
Level 1

Hello team,

In ISE 3.2 (standalone node) I have set up REST ID with Azure, following everything I found in these two documents:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

All steps seem to work fine, and the "test connection" from the REST ID config page works fine.

Once I use the ExternalGroups as external identity source in an Authorization Policy, however, I can see in the live logs the query for ExternalGroups

15048 Queried PIP - XXXXXX_Azure_AD.ExternalGroups

yet it still can't match user to group.

Is there something specific that I may be missing? The REST ID setup guide refers to 3.0; is there anything different in 3.2? I have REST rather than REST (ROPC) in the External Identity Sources setup page, but the contents are similar... I seem to be missing the 4.e configuration in ISE, "Username Suffix". I don't know if there's anything different in this version.

Can anyone please help in this regard? Thanks

Fabio

1 Accepted Solution
Greg Gibbs
Cisco Employee

If you're using EAP-TLS and User Authorization against Entra ID, the documents you shared should have everything you need.

For the EAP-TLS with REST ID, you do not need to enable ROPC on the App Registration. ROPC only applies to the EAP-TTLS(PAP) or RAVPN use cases.

The Username Suffix is appended to the username by ISE before sending that to the Graph API for lookup when using the ROPC flow.

When using the EAP-TLS flow with ISE 3.2+ the full UPN must be provided in the certificate (CN or SAN) and used by ISE for identity (as defined in the Certificate Authentication Profile). ISE can only perform the lookup against the Graph API using the UPN.
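The certificate requirement in the accepted answer, as an added example that is not part of the original post or any Cisco code: it builds a constructed self-signed client certificate carrying a UPN in the SAN otherName (Microsoft's UPN OID 1.3.6.1.4.1.311.20.2.3), extracts the identity the way a Certificate Authentication Profile set to SAN otherName with a Subject CN fallback would, and checks that the result is a full UPN that ISE could send to the Graph API rather than a bare username. Function names and the sample subject are assumptions; it requires the `cryptography` package.

```python
"""Check that an EAP-TLS client certificate carries a full UPN usable for the
ISE -> Entra ID (Graph API) lookup. Added example, not Cisco's code."""
import datetime
from typing import Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Microsoft's otherName OID for a User Principal Name inside the SAN extension.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _der_utf8(s: str) -> bytes:
    # Minimal DER UTF8String (tag 0x0C); short-form length suffices for a UPN.
    raw = s.encode("utf-8")
    assert len(raw) < 128
    return b"\x0c" + bytes([len(raw)]) + raw


def make_client_cert(cn: str, upn: Optional[str]) -> x509.Certificate:
    """Constructed self-signed client cert; 'upn' goes into the SAN as otherName."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if upn:
        b = b.add_extension(x509.SubjectAlternativeName(
            [x509.OtherName(UPN_OID, _der_utf8(upn))]), critical=False)
    return b.sign(key, hashes.SHA256())


def extract_upn(cert: x509.Certificate) -> Optional[str]:
    """Identity a CAP would pick: SAN otherName UPN first, then the subject CN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
                return other.value[2:2 + other.value[1]].decode("utf-8")
    except x509.ExtensionNotFound:
        pass
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return cn[0].value if cn else None


def is_full_upn(identity: Optional[str]) -> bool:
    """Graph lookup needs user@domain; a bare sAMAccountName-style CN will not match."""
    return bool(identity) and identity.count("@") == 1 and "." in identity.split("@")[1]
```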

2 Replies

That's actually it! I was checking against an attribute other than UPN, by changing the certificate structure and checking against UPN it now works, thanks!