Failed to send Certificate Auth request to rest ID store: Azure_EntraI

mzarli
Level 1

I am currently working on device-based authentication and authorization against Microsoft Entra ID–joined devices using Cisco ISE 3.4 Patch 4.

I followed the official Cisco documentation to configure the REST ID Store integration with Entra ID (including app registration, permissions, and policy configuration). Authentication using EAP-TLS succeeds, however device-based authorization using Entra ID device groups does not work.

The authentication and authorization policies are built as described in the documentation

On the Policy Services Node (PSN), I consistently see the following error during authorization:

cisco.cpm.restidstore.auth.RestAuthenticator - Failed to send Certificate Auth request to REST ID store: Azure_EntraID_ProDevice for user: DE-N81298.netz.tuev-nord.de

There are no corresponding errors in the RADIUS live logs, which makes troubleshooting difficult.

Any guidance or troubleshooting suggestions would be appreciated.

@Greg Gibbs 


Greg Gibbs
Cisco Employee

This is likely indicating that the parser does not find the expected identity or pattern in the certificate to trigger the Graph API lookup for the device.

To troubleshoot, we would need much more detailed information:

  • What are the exact Device Query settings you have configured?
  • What regex string are you using to match the desired identity?
  • What are the exact values you have in the Device certificate (CN, SAN)?
  • What are the settings you have defined for the Certificate Authentication Profile?

You can see an example of this use case in my blog here to compare against your environment:
https://cs.co/ise-entraid#DeviceQuery

If you cannot share this information on this forum or this issue is urgent, please open a TAC case to investigate.

mzarli
Level 1

Thank you for your reply.

  • What are the exact Device Query settings you have configured?

Entra Device Name

  • What regex string are you using to match the desired identity?

I am using the predefined regex for SAN-DNS: ^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$

In the value field, I configured:

netz.tuev-nord.de

The certificate contains the following SAN-DNS name:

DeviceName.netz.tuev-nord.de

  • What are the exact values you have in the Device certificate (CN, SAN)?

The certificate contains the following SAN-DNS name:

DeviceName.netz.tuev-nord.de

  • What are the settings you have defined for the Certificate Authentication Profile?

Certificate Attribute SAN - DNS


If the certificate value in the SAN field is "DNS Name=DeviceName.netz.tuev-nord.de", then your regex does not match that value.

You would need to use a regex like the one in my blog post that has been linked in both responses:

^DNS Name=([a-zA-Z0-9-]+).netz.tuev-nord.de

You need to use the validation to test the exact match of what is in the certificate field for one of your certificates with the regex string you are configuring.
If you update the regex, successfully test the validation with the real value in your certificate, but it is still not working, you'll need to open a TAC case to investigate. Keep in mind this is a very new and complex feature (code-wise), so there could still be some bugs in the parsing that need to be ironed out. I tested a number of permutations myself, but I couldn't cover everything.


Thank you for the detailed explanation and for sharing your blog post — it was very helpful.

I understand your point about matching the exact value present in the certificate, including the full DNS Name= string, and using a regex such as:

^DNS Name=([a-zA-Z0-9-]+).netz.tuev-nord.de

After updating the regex accordingly, I can confirm that the validation succeeds and the previous errors are gone. So from a matching perspective, the regex itself is now working as expected.

However, in my case the remaining challenge is that the device name in Entra ID is stored without the FQDN (for example, DeviceName), while the certificate SAN contains the full FQDN (DeviceName.netz.tuev-nord.de). Even though the regex matches successfully, ISE still forwards the full FQDN to Entra ID, which results in no device match on the Entra side.

From my testing, it appears that the current Azure / Entra Device Query implementation in ISE uses regex only for validation/matching, and does not support extracting or using a capture group (such as just the hostname) as the device identity.

Do you know if using capture groups to retrieve only the device name is something that is planned or being considered for a future ISE release? This would be very helpful in environments where certificate identities and Entra device naming conventions don’t fully align.

Thanks again for your time and for the insights you’ve already shared.
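Added example (not part of the thread, and not Cisco's or ISE's own code): it reproduces the two matching problems discussed above in plain Python. The first regex is the predefined SAN-DNS pattern and fails once the field is presented with the "DNS Name=" prefix; the second is the recommended prefixed pattern, whose capture group yields the short host name so that it can be compared with an Entra device name that lacks the FQDN. The sample SAN value and the Entra display name are constructed, not taken from a real certificate.

```python
import re
from typing import Optional

# Constructed sample input, modelled on the format the thread says ISE presents
# for the SAN field: "DNS Name=<host>.netz.tuev-nord.de".
SAN_AS_PRESENTED = "DNS Name=DeviceName.netz.tuev-nord.de"
SAN_BARE_FQDN = "DeviceName.netz.tuev-nord.de"
ENTRA_DEVICE_NAME = "DeviceName"  # constructed; Entra stores the name without FQDN

# Predefined SAN-DNS regex from the thread: a bare FQDN, anchored at both ends.
# Neither the space nor '=' is in the character class, so any "DNS Name=" prefix
# makes the match fail.
PREDEFINED_SAN_DNS = re.compile(r"^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$")

# Recommended regex from the thread, exactly as posted: expects the prefix and
# captures the short host name in group 1. The dots in the domain suffix are
# unescaped as posted; writing them as "\." would match more strictly.
PREFIXED_WITH_CAPTURE = re.compile(r"^DNS Name=([a-zA-Z0-9-]+).netz.tuev-nord.de")


def validates(value: str, pattern: re.Pattern) -> bool:
    """The validation step: does the regex match the field exactly as presented?"""
    return pattern.match(value) is not None


def extract_hostname(value: str) -> Optional[str]:
    """Return the short host name from group 1 of the prefixed regex, or None."""
    m = PREFIXED_WITH_CAPTURE.match(value)
    return m.group(1) if m else None


def entra_name_matches(value: str, entra_name: str, use_capture_group: bool) -> bool:
    """Compare the identity ISE would derive from the SAN against the Entra device
    name. Without capture-group extraction the full field is compared and fails;
    with it, only the captured host name is compared (case-insensitively)."""
    if use_capture_group:
        host = extract_hostname(value)
        return host is not None and host.lower() == entra_name.lower()
    return value.lower() == entra_name.lower()


if __name__ == "__main__":
    for pat in (PREDEFINED_SAN_DNS, PREFIXED_WITH_CAPTURE):
        print(pat.pattern, "->", validates(SAN_AS_PRESENTED, pat))
    print("hostname:", extract_hostname(SAN_AS_PRESENTED))
    print("full-field compare:", entra_name_matches(SAN_AS_PRESENTED, ENTRA_DEVICE_NAME, False))
    print("capture-group compare:", entra_name_matches(SAN_AS_PRESENTED, ENTRA_DEVICE_NAME, True))
```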

Cristian Matei
VIP Alumni

Hi,

There could be several reasons. First, can you closely follow this implementation guide, as well as the troubleshooting area, and paste the associated logs from the performed investigation?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

Additionally, ensure you meet the requirements specified in this document for your ISE version and patch level; look for "Authentication/Authorization of an Entra Joined Device using EAP-TLS (ISE 3.4p4 or 3.5 and later)":

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635/show-comments/true#toc-hId-76840754

Afterwards, we'll have more relevant data to look into.

Thanks,

Cristian.