07-24-2020 10:07 PM
Hi,
I would like to know if ISE 2.7 now support integration with MS Azure AD, and to which extent (which options are currently supported and working; which options are still missing ) ?
Can you please provide some technical reference / walkthrough to test integration between the 2 ?
If not, are there any plan to have this implemented in the near future?
Basically I have the following scenario;
Company-owned Laptops are managed via MS-Intune and joined to Azure AD.
The company on-premises AD is not 1:1 synched with the Azure AD (meaning, those Computers are not listed under the on-premise Company AD and If I were to query the Internal AD I do not get any match).
Our current ISE Setup is using the Company Internal AD as External Identity Source for User and Endpoint Lookup.
VLAN assignment (Authorization Profile) is based on LDAP Group membership.
The Laptops connect to the Infrastructure (and gets authorized by ISE) by means of Anyconnect VPN as well as SSID 802.1X - in both case using i.e. certificate based / machine based authentication.
The above described scenario is working flawlessly with the On-prem AD.
Would it be possible to replicate the same scenario using MS Azure AD as external Identity Source ?
Thanks,
07-24-2020 10:46 PM
https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/td-p/3729550
https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/m-p/3949964
M.
07-24-2020 11:18 PM
Hi, thanks for the Links. I actually already found them in the ISE forum and went through them.
My purpose was to know if there has been in the meantime any progress internally within the ISE Development and Product Team on this topic.
Is the info that you posted the most recent at this time ? Can you please provide a feedback ?
Thanks,
Best Regards,
07-26-2020 04:26 PM
There are currently no additional capabilities around ISE & Azure AD integration than those provided in the referenced links. Azure AD does not support LDAP so ISE only directly integrates with AAD via SAML. There is no currently available industry mechanism for authenticating 802.1x against a SAML IdP, so ISE can only authenticate portal-based flows against AAD.
Future solution development and roadmap are not discussed on this public forum.
07-26-2020 11:29 PM
Hi - thanks for the feedback.
Concerning your statement: "Azure AD does not support LDAP so ISE only directly integrates with AAD via SAML."
I believe this is not 100% correct - I quickly googled the topic and actually both LDAP and LDAPS (on a virtual network as well as over Public Internet access) are available under AADS (Azure AD Domain Services).
Many Blogs and Internet resources cover this support.
I believe It would then be possible to authenticate 802.1X in ISE against Azure AD DS LDAP Groups - right ?
Thanks
07-26-2020 11:56 PM
If there is a way to directly expose an LDAP or LDAPS interface from AAD that ISE can communicate with, it might be possible to authenticate an endpoint via EAP-TLS against that external LDAP ID store (PEAP-MSCHAPv2 endpoints cannot be authenticated against LDAP). I have not see this example documented anywhere, so I suspect it's not as easy as it sounds.
The only option I have seen proposed would be to use an NPS server as a mediator between ISE and AAD. ISE would proxy the RADIUS request to NPS and NPS would translate and forward the request to AAD.
I'm not aware that either of the above options have been tested/validated by Cisco, however, so you should test them carefully before looking to implement either.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide