05-31-2022 04:23 PM
Hi All,
Does anyone have any experience with ISE and Azure AD that can give me some pointers?
I am currently designing an ISE deployment for a customer that uses only Azure AD. They want to authenticate and authorise corporate Windows devices against Azure, which I don't think will work, as Azure AD does not store computer accounts like AD. In addition, the ISE 3.1 integration with Azure uses ROPC, which currently only supports EAP-TTLS with PAP as the inner method, which is insecure compared to EAP-TLS. EAP-TTLS uses the Azure AD username/password, so again there is no possibility of authenticating the computer itself.
What is required to support EAP-TLS computer authentication in this scenario? Will the customer need to enable Azure AD Active Directory Services to support traditional Windows domain join functionality in ISE?
As an alternative to integrating ISE with Azure AD altogether, I think that it will be possible to use mutual EAP-TLS authentication between ISE and the computer without any type of lookup in AD, which means no authorisation.
How have others approached this?
Thanks all
05-31-2022 04:57 PM - edited 05-31-2022 04:59 PM
Azure AD != AD
Yes, for 3.1 the customer will need to deploy an on-premise AD environment that can then be linked to Azure AD.
Your second statement is also correct, if you do not need to do any AD lookups, then you can always just perform EAP-TLS with no AD verification/lookup.
I would also suggest you/your customer attend the "What's new in ISE 3.2" webinars. You may be pleasantly surprised with what is coming.
https://learningnetwork.cisco.com/s/cisco-ise-training-videos
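The answer above says EAP-TLS can run with no AD verification or lookup. What that leaves for authorization is the certificate itself: once the chain validates against the trusted device CA, policy can be keyed on certificate attributes (issuer, SAN, subject) instead of a directory query. The following Go program is an added illustration of that idea, not ISE code and not anything from the thread: it generates a constructed corporate device CA and a rogue CA in memory, issues three client certificates, and runs a hypothetical `Authorize` policy that permits only chain-valid certificates whose SAN carries the constructed `.corp.example` suffix. The CA names, device names and the `CorpDevice` profile name are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Decision is a hypothetical authorization result derived from certificate
// fields alone; no directory (AD / Azure AD) lookup is involved.
type Decision struct {
	Permit  bool
	Device  string // device identity taken from the certificate SAN or CN
	Profile string // hypothetical authorization profile name
}

// issueCert creates a fresh P-256 key and a certificate for template.
// With parent == nil the certificate is self-signed (used for the CAs).
func issueCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// deviceTemplate builds a client-auth certificate whose SAN carries the
// device's DNS name, the field the policy below keys on.
func deviceTemplate(serial int64, dnsName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Authorize is the hypothetical policy: chain-validate the client certificate
// against the trusted device CA (the EAP-TLS step), then decide from the SAN.
// An error means the chain did not validate; Permit=false with nil error means
// the certificate is genuine but carries no corporate device name.
func Authorize(clientCert *x509.Certificate, roots *x509.CertPool, corpSuffix string) (Decision, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return Decision{}, err
	}
	for _, name := range clientCert.DNSNames {
		if strings.HasSuffix(strings.ToLower(name), corpSuffix) {
			return Decision{Permit: true, Device: name, Profile: "CorpDevice"}, nil
		}
	}
	return Decision{Permit: false, Device: clientCert.Subject.CommonName, Profile: "Deny"}, nil
}

// ScenarioResult holds the outcome for the three constructed devices.
type ScenarioResult struct {
	Corp     Decision // corp CA, corporate SAN: expected permit
	Guest    Decision // corp CA, non-corporate SAN: expected deny
	RogueErr error    // untrusted CA, corporate-looking SAN: expected chain error
}

// RunScenario builds the constructed PKI and evaluates the policy.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	corpCA, corpKey, err := issueCert(caTemplate("Corp Device CA (constructed)"), nil, nil)
	if err != nil {
		return r, err
	}
	rogueCA, rogueKey, err := issueCert(caTemplate("Rogue CA (constructed)"), nil, nil)
	if err != nil {
		return r, err
	}
	corpDev, _, err := issueCert(deviceTemplate(100, "laptop01.corp.example"), corpCA, corpKey)
	if err != nil {
		return r, err
	}
	guestDev, _, err := issueCert(deviceTemplate(101, "tablet.guest.example"), corpCA, corpKey)
	if err != nil {
		return r, err
	}
	rogueDev, _, err := issueCert(deviceTemplate(102, "laptop02.corp.example"), rogueCA, rogueKey)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(corpCA) // only the corporate device CA is trusted
	if r.Corp, err = Authorize(corpDev, roots, ".corp.example"); err != nil {
		return r, err
	}
	if r.Guest, err = Authorize(guestDev, roots, ".corp.example"); err != nil {
		return r, err
	}
	_, r.RogueErr = Authorize(rogueDev, roots, ".corp.example")
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("corp: %+v\nguest: %+v\nrogue: %v\n", r.Corp, r.Guest, r.RogueErr)
}
```

The point of the rogue case is the one to keep in mind when skipping directory lookups: a SAN that looks corporate proves nothing until the chain validates against the CA you actually trust, so the trust anchor list on the RADIUS server is what replaces the AD lookup as the gate.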
05-31-2022 06:39 PM
Hi @ahollifield
That's great, thanks for the quick response.
Also, instead of doing any type of AD lookups for the client, is it possible to check the status of the client in an MDM integration such as Intune (e.g. is the client enrolled and compliant?)? I have not worked with ISE and MDM integration before, so I am not sure if this is possible or not.
05-31-2022 09:24 PM
Yes, it is possible. See some of the following related documents:
Cisco ISE Integration with Mobile Device Management (MDM)
Integrate MDM and UEM Servers with Cisco ISE
There is also an older session on "Mobile Device Management with ISE" available at https://cs.co/ise-webinars as a starting point.
08-19-2022 01:41 AM
Hello,
I am in the same situation: on-prem ISE with an upcoming cloud-only Azure AD.
Is there any update on your case?
Could you resolve the "problem"?
Greetings Michael
08-19-2022 08:04 AM
Did you watch the webinars?
08-20-2022 08:22 AM
14:42 Overview of Microsoft Azure Active Directory
15:15 802.1X with OAuth-ROPC to Azure AD in ISE 3.0
20:02 EAP-TLS & TEAP Authorization with Microsoft Azure Active Directory
21:52 Demo: EAP-TLS Certificate based Authorization with Azure Active Directory