Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1714
Views
22
Helpful
4
Replies

ISE 3.2 EAP-TLS Azure AD permission error

Go to solution
seankin
Level 1
Level 1

‎11-23-2022 07:21 AM

We are implementing Azure AD EAP-TLS authentication on ISE 3.2 using the following guide: 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

We have hit an issue where in the rest-id-store.log we are getting the following error (Insufficient privileges to complete the operation):

,799 ERROR [http-nio-9601-exec-5][[]] cisco.ise.ropc.utilities.RestUtility -::::- Error response in 'GET' request. Status - '403'. Error - '{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation

In the ISE 3.2 demonstration video, the same error occurs and the presentor is unable to get it working (Time 29.40) and does not provide any resolution:

https://www.youtube.com/watch?v=857hIkxkEAU

Has anyone managed to get this working and solve the 403 permission error or does EAP-TLS on 3.2 not work?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-23-2022 08:06 AM

Yes, I included the solution in the Show Notes of that YouTube video  8-)

The permissions problem in the demo was 1 additional API Permission in Azure Active Directory was required to make it work. The 3 required permissions are
- Group.Read.All
- User.Read
- User.Read.All  ◁◁◁ This was missing!

ISE 3.2 - Azure AD Permissions for EAP-TLS.png

View solution in original post

4 Replies 4

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-23-2022 08:06 AM

Yes, I included the solution in the Show Notes of that YouTube video  8-)

The permissions problem in the demo was 1 additional API Permission in Azure Active Directory was required to make it work. The 3 required permissions are
- Group.Read.All
- User.Read
- User.Read.All  ◁◁◁ This was missing!

ISE 3.2 - Azure AD Permissions for EAP-TLS.png

Go to solution
seankin
Level 1
Level 1
In response to thomas

‎11-23-2022 08:07 AM

Brilliant! Thank you

Go to solution
Jan Junker
Level 1
Level 1

‎03-16-2023 07:30 AM

Hi there. This is EAP-TLS with Azure AD users. Would this also work with Azure AD computer accounts as well?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Jan Junker

‎03-16-2023 02:04 PM

There is no such thing as an Azure AD 'Computer' account. See this document for more information.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

0 Helpful
Customers Also Viewed These Support Documents