11-18-2019 02:35 PM - edited 11-18-2019 02:37 PM
I would like to ask a question about ISE and Azure AD. Today ISE uses traditional AD domain controllers for account lookup and for the attributes used to evaluate the user for network access. The company is moving to Azure AD in the cloud. There will still be on-premises AD controllers, specifically wherever there is a PSN. For obvious reasons that takes care of any latency problems. The difference is that the on-premises AD controllers will not contain any of the users' computer objects. Does an on-prem AD controller that gets its feed via the AD connector from Azure AD and contains zero computer objects affect ISE in any way?
11-18-2019 02:47 PM
The Azure AD Connector running as a Service on the on-prem AD can receive objects from Azure. This means you create accounts in Azure portal and then they appear on the on-prem server. The opposite is true too - you can create objects on-prem and have them sync'd to Azure AD.
Not sure what you mean by "Zero computer objects"? If you're authenticating users via AD then I suppose you don't need the computer objects. But if you're doing machine authentication then I would argue that those accounts should reside on the on-prem AD servers??? It's been a while since I set up our Sync, but perhaps you can also sync machine objects to Azure AD.
11-19-2019 05:30 AM
Thanks for the reply.
They are using machine based certificates. Is that the same as machine authentication? And if not what would machine authentication look like in ISE?
11-19-2019 07:43 AM
No, machine authentication requires a computer object in AD, and a successful directory user authentication to that machine. It is specifically enabled in the ISE AD connector on the advanced tab. Machine certificates would be used for (typically) EAP-TLS authentication outside of Active Directory.
11-19-2019 11:32 AM
Thanks for the machine object clarification.
Will ISE integrate with Azure AD with on-prem ISE, and how? For example, is that with on-prem AD controllers, or can ISE talk directly with Azure AD in the cloud? I have heard for some time that ISE is on the cusp of integrating with Azure AD.
11-19-2019 01:37 PM
Let's define "integrate with" : in terms of an external identity source, ISE can be configured with an on-prem Active Directory Controller using the AD Integration or LDAP. If you use LDAP, then you're limited in terms of the password authentication that LDAP will support. There is a table in the User Guide that shows that.
If you hosted your AD controllers in the public cloud then you could in theory integrate ISE with that too (over an AWS VPC etc.) - in that case your data centre lives in the public cloud and your ISE server may be on-prem - some hybrid arrangement.
If you think of "cloud-native" Azure-AD, then ISE does not have an integration for that. But you could use secure LDAP to tunnel your LDAP requests from on-prem to the public cloud. But the results are not the same as doing ISE<->AD integration (see table link above).
It certainly would be nice to have a cloud native integration. I would recommend sending a feature request via the Feedback link to the PM.
regards
05-06-2021 11:01 AM
Arnie, if you have a current implementation with on-prem AD, can you add Azure AD to the mix if it starts issuing certificates to machines, and have them seen and validated?
05-06-2021 06:14 PM
The only current method for authenticating 802.1x against AzureAD requires using ISE 3.0 and ROPC.
See the Configure ISE 3.0 REST ID with Azure Active Directory TechNote for more information.
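Added example (not from this thread or from Cisco): the shape of the ROPC token request an identity store such as the ISE REST ID store would post to the Azure AD v2.0 token endpoint, and how a success or error response maps to an authentication decision. The tenant, client id, credentials and the unsigned test token are constructed placeholders; the JWT decoder only inspects claims and performs no signature verification.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD v2.0 token endpoint; ROPC posts an x-www-form-urlencoded body to it.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_ropc_request(tenant, client_id, username, password, scope="openid profile"):
    """Return (url, form_body) for a Resource Owner Password Credentials grant."""
    body = {
        "grant_type": "password",   # grant_type=password is what makes this ROPC
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,       # cleartext credential: the request must travel over TLS
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(body)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def jwt_claims(token):
    """Decode the payload segment of a JWT for inspection (no signature check)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def evaluate_token_response(response):
    """Map a token-endpoint JSON response to an authentication decision.

    A success carries the claims (here 'preferred_username' and 'groups') that an
    identity store would feed into authorization; ROPC failures such as MFA being
    required or the flow being blocked arrive as a JSON body with an 'error' field.
    """
    if "error" in response:
        return {"authenticated": False, "reason": response["error"],
                "detail": response.get("error_description", "")}
    claims = jwt_claims(response["access_token"])
    return {"authenticated": True, "user": claims.get("preferred_username"),
            "groups": claims.get("groups", [])}


def make_unsigned_test_token(claims):
    """Build a constructed, unsigned JWT (alg=none) for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Because ROPC hands the user's password straight to the token endpoint, it cannot satisfy MFA or Conditional Access prompts, so accounts covered by those policies fail with an error response rather than a token.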
04-25-2023 05:54 AM
Hi Greg Gibbs,
I want to connect my Cisco ISE 2.6 to Azure AD. Is it possible? If it's possible, could you share any Cisco reference about that?
I want my laptop to join AD via Cisco ISE.
Regards
Serge
04-25-2023 09:48 AM