ISE and Azure AD

boclabor
Cisco Employee

I would like to ask a question about ISE and Azure AD. Today ISE uses traditional AD DC controllers for account lookup and attributes to measure the user with for network access. The company is moving to Azure AD in the cloud. There will still be on-premises AD controllers, specifically wherever there is a PSN. For obvious reasons that takes care of any latency problems. The difference is that the on-premises AD controllers will not contain any of the user's computer objects. Does an on-prem AD controller that gets its feed via the AD connector from Azure AD and contains zero computer objects affect ISE in any way?


7 Replies

Arne Bier
VIP Advisor

The Azure AD Connector running as a Service on the on-prem AD can receive objects from Azure. This means you create accounts in the Azure portal and then they appear on the on-prem server. The opposite is true too - you can create objects on-prem and have them synced to Azure AD.

Not sure what you mean by "Zero computer objects"? If you're authenticating users via AD then I suppose you don't need the computer objects. But if you're doing machine authentication then I would argue that those accounts should reside on the on-prem AD servers??? It's been a while since I set up our Sync, but perhaps you can also sync machine objects to Azure AD.

 

Thanks for the reply.  

 

They are using machine-based certificates. Is that the same as machine authentication? And if not, what would machine authentication look like in ISE?

No, machine authentication requires a computer object in AD, and a successful directory user authentication to that machine. It is specifically enabled in the ISE AD connector on the advanced tab.  Machine certificates would be used for (typically) EAP-TLS authentication outside of Active Directory.
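The answer above turns on one concrete precondition: machine authentication only succeeds if the DC that ISE queries actually holds a computer object for the endpoint, whereas EAP-TLS with machine certificates is validated against the CA. A practical way to settle the original question ("zero computer objects") before pointing a PSN at an Azure-fed DC is to inspect a directory export. The script below is an added example written for this thread, not Cisco or Microsoft code and not from the original posts: it parses an LDIF export (the two samples are constructed), separates user objects from computer objects, and checks whether a given 802.1X identity could be machine-authenticated. It assumes the common conventions that machine-auth identities take the form `host/<fqdn>` and that the matching AD account has `sAMAccountName` `<HOSTNAME>$`; attribute names follow AD's schema.

```python
"""Offline check: does a DC export contain the computer objects that ISE
machine authentication needs?  Added example for this thread (not Cisco or
Microsoft code).  Parses a constructed LDIF export and resolves an 802.1X
identity the way a machine-auth lookup would need to."""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed LDIF export of a DC that holds users AND one computer object.
LDIF_WITH_COMPUTERS = """\
# export of OU=Corp,DC=corp,DC=example (constructed sample)
dn: CN=Alice Smith,OU=Users,OU=Corp,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: asmith
userPrincipalName: asmith@corp.example

dn: CN=PC1,OU=Workstations,OU=Corp,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
sAMAccountName: PC1$
dNSHostName:: cGMxLmNvcnAuZXhhbXBsZQ==
"""

# Constructed export of a DC fed only from Azure AD: users synced, no computers.
LDIF_SYNCED_USERS_ONLY = """\
dn: CN=Alice Smith,OU=Users,OU=Corp,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: asmith

dn: CN=Bob Jones,OU=Users,OU=Corp,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: bjones
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: comments, folded lines (continuation lines start
    with one space) and base64 values ('attr:: value').  URL values
    ('attr:< file://...') are not needed for this check and are not handled."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation onto previous line
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        idx = line.find(":")
        if idx < 0:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = line[:idx]
        if line[idx + 1:idx + 2] == ":":     # 'attr:: <base64>'
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8")
        else:
            value = line[idx + 1:].strip()
        current.setdefault(name, []).append(value)
    return entries


def _classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectClass", [])}


def computer_objects(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if "computer" in _classes(e)]


def user_objects(entries: List[Entry]) -> List[Entry]:
    # AD computer objects also carry objectClass 'user', so exclude them here.
    return [e for e in entries if "user" in _classes(e) and "computer" not in _classes(e)]


def machine_account_name(identity: str) -> Optional[str]:
    """Assumed convention: machine-auth identity 'host/<fqdn>' maps to the
    computer account '<HOSTNAME>$'.  Returns None for user identities."""
    if not identity.lower().startswith("host/"):
        return None
    hostname = identity[len("host/"):].split(".", 1)[0]
    return hostname.upper() + "$"


def can_machine_authenticate(entries: List[Entry], identity: str) -> bool:
    """True only if a computer object with the expected sAMAccountName exists."""
    wanted = machine_account_name(identity)
    if wanted is None:
        return False
    return any(wanted.lower() in (v.lower() for v in e.get("sAMAccountName", []))
               for e in computer_objects(entries))


if __name__ == "__main__":
    for label, text in (("full DC", LDIF_WITH_COMPUTERS), ("Azure-fed DC", LDIF_SYNCED_USERS_ONLY)):
        ents = parse_ldif(text)
        print(f"{label}: {len(user_objects(ents))} users, {len(computer_objects(ents))} computers, "
              f"host/pc1.corp.example machine auth possible: {can_machine_authenticate(ents, 'host/pc1.corp.example')}")
```

Run against a real export (for example the output of `ldifde` or `ldapsearch` on the DC the PSN will join), the "0 computers" result for the Azure-fed DC is exactly the condition under which PEAP/MSCHAPv2 machine authentication fails while certificate-based EAP-TLS keeps working.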

Thanks for the machine object clarification.

 

Will ISE integrate with Azure AD with on-prem ISE, and how? For example, is that with on-prem AD controllers, or can ISE talk directly with Azure AD in the cloud? I have heard for some time that ISE is on the cusp of integrating with Azure AD.

Let's define "integrate with": in terms of an external identity source, ISE can be configured with an on-prem Active Directory Controller using the AD Integration or LDAP. If you use LDAP, then you're limited in terms of the password authentication that LDAP will support. There is a table in the User Guide that shows that.

If you hosted your AD controllers in the public cloud then you could in theory integrate ISE with that too (over an AWS VPC etc.) - in that case your data centre lives in the public cloud and your ISE server may be on-prem - some hybrid arrangement.

If you think of "cloud-native" Azure AD, then ISE does not have an integration for that. But you could use secure LDAP to tunnel your LDAP requests from on-prem to the public cloud. But the results are not the same as doing ISE<->AD integration (see table link above).

 

It certainly would be nice to have a cloud native integration. I would recommend sending a feature request via the Feedback link to the PM.

 

regards

 

Arnie, if you have a current implementation with on-prem AD, can you add Azure AD to the mix if it starts issuing certificates to machines, and have them be seen and validated?

The only current method for authenticating 802.1X against Azure AD requires using ISE 3.0 and ROPC.

See the Configure ISE 3.0 REST ID with Azure Active Directory TechNote for more information.
