
ISE Azure AD Groups

manvik
Level 3

We have integrated Cisco ISE with Azure AD (Entra ID) via ROPC. ISE version 3.2 patch 2.

When an Azure AD user logs in, authentication is successful.
An authorization policy is used to deny any user who does not belong to a particular AD group.
Users are getting denied by this authorization policy even if they belong to the group.
We changed Deny Access in the authorization policy to Permit Access; still that policy is not being used. ISE picks the next policy.
We checked with all policy conditions (Equals, Contains, In, Not In, etc.); still the policy is not working.

Attaching a screenshot of the authorization policy (AuthPolicy.jpg).

7 Replies

klnnnnng
Level 1

Hello manvik,

could you please share the Radius Live Log? There should be something that is incorrectly configured or misspelled. 


Regards,

manvik
Level 3

Radius live log says Authorization denied due to the policy screenshot I have attached.

Marvin Rhoads
Hall of Fame

Do a test authentication from the external identity store configuration page and see what it returns with respect to user group membership.

manvik

Test authentication works, and in the real-world scenario authentication to Azure AD works too, but authorization fails when checked against AD groups. TAC has been checking this for a week, no conclusion yet.

Marvin Rhoads

Did you verify the groups are being returned as expected when you tested authentication? As shown below:

(screenshot: MarvinRhoads_0-1706708185075.png)

It can also be an issue if for any reason the group SID changed on the Azure AD (Entra ID) side and ISE did not realize it. In such a case you can have the same group name on both sides but actually not be referring to the same object. In such cases you have to remove and re-add the group in ISE.


Greg Gibbs

The 'Test User Authentication' is only relevant to traditional AD. The Entra ID integration uses RESTID/ROPC, so that tool is not relevant to this use case.

I'm using ISE 3.2p4 in my lab and the RESTID/ROPC flow works as expected with both authorization policies matching on NOT_EQUALS and EQUALS conditions.

Example (screenshot: Screenshot 2024-02-01 at 9.19.44 am.png):

In the detailed logs, I can see both the Monitor and Enabled rule being hit.

(screenshot: Screenshot 2024-02-01 at 9.21.24 am.png)

If you haven't done so already, I would suggest updating to patch 4 and checking your setup against this guide.

If the 'Test Connection' succeeds and you are able to retrieve the groups and attributes in the REST connection, then it should work. Also make sure that the Username suffix is configured correctly and that you are matching on a Security group type that is not nested (I don't believe ISE supports nested or O365 EntraID groups).
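Two things in the replies above are worth checking by hand rather than by staring at the policy screenshot: Marvin's point that a group with the same display name on both sides may no longer be the same object in Entra ID, and Greg's points about the username suffix and about matching only on a non-nested security group. The script below is an added example for this thread, not Cisco's code or anything ISE itself runs. It indexes a (constructed, inline) Microsoft Graph `/me/memberOf` and `/me/transitiveMemberOf` response the way a practitioner would after calling Graph with the same credentials ISE uses, and reports for each ISE-selected group why an EQUALS/IN condition could fail: stale object ID, Microsoft 365 rather than security group, nested-only membership, or plain non-membership. It also builds the OAuth 2.0 ROPC token request against the Entra ID v2.0 endpoint, applying the suffix only to a bare username; all tenant, client and group identifiers are made up, and the exact scope ISE requests internally is an assumption.

```python
"""Added example (not from the thread or from Cisco): audit why an Entra ID
group selected in ISE may never match, and show the ROPC token request that the
REST ID store performs. Tenant, client and group identifiers are constructed."""

from typing import Dict, Tuple

GROUP_TYPE = "#microsoft.graph.group"

# Constructed sample of Microsoft Graph GET /me/memberOf (direct memberships).
# securityEnabled, mailEnabled and groupTypes are real Graph group fields.
GRAPH_MEMBER_OF = {
    "value": [
        {"@odata.type": GROUP_TYPE, "id": "11111111-1111-1111-1111-111111111111",
         "displayName": "WiFi-Users", "securityEnabled": True,
         "mailEnabled": False, "groupTypes": []},
        {"@odata.type": GROUP_TYPE, "id": "22222222-2222-2222-2222-222222222222",
         "displayName": "All-Staff", "securityEnabled": False,
         "mailEnabled": True, "groupTypes": ["Unified"]},  # Microsoft 365 group
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "dddddddd-dddd-dddd-dddd-dddddddddddd", "displayName": "Global Reader"},
    ]
}

# Constructed sample of GET /me/transitiveMemberOf: direct plus nested memberships.
GRAPH_TRANSITIVE_MEMBER_OF = {
    "value": GRAPH_MEMBER_OF["value"] + [
        {"@odata.type": GROUP_TYPE, "id": "33333333-3333-3333-3333-333333333333",
         "displayName": "Corp-Devices", "securityEnabled": True,
         "mailEnabled": False, "groupTypes": []},  # reached only through a nested group
    ]
}

# Constructed: group name -> object ID as selected in the ISE REST ID store.
ISE_GROUPS = {
    "WiFi-Users": "99999999-9999-9999-9999-999999999999",    # same name, different object
    "All-Staff": "22222222-2222-2222-2222-222222222222",     # M365 group, not a security group
    "Corp-Devices": "33333333-3333-3333-3333-333333333333",  # nested membership only
    "Contractors": "44444444-4444-4444-4444-444444444444",   # user is not a member
}


def _groups_by_id(payload: Dict) -> Dict[str, Dict]:
    """Index the group objects in a Graph collection by object ID, dropping
    directory roles and other non-group entries."""
    return {obj["id"]: obj for obj in payload["value"]
            if obj.get("@odata.type") == GROUP_TYPE}


def audit_ise_groups(member_of: Dict, transitive: Dict,
                     ise_groups: Dict[str, str]) -> Dict[str, str]:
    """Per ISE-selected group, say whether an EQUALS/IN condition can match
    for this user.  MATCH: direct member of a security group.
    NOT_SECURITY_GROUP: member, but of an M365/mail group.  NESTED_ONLY: the
    membership is only transitive.  ID_MISMATCH: a group with that name exists
    but with another object ID (group re-created; remove and re-add it in ISE).
    NOT_MEMBER: no group of that name or ID contains the user."""
    direct = _groups_by_id(member_of)
    everything = _groups_by_id(transitive)
    names_seen = {g["displayName"] for g in everything.values()}
    verdicts = {}
    for name, gid in ise_groups.items():
        if gid in direct:
            g = direct[gid]
            if not g["securityEnabled"] or "Unified" in g["groupTypes"]:
                verdicts[name] = "NOT_SECURITY_GROUP"
            else:
                verdicts[name] = "MATCH"
        elif gid in everything:
            verdicts[name] = "NESTED_ONLY"
        elif name in names_seen:
            verdicts[name] = "ID_MISMATCH"
        else:
            verdicts[name] = "NOT_MEMBER"
    return verdicts


def ropc_token_request(tenant_id: str, client_id: str, client_secret: str,
                       username: str, password: str,
                       username_suffix: str) -> Tuple[str, Dict[str, str]]:
    """Endpoint and form body of the OAuth 2.0 password grant (ROPC) against the
    Entra ID v2.0 token endpoint.  The suffix is appended only to a bare user
    name, which is how the ISE 'Username suffix' setting is meant to be used;
    the scope ISE itself requests is an assumption here."""
    if "@" not in username:
        username = f"{username}@{username_suffix.lstrip('@')}"
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "username": username,
        "password": password,
    }
    return url, body


if __name__ == "__main__":
    for group, verdict in audit_ise_groups(GRAPH_MEMBER_OF,
                                           GRAPH_TRANSITIVE_MEMBER_OF,
                                           ISE_GROUPS).items():
        print(f"{group:14} {verdict}")
    url, body = ropc_token_request("contoso.onmicrosoft.com", "app-id", "secret",
                                   "alice", "Pa55w0rd", "@contoso.com")
    print(url, body["username"])
```

To use it against a real tenant, POST the returned body to the returned URL with the same app registration ISE uses, call `/me/memberOf` and `/me/transitiveMemberOf` with the access token, and feed the JSON in place of the constructed dictionaries. A `MATCH` verdict for the group in the failing rule, with the rule still not hit, points at the rule itself; anything else points at the group selection in the REST ID store.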

manvik
Level 3

Attached the ISE detailed authentication log. You can see that authentication works fine and ISE is able to fetch the group information too.
Traffic flow is Win laptop > Meraki WiFi > ISE > Azure AD.

@Marvin Rhoads I think the screenshot you shared is for on-prem AD. Anyway, I tested the same for Azure AD (ROPC) too. Test Connection is successful. As you suggested, I deleted and re-added the groups in ISE; still no luck.
@Greg Gibbs When I tried with patch 4, authentication was not working, with the error "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session".

Anyway, I am awaiting the TAC response on this. They have collected a ton of logs.