ISE Azure AD ?

Cristian Venegas
Cisco Employee

Folks,

We've got a customer who is adopting Azure AD and has operations in several countries.

Their use case includes 802.1X for wired/wireless, VPN and Guest services.

As far as I know, we currently support Azure AD with SAML, which could take care of the Guest Services and VPN part of the request (https://community.cisco.com/t5/security-documents/notes-on-azure-ad-as-saml-idp/ta-p/3644255). However, for 802.1X wired/wireless services, it is my understanding that we officially do not support it yet (https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/td-p/3805022). I've seen some notes on the possibility of using LDAPS, but this approach has limitations (i.e. PEAP-MSCHAPv2). Other folks advise joining MS AD directly. It is my understanding that ISE on Public Cloud is on the roadmap as well.

Please, any advice, experiences, ideas, official take on this or roadmap information is more than welcome.

Thank you.

Regards,

.:|:.:|:. Cristian Venegas | Technical Solutions Architect - Security | +56 (9) 9632 1494 | crvenega@cisco.com

Accepted Solution

Greg Gibbs
Cisco Employee

The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There is currently no industry-standard method for authenticating 802.1X via SAML/OAuth, except maybe ROPC, which is really just a stop-gap and not recommended for use in Production at this time.

Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm

7 Replies

Has something changed in the last 3 years? Is ROPC still not recommended for production?

Thanks

ROPC still has significant performance limitations (max 50 authentications per second) and user experience issues. See this blog for available options related to Entra ID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635

surasky
Cisco Employee

Hi Surasky

We are planning to implement 802.1X + MAB for wired and wireless corporate users on ISE 3.0 with Azure AD using ROPC.

We are looking for an implementation guide here.

Requesting you to please share.

Regards

PP

Hi

See https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

There is only limited 802.1X support, and ROPC is only supported using EAP-TTLS with PAP as the inner method (clear text). This means support for a somewhat insecure username/password exchange: it is in clear text, but it is encapsulated in the EAP-TTLS outer tunnel. There is no support for certificates yet.

For now I would recommend looking into doing a combination of 802.1X and MDM integration instead of ROPC.

Best Regards
Nicolai Borchorst
CCIE Security #65775

Hi

I have gone through that link but could not find the ISE configuration guide; it is only the Azure configuration guide. Can you help me with what ISE configuration is required in 3.0?

Regards

PP