ā09-14-2020 12:46 PM
Folks,
Weāve got a customer who is adopting Azure AD and has operations in several countries.
Their use case includes 802.1X for wired/wireless, VPN and Guest services.
As far as i know, we currently support Azure AD with SAML, which could take care of the Guest Services and VPN part of the request (https://community.cisco.com/t5/security-documents/notes-on-azure-ad-as-saml-idp/ta-p/3644255). However, for 802.1X wired/wireless services, it is my understanding that we officially do not support it yet (https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/td-p/3805022). Iāve seen some notes on the possibility about using LDAPS, but this approach has limitations (ie: PEAP-MSCHAP-v2). Other folks advise to join MS AD directly. It is my understanding that ISE on Public Cloud is on the roadmap as well.
Please, any advise, experiences, ideas, official take on on this or roadmap information is more than welcome.
Thank you.
Regards,
.:|:.:|:. Cristian Venegas | Technical Solutions Architect - Security | +56 (9) 9632 1494 | crvenega@cisco.com
Solved! Go to Solution.
ā09-14-2020 07:27 PM
The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There currently no industry-standard method for authenticating 802.1x via SAML/OAuth except maybe ROPC which is really just a stop-gap and not recommended for use in Production at this time.
Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm
ā09-14-2020 07:27 PM
The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There currently no industry-standard method for authenticating 802.1x via SAML/OAuth except maybe ROPC which is really just a stop-gap and not recommended for use in Production at this time.
Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm
ā12-13-2023 07:28 AM
Has something changed in the last 3 years? is ROPC still not recommended for production?
Thanks
ā12-13-2023 01:01 PM
ROPC still has significant performance limitations (max 50 authentications per second) and user experience issues. See this blog for available options related to Entra ID.
ā10-26-2020 08:42 AM
ISE 3.0 supports 802.1X with Azure AD using ROPC.
ā11-06-2020 04:07 AM
Hi Surasky
We are planning to Implement - > ( 802.1X + MAB ) For Wired and Wireless Corporate user on ISE 3.0 with Azure AD using ROPC.
We are lookin here Implementation guide.
Requesting to you please share.
Regards
PP
ā11-06-2020 09:59 AM
Hi
There is only limited 802.1X Support, and ROPC is only supported using EAP-TTLS with PAP as the inner method (Clear Text). This means support for somewhat unsecure username/password, it's in clear text but it is encapsulated in the EAP-TTLS outer tunnel. There is no support for Certificates yet.
For now i would recommend looking into doing a combination of 802.1X and MDM Integration instead of ROPC.
ā11-09-2020 10:03 AM
Hi
I have gone through that link but could not find ISE Configuration Guide its is only Azure Configuration Guide. Can you help me what ISE configuration required in 3.0 ?
Regards
PP
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide