Solved: ISE Azure AD ?

Cristian Venegas · ‎09-14-2020

Folks,

We’ve got a customer who is adopting Azure AD and has operations in several countries.

Their use case includes 802.1X for wired/wireless, VPN and Guest services.

As far as i know, we currently support Azure AD with SAML, which could take care of the Guest Services and VPN part of the request (https://community.cisco.com/t5/security-documents/notes-on-azure-ad-as-saml-idp/ta-p/3644255). However, for 802.1X wired/wireless services, it is my understanding that we officially do not support it yet (https://community.cisco.com/t5/network-access-control/ise-integration-with-azure-ad/td-p/3805022). I’ve seen some notes on the possibility about using LDAPS, but this approach has limitations (ie: PEAP-MSCHAP-v2). Other folks advise to join MS AD directly. It is my understanding that ISE on Public Cloud is on the roadmap as well.

Please, any advise, experiences, ideas, official take on on this or roadmap information is more than welcome.

Thank you.

Regards,

.:|:.:|:. Cristian Venegas | Technical Solutions Architect - Security | +56 (9) 9632 1494 | crvenega@cisco.com

Greg Gibbs · ‎09-14-2020

The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There currently no industry-standard method for authenticating 802.1x via SAML/OAuth except maybe ROPC which is really just a stop-gap and not recommended for use in Production at this time.

Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm

View solution in original post

Greg Gibbs · ‎09-14-2020

The only current method of directly integrating ISE & Azure AD is via SAML, which is limited to specific Portal-based authentication. There currently no industry-standard method for authenticating 802.1x via SAML/OAuth except maybe ROPC which is really just a stop-gap and not recommended for use in Production at this time.

Roadmap is not discussed on this public forum. For roadmap info, reach out to the ISE PMs on cs.co/ise-pm

bergamok · ‎12-13-2023

Has something changed in the last 3 years? is ROPC still not recommended for production?

Thanks

Greg Gibbs · ‎12-13-2023

ROPC still has significant performance limitations (max 50 authentications per second) and user experience issues. See this blog for available options related to Entra ID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635

surasky · ‎10-26-2020

ISE 3.0 supports 802.1X with Azure AD using ROPC.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/release_notes/b_ise_30_rn.html#concept_uhf_4rm_gnb

pattani.parag23 · ‎11-06-2020

Hi Surasky

We are planning to Implement - > ( 802.1X + MAB ) For Wired and Wireless Corporate user on ISE 3.0 with Azure AD using ROPC.

We are lookin here Implementation guide.

Requesting to you please share.

Regards

PP

Nicolai Borchorst · ‎11-06-2020

Hi

See https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

There is only limited 802.1X Support, and ROPC is only supported using EAP-TTLS with PAP as the inner method (Clear Text). This means support for somewhat unsecure username/password, it's in clear text but it is encapsulated in the EAP-TTLS outer tunnel. There is no support for Certificates yet.

For now i would recommend looking into doing a combination of 802.1X and MDM Integration instead of ROPC.

Best Regards
Nicolai Borchorst
CCIE Security #65775

pattani.parag23 · ‎11-09-2020

Hi

I have gone through that link but could not find ISE Configuration Guide its is only Azure Configuration Guide. Can you help me what ISE configuration required in 3.0 ?

Regards

PP