ISE Azure REST/ROPC for Device Admin

dm2020
Level 1

Hi All,

I have been testing ISE with Azure ROPC for EAP-TTLS and AnyConnect VPN authentication. Both of these work ok. As both of these use-cases support PAP, I'm assuming that it is also supported to use Azure ROPC for RADIUS and TACACS device administration?

I have been doing some testing and RADIUS admin works ok, as we can use Azure ROPC for user authentication and then use the Azure AD identity source within an authorisation policy to map an Azure AD group to the required authorisation profile (such as Priv15 for switches).

With TACACS, authentication works ok; however, there doesn't seem to be an option to select the Azure AD identity source as a condition within the TACACS authorisation policy, so we can't use Azure AD groups for allocating granular command sets/shell profiles.

Has anyone else looked into this?

Accepted Solution

Greg Gibbs
Cisco Employee

Neither the Authentication nor Authorization Policies for Device Admin (TACACS+) currently support REST ID/ROPC Identity Sources or attributes in any shipping version of ISE.

7 Replies

Thanks @Greg Gibbs. I'm assuming that Network/Device Admin with RADIUS is fully supported then?

That is not a documented use case for ROPC, but both use cases would use simple password-based authentication. The endpoint auth use case would use EAP-TTLS(PAP) and the device admin use case would use simple PAP.

I did a basic test using a CSR1000v configured for RADIUS and authentication using AzureAD via ROPC did work. My authorization policy used a group membership check against AzureAD and the condition matched as expected.

Detailed log:

Screenshot 2023-02-27 at 10.45.33 am.png
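To make the mechanism under discussion concrete, here is an added example (not ISE code, and not a description of how ISE's REST ID store is implemented internally) of the OAuth 2.0 ROPC grant that this kind of password-based authentication relies on, followed by a group-to-privilege decision like the "Azure AD group to Priv15" mapping described above. The tenant id, client id, group object ids, token and responses are all constructed placeholders; the JWT is unsigned purely so the example runs offline, and the GROUP_TO_PRIVILEGE mapping is hypothetical.

```python
"""
Illustrative OAuth 2.0 ROPC (Resource Owner Password Credentials) exchange and
a group-membership authorization decision. Added example; not Cisco ISE code
and not a statement of ISE internals. All identifiers below are constructed.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders (not real tenant/app identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

# Hypothetical mapping from Entra ID group object id to a device-admin privilege,
# listed in precedence order (first match wins).
GROUP_TO_PRIVILEGE = {
    "22222222-2222-2222-2222-222222222222": "Priv15",
    "33333333-3333-3333-3333-333333333333": "Priv1",
}


def build_ropc_request(username, password):
    """Return (url, form-encoded body) for the ROPC grant.

    The clear-text password travels in the POST body, which is why ROPC fits
    PAP-style credentials (EAP-TTLS(PAP) or plain PAP) and cannot complete an
    interactive MFA challenge: there is no second factor to present.
    """
    body = urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "scope": "openid profile",
        "username": username,
        "password": password,
    })
    return TOKEN_ENDPOINT, body


def _b64url_decode(segment):
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_demo_token(claims):
    """Constructed, UNSIGNED JWT so the example runs offline. Never trust one of these."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def groups_from_id_token(id_token):
    """Extract the 'groups' claim from the id_token payload.

    Signature, issuer, audience and expiry validation are omitted here because
    the token is constructed; a real relying party must validate all of them
    before acting on any claim.
    """
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    return set(payload.get("groups", []))


def authorize(groups):
    """Return the first mapped privilege the user's groups satisfy, else None (deny by default)."""
    for group_id, privilege in GROUP_TO_PRIVILEGE.items():
        if group_id in groups:
            return privilege
    return None


def authorize_from_token_response(token_response):
    """A failed grant (wrong password, MFA-enforced account, ...) carries 'error' and yields no privilege."""
    if "error" in token_response:
        return None
    return authorize(groups_from_id_token(token_response["id_token"]))


# Constructed success response, shaped like a token-endpoint reply.
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": "<constructed-placeholder>",
    "id_token": make_unsigned_demo_token({
        "preferred_username": "netadmin@example.test",
        "groups": ["22222222-2222-2222-2222-222222222222"],
    }),
}

# Constructed failure response.
SAMPLE_ERROR = {"error": "invalid_grant", "error_description": "constructed failure"}

if __name__ == "__main__":
    url, body = build_ropc_request("netadmin@example.test", "example-password")
    print(url)
    print(body)
    print(authorize_from_token_response(SAMPLE_RESPONSE))  # Priv15
    print(authorize_from_token_response(SAMPLE_ERROR))     # None
```

The deny-by-default return in `authorize` is the behaviour to preserve when wiring group claims into a device-admin policy: a user with a valid password but no mapped group should get no shell profile rather than a fallback one.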

andrea-florio
Level 1

@Greg Gibbs 

I'm looking exactly at this use case since we want to move away from on-prem Active Directory due to a merger, among other reasons...

I can authenticate using an identity source sequence referencing REST/ROPC, but in the authorization policy I can't select the dictionary.

Our use case is really to authenticate and authorize based on Entra ID membership, and later, using NPS RADIUS proxy, enable 2FA via Entra/Microsoft...

Unfortunately, with authorization not working, this is not a viable solution, but it looks like it would be easily supportable.

Authentication detailed log (screenshots):

andreaflorio_0-1718571649670.png

andreaflorio_1-1718571686144.png

andreaflorio_2-1718571707933.png

@andrea-florio, as I stated in the earlier response...

"Neither the Authentication nor Authorization Policies for Device Admin (TACACS+) currently support REST ID/ROPC Identity Sources or attributes in any shipping version of ISE."

This statement is still true. The example screenshot I shared was when using RADIUS for device admin (which does not use the Device Admin Policy Sets) rather than TACACS+.

Absolutely, that is clear.

I guess that my post should have been written differently as:

1. Even if you said that authentication for TACACS isn't supported, here are the logs proving that it works.

2. I am running ISE 3.3 patch 2 and I wonder if and when such support would be added for authorization.

3. Is there any alternative that would allow us to use Entra ID users for Device Admin / TACACS+, since we plan to get rid completely of traditional AD?

Roadmap is not discussed on this public forum.

The only current alternative would be to look into using Entra Domain Services. You would sync your Entra ID user accounts with Entra DS, and ISE would integrate with Entra DS using the same mechanism as traditional AD Domain Services.
I have not had the ability to test it myself, but it should work in theory.