05-31-2024 12:47 AM
Hello all,
I am relatively new to Cisco ISE and all the possible conditions; I would like to know how to create the following condition:
check if a device is member of an Azure AD group.
The device will be Azure only (so no registration on-prem).
I am running ISE version 3.2.0.542 patch 5
The Azure AD tenant has already been configured as REST External Identity Source.
thanks for the help
F.
06-02-2024 03:04 PM
No, it is not currently possible to Authorize an Entra Joined Device against Entra ID using the REST ID function. Only User Authorization is possible. See my blog linked below for current options supported in relation to ISE and EntraID.
06-02-2024 01:28 PM
I don't have access to Azure, but if you have the External Identity Source configured, then it will appear in the Policy Set, when you create a new Authorization Rule.
In my case I have an on-prem AD, but ISE will list your Azure Identity Source in the drop-down list.
06-02-2024 04:54 PM
thanks @Greg Gibbs - it shows how little (zero) engagement I have with this stuff in my day to day.
06-03-2024 06:10 AM
Thanks @Greg Gibbs
Am I to understand that it's also not possible to check if a device is enrolled in Entra ID? So no group check, just authenticate based on whether or not it's present.
Currently I am authenticating based on a simple check on the Certificate - Issuer CN.
May I ask what would be a better way to make this rule stricter WITHOUT using any USER-based conditions?
Thanks
F.
06-03-2024 03:04 PM
Correct. ISE currently does not have the ability to check anything related to the registration/join status of a Device in Entra ID as part of the Authentication or Authorization process. The Device is only authenticated based on a valid/trusted certificate presented to ISE.
Using the Intune MDM registration/compliance status of the device as a condition for authorization is currently the best option for additional security control.