Solved: ISE Condition: Device in AZURE Group

fabioairoldi · ‎05-31-2024

Hello all,

I am relatively new to Cisco ISE and all the possible conditions; I would like to know how to create the following condition:

check if a device is member of an Azure AD group.

The device will be Azure only (so no registration on-prem).

I am running ISE version 3.2.0.542 patch 5

The Azure AD tenant has already been configured as REST External Identity Source.

thanks for the help

F.

Greg Gibbs · ‎06-02-2024

No, it is not currently possible to Authorize an Entra Joined Device against Entra ID using the REST ID function. Only User Authorization is possible. See my blog linked below for current options supported in relation to ISE and EntraID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

View solution in original post

Arne Bier · ‎06-02-2024

I don't have access to Azure, but if you have the External Identity Source configured, then it will appear in the Policy Set, when you create a new Authorization Rule.

In my case I have an on-prem AD - but ISE will list your Azure Identity Source in the drop-downlist

Greg Gibbs · ‎06-02-2024

No, it is not currently possible to Authorize an Entra Joined Device against Entra ID using the REST ID function. Only User Authorization is possible. See my blog linked below for current options supported in relation to ISE and EntraID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

Arne Bier · ‎06-02-2024

thanks @Greg Gibbs - it shows how little (zero) engagement I have with this stuff in my day to day.

fabioairoldi · ‎06-03-2024

Thanks @Greg Gibbs

am I to understand that it's also not possible to check if a device is enrolled in Entra ID? So no group check, just authenticate based on whether or not it's present.

Currently I am authenticating based on a simple check on the Certificate - Issuer CN.

May I ask what would a better way to make this rule stricter WITHOUT using any USER-based conditions?

Thanks

F.

Greg Gibbs · ‎06-03-2024

Correct. ISE currently does not have the ability to check anything related to the registration/join status of a Device in Entra ID as part of the Authentication or Authorization process. The Device is only authenticated based on a valid/trusted certificate presented to ISE.

Using the Intune MDM registration/compliance status of the device as a condition for authorization is currently the best option for additional security control.

icarimo · ‎08-05-2024

Hello,

Could you please help me to clarify this doubt:

To authenticate my wireless users using traditional AD, I have a policy where I am validating if the computer name (CN) on the certificate belongs to Computer domain group, I am not specifying a specific AD group.

Which EntraID attribute or membership group can I validate to authenticate my wireless users that are in EntraID? I don't want to specify a specific group (e.g., Sales, Marketing).

Note: I am not using MDM,
If am not wrong, from what I understood, there is not possible to check if the device is EntraID registered.
So how can I create the authotization profile, with which attributte should I compare?

Greg Gibbs · ‎08-05-2024

The question is a bit confusing as you're referencing authenticating Users based on a Computer name, which is not possible.

If you want to authorize your Users against Entra ID as per the User Authorization with Entra ID and EAP-TLS use case, those users would need to be part of a Group in Entra ID and that Group would need to be added in the REST ID Store configure in ISE.

icarimo · ‎08-06-2024

Hello @Greg Gibbs

Thank you for the quick reply.
Sorry the confusion, let me rephrase.

- I want to authenticate my wireless devices using EAP-TLS.
- The device a register in EntraID.
- I am using Essentials licenses I don´t have Intune

In the authentication rule, I will check if the device certificate was issued by the correct CA.
Then my doubt is in the authotization rule...
How can I create the authotization rule to check the device certificate CN and validate if it exist in EntraID?
--- In other words, I want to see the if CN exist in the list of EntraID devices, if yes. I will permit access.

I saw this example, however I don´t want to specify the group, just to validate if belongs to any EntraID group, permit access

Greg Gibbs · ‎08-06-2024

This has been stated repeatedly and I do not know how to state it more simply... ISE cannot current check anything about a Device against Entra ID. This is true of any kind of Device and join type (Entra Joined, Entra Hybrid Joined, Entra Registered) in Entra ID.

If the Device is enrolled with a User certificate (with the UPN) and configured for User authentication, ISE can use Entra ID Group membership and/or the other 44 attributes specified in the blog post shared earlier as conditions for authorization of the User session.