02-12-2020 01:33 AM
Hi team,
I just wanted to confirm if we can use Active Directory on Azure for users authentication with ISE.
Thanks in advance for your help.
Best regards,
02-12-2020 01:51 AM
- Yes, as a couple of the infos below will confirm:
M.
11-10-2020 08:26 AM
Partner SEVT - Security last week updated this guidance, I believe, with the arrival of ISE 3.0. Need to confirm though myself.
02-12-2020 02:46 AM
Thanks Marce1000 .
02-13-2020 04:44 AM
Hi @marce1000
I'd double-check that, since ISE does not allow Azure AD to be added as an external identity source. Yes, ISE does have SAML integration with Azure AD - but that is quite different from offering MSCHAPv2 authentication for things like EAP-PEAP authentication. As far as I know, you cannot use Azure AD for credential authentication for EAP-PEAP (even if you managed to get a Secure LDAP connection to Azure AD - the password challenge doesn't work over LDAP). You can however use it to perform Authorization (e.g. checking that user X is a member of an AD Group).
03-17-2021 01:17 PM
netizenden, did you ever confirm if AD on Azure can be used for EAP authentication with ISE 3.0?
03-17-2021 06:56 PM
See a similar discussion here:
https://community.cisco.com/t5/network-access-control/ise-azure-ad/td-p/4150923
The short answer is that this can only be done directly via ROPC, which is very bleeding-edge and has its own caveats and limitations.
02-13-2020 01:57 PM
Any integration with Azure AD would be done via SAML IdP, and ISE does not currently support using a SAML IdP for endpoint authentication. SAML IdP is only supported for authentication of the following portals:
- Guest portal (sponsored and self-registered)
- Sponsor portal
- My Devices portal
- Certificate Provisioning portal
See the ISE Admin Guide for more information.
Cheers,
Greg
11-16-2023 04:19 AM
Hi Greg Gibbs,
Almost 3 years later, is there any change in SAML IdP for endpoint authentication?
11-16-2023 01:16 PM
@stayd... No. SAML is browser-based, so it would require some significant updates to existing EAP protocols or a new EAP protocol to provide this functionality. This is not an ISE limitation, but rather an industry-wide limitation.
See this blog discussion for current options with ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune
03-17-2025 03:49 PM
Hi Greg,
Does it mean SAML can't be used for Authorization either? @Arne has mentioned in this post: "You can however use it to perform Authorization (e.g. checking that user X is a member of AD Group)."
03-17-2025 04:48 PM
No. The currently available options for authentication/authorization of users and devices against Entra ID are in the blog post I previously shared the link for below.
03-17-2025 07:31 PM
Thank you, Greg, for the reply. Would you also have info about the ISE release roadmap? This link cs.co/ise-pm is Cisco internal. We are deploying ISE 3.3 patch 4 instances in AWS for our customer and want to make sure this release will be the Cisco recommended release for at least the next 6-7 months.
03-18-2025 01:57 PM
Roadmap is not discussed on public forums. Personally (this is not a commitment from Cisco), I would expect that 3.4 would be designated the recommended release somewhere between 3 and 6 months from now, but I certainly would not deploy 3.4p1 in production at this time.