02-12-2020 01:33 AM
Hi team,
I just wanted to confirm if we can use Active Directory on Azure for users authentication with ISE.
Thanks in advance for your help.
Best regards,
02-12-2020 01:51 AM
- Yes, as a couple of the infos below will confirm:
M.
11-10-2020 08:26 AM
Partner SEVT - Security last week updated this guidance, I believe, with the arrival of ISE 3.0. Need to confirm, though, myself.
02-12-2020 02:46 AM
Thanks Marce1000.
02-13-2020 04:44 AM
Hi @marce1000
I'd double-check that, since ISE does not allow Azure AD to be added as an external identity source. Yes, ISE does have SAML integration with Azure AD - but that is quite different than offering MSChapv2 authentication for things like EAP-PEAP authentication. As far as I know, you can not use Azure AD for credential authentication for EAP-PEAP (even if you managed to get a Secure LDAP connection to Azure AD - the password challenge doesn't work over LDAP). You can however use it to perform Authorization (e.g. checking that user X is a member of AD Group).
03-17-2021 01:17 PM
netizenden, did you ever confirm if AD on Azure can be used for EAP authentication with ISE 3.0?
03-17-2021 06:56 PM
See a similar discussion here:
https://community.cisco.com/t5/network-access-control/ise-azure-ad/td-p/4150923
The short answer is that this can only be done directly via ROPC, which is very bleeding-edge and has its own caveats and limitations.
02-13-2020 01:57 PM
Any integration with Azure AD would be done via SAML IdP and ISE does not currently support using a SAML IdP for endpoint authentication. SAML IdP is only supported for authentication of the following portals:
Guest portal (sponsored and self-registered)
Sponsor portal
My Devices portal
Certificate Provisioning portal
See the ISE Admin Guide for more information.
Cheers,
Greg
11-16-2023 04:19 AM
Hi Greg Gibbs,
after almost 3 years, is there any change in SAML IdP for endpoint authentication?
11-16-2023 01:16 PM
@stayd... No. SAML is browser-based, so it would require some significant updates to existing EAP protocols or a new EAP protocol to provide this functionality. This is not an ISE limitation, but rather an industry-wide limitation.
See this blog discussion for current options with ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune