04-05-2024 01:47 PM
My organization is working on a migration path to Win11 (Entra joined) with hybrid user accounts. According to the posting below, TEAP (EAP-TLS) is not supported for Computer authentication or EAP-Chaining.
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune
I have two questions about this:
04-07-2024 05:25 PM
Authorization of an Entra Joined Device is not currently possible in ISE, and neither is EAP Chaining of an authenticated User session and Computer session. This is specifically stated in the ISE 3.2 Release Notes.
With Windows 11, most organisations are moving from the legacy on-corporate-network PC staging/build process that is controlled by SCCM and uses the PXE boot process to a Windows Autopilot process. For Autopilot, the user would just need a bare internet connection to complete the build, so this could potentially be accomplished by connecting to a Guest BYOD portal or hotspot of some kind. Part of the Autopilot process would be enrolment with Intune, which would also enrol the Device/User certificates, after which point the user could connect to the secure Corporate network.
09-02-2024 06:46 AM
Hi @Greg Gibbs,
I've been asked to migrate our ISE deployment from traditional AD to Entra ID.
I read the following document: "Configure ISE 3.0 REST ID with Azure Active Directory" at this link: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html
but it is using EAP-TTLS. I'm wondering if I can still use EAP-TLS as in my actual working setup...
Furthermore, as I understand, REST ID is the only method to integrate Cisco ISE with Entra ID.
Then I found this guide, "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory":
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html#toc-hId--1070241705
and it is using EAP-TLS, so I'm a little bit confused about what to do....
Am I able to integrate ISE and Entra ID but using EAP-TLS instead of EAP-TTLS in my authorization rules?
Thank you
Bye
09-02-2024 03:24 PM
Yes, as stated in the "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory" guide you referenced, you can use the REST ID function in ISE version 3.2 and higher to authorize a User against Entra ID. The Entra ID App Registration configuration would be the same as shown in the "Configure ISE 3.0 REST ID with Azure Active Directory" guide, except you would not need to enable the ROPC option shown in Step/Figure 9 of that document.
You might also see this blog for current options related to ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune
09-03-2024 02:38 AM - edited 09-03-2024 03:15 AM
Hi,
the more I read the document, the more I get confused.
These are my actual rules:
In order to migrate them I should refer to the "Authentication/Authorization of an Entra Joined Device using EAP-TLS" guide (we do device authentication by checking if the certificate is issued by our CA, and then for the authorization we check if the device matches the AD groups).
For the authorization rule I only need to add the policy value as per the following screenshot:
In this case I don't need to configure the REST ID function, am I correct? In this way ISE should check only if this value matches the value I want.
Thank you
Bye
09-03-2024 03:18 PM
There is currently no comparable authorization of a Device group/attribute against Entra ID as your current use case with AD. If all you are planning to do is Authenticate and Authorize a Device based simply on values in the certificate it presents to ISE for EAP-TLS and trust of that certificate chain, then you would not need any integration with Entra ID.
09-04-2024 12:34 AM
I would like to migrate the rules as similarly as possible.
Given the limitations of Entra ID, it seems to me that the only more similar way is to check certain values within the certificate, but those values have to be created first in Entra ID. So yes, there is no direct integration with Entra ID; however, those parameters in the certificates have to be congruent between ISE and Entra ID.
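As an added illustration of the certificate-only device authorization described in the two posts above (this is example code written for this thread, not ISE configuration or anything from Cisco), the following Go program builds an in-memory issuing CA and three constructed device certificates, then applies a hypothetical policy: the chain must terminate in the trusted corporate CA, the subject OU must carry the marker "Managed-Devices", and a SAN DNS name must fall under ".corp.example". The CA names, OU marker and DNS suffix are assumptions chosen for the example; in a real deployment these would be the values the certificate template and the ISE authorization condition agree on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DevicePolicy models a certificate-only authorization rule: trusted chain,
// an expected subject OU marker, and a SAN DNS name under the corporate
// suffix. RequiredOU and DNSSuffix are hypothetical policy values.
type DevicePolicy struct {
	Roots      *x509.CertPool
	RequiredOU string
	DNSSuffix  string
}

// AuthorizeDevice returns nil when leaf satisfies the policy; chain trust is
// checked first so an untrusted issuer never reaches the attribute checks.
func AuthorizeDevice(leaf *x509.Certificate, p DevicePolicy) error {
	opts := x509.VerifyOptions{
		Roots:     p.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain not trusted: %w", err)
	}
	ouOK := false
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if ou == p.RequiredOU {
			ouOK = true
		}
	}
	if !ouOK {
		return errors.New("subject OU does not carry the required marker")
	}
	for _, name := range leaf.DNSNames {
		if strings.HasSuffix(strings.ToLower(name), strings.ToLower(p.DNSSuffix)) {
			return nil
		}
	}
	return errors.New("no SAN DNS name under the expected suffix")
}

// sign creates and parses a certificate from tmpl signed by parent/signer.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA builds a self-signed issuing CA in memory (constructed test data).
func NewCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueDeviceCert issues a client-auth leaf with the given CN, OU and SAN DNS name.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn, ou, dns string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		DNSNames:     []string{dns},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// Scenarios evaluates the policy for three constructed leaves; nil means authorized.
func Scenarios() map[string]error {
	corpCA, corpKey := NewCA("Corp Issuing CA", 1)
	rogueCA, rogueKey := NewCA("Unrelated CA", 2)
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	policy := DevicePolicy{Roots: roots, RequiredOU: "Managed-Devices", DNSSuffix: ".corp.example"}
	return map[string]error{
		"trusted-device":  AuthorizeDevice(IssueDeviceCert(corpCA, corpKey, 10, "laptop-01", "Managed-Devices", "laptop-01.corp.example"), policy),
		"wrong-ou":        AuthorizeDevice(IssueDeviceCert(corpCA, corpKey, 11, "laptop-02", "Contractors", "laptop-02.corp.example"), policy),
		"untrusted-chain": AuthorizeDevice(IssueDeviceCert(rogueCA, rogueKey, 12, "laptop-03", "Managed-Devices", "laptop-03.corp.example"), policy),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Only the "trusted-device" leaf passes; the other two are rejected for the wrong OU and for chaining to a CA outside the trusted pool. The point for the migration discussed here is that none of these checks consult a directory: whatever attribute the ISE condition keys on must already be stamped into the certificate by the issuing template, and the trusted CA set must be limited to the issuer that enforces that template.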
10-23-2024 04:06 AM - edited 10-23-2024 04:07 AM
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-1884295217 This seems to show it is now possible after fixing the bug CSCwd34467?
10-23-2024 02:12 PM
Yes, as stated in that document it is possible to use TEAP(EAP-TLS) with the User authorization against Entra ID. It is still currently not possible to perform authorization of a Device against Entra ID (also stated in that document).
10-24-2024 08:47 AM
Hi @Greg Gibbs - Is device authorisation going to be supported with ISE, i.e. the ability to look up the basic device object in Entra during EAP-TLS/TEAP-TLS auth using the device's GUID to check that a) it's a present/valid object and b) to return any device attributes to allow ISE to select an appropriate result, or is this purely a limitation in Entra that is not going to be changed any time soon?
10-24-2024 08:58 AM
Just checked with a TME:
I got this response today from a Cisco SE for ISE....
Device authorization in Entra ID is planned for 3.4 Patch 2 (but could slip, all normal patch caveats apply)
10-24-2024 09:10 AM - edited 10-24-2024 09:12 AM
Hi all,
I read in a "what's new in ISE 3.4 ..." series, that Machine authorization, in Entra ID, will be supported in 3.4 patch 2 (which is planned for Q1/2025).
Can't find back the link for source though.
10-24-2024 03:19 PM
In general, this is something the developers are working on for an enhancement but implementing it has proven much more difficult than originally expected due to the difficulty of identifying a computer versus user session purely by the certificate presented as certificate templates vary from customer to customer.
While the current target may be for 3.4 patch 2, these dates should not be expected, as development is still in progress and extensive testing will likely need to be done to ensure the changes do not affect other functions.