ISE Integration with Entra-joined Devices/Users

GregoryLeggett
Level 1

My organization is working on a migration path to Win11 (Entra joined), with hybrid user accounts. According to the posting below, TEAP (EAP-TLS) is not supported for Computer authentication or EAP-Chaining.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

I have two questions about this:

  1. Is this a limitation of ISE or of Windows 11 being Entra joined? If ISE, could you please explain why EAP-Chaining and computer authentication are not supported?
  2. We are currently using TEAP to solve the "chicken and egg" problem outlined in the posting below. If TEAP cannot be used in an Entra joined environment, then what options are available to ensure that a user logging into a computer for the first time is able to build a user profile with certificate issuance, for user authentication?
    EAP-TEAP: First time user login/chicken & egg scenario 

@Greg Gibbs

12 Replies

Greg Gibbs
Cisco Employee

Authorization of an Entra Joined Device is not currently possible in ISE, and neither is EAP Chaining of an authenticated User session and Computer session. This is specifically stated in the ISE 3.2 Release Notes.

With Windows 11, most organisations are moving from the legacy on-corporate-network PC staging/build process that is controlled by SCCM and uses the PXE boot process to a Windows Autopilot process. For Autopilot, the user would just need a bare internet connection to complete the build, so this could potentially be accomplished by connecting to a Guest BYOD portal or hotspot of some kind. Part of the Autopilot process would be enrolment with Intune, which would also enrol the Device/User certificates, after which point the user could connect to the secure Corporate network.

Hi @Greg Gibbs,

I've been asked to migrate our ISE deployment from traditional AD to Entra ID.
I read the following document: "Configure ISE 3.0 REST ID with Azure Active Directory" at this link: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

But it is using EAP-TTLS, and I'm wondering if I can still use EAP-TLS as in my current working setup...
Furthermore, as I understand it, REST ID is the only method to integrate Cisco ISE with Entra ID.

Then I found this guide, "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory":
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html#toc-hId--1070241705

and it is using EAP-TLS, so I'm a little bit confused about what to do....

Am I able to integrate ISE and Entra ID but using EAP-TLS instead of EAP-TTLS in my authorization rules?

thank you

bye

Yes, as stated in the "Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory" guide you referenced, you can use the REST ID function in ISE version 3.2 and higher to authorize a User against Entra ID. The Entra ID App Registration configuration would be the same as shown in the "Configure ISE 3.0 REST ID with Azure Active Directory" guide, except you would not need to enable the ROPC option shown in Step/Figure 9 of that document.

You might also see this blog for current options related to ISE and Entra ID.
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

Hi,
The more I read the document, the more confused I get.
These are my current rules:

[screenshot: MaErre21325_2-1725356121607.png]

In order to migrate them I should refer to the "Authentication/Authorization of an Entra Joined Device using EAP-TLS" guide (we do device authentication by checking if the certificate is issued by our CA, and then for the authorization we check if the device matches the AD groups).
For the authorization rule I only need to add the policy value as per the following screenshot:

[screenshot: MaErre21325_0-1725355675826.png]

In this case I don't need to configure the REST ID function, am I correct? In this way ISE should check only if this value matches the value I want.

Thank you

Bye


There is currently no comparable authorization of a Device group/attribute against Entra ID as your current use case with AD. If all you are planning to do is Authenticate and Authorize a Device based simply on values in the certificate it presents to ISE for EAP-TLS and trust of that certificate chain, then you would not need any integration with Entra ID.

I would like to migrate the rules as similarly as possible.
Given the limitations of Entra ID, it seems to me that the only similar way is to check certain values within the certificate, but those values have to be created first on Entra ID. So yes, there is no direct integration with Entra ID; however, those parameters on the certificates have to be congruent between ISE and Entra ID.
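The approach discussed in the last two posts (authenticate the device by trust of its certificate chain and authorize it purely on values inside the presented certificate, with no Entra ID lookup) as an added Python example. This is not code from the thread, from Cisco or from ISE itself: it models ISE-style first-match authorization rules over constructed certificate attributes, and it also shows the problem raised later in the thread, namely that telling a computer session from a user session by certificate fields alone only works while the certificate templates stay disjoint. The issuing-CA name, domain suffix, rule names and sample certificates are all placeholders I made up for the example.

```python
"""Certificate-value authorization rules in the style of an ISE policy set.

Added example, not part of the forum thread or of ISE.  The issuer check
below stands in for the chain validation ISE performs at EAP-TLS
authentication time; the rules then key only on certificate attributes.
"""
from dataclasses import dataclass, field


@dataclass
class CertAttrs:
    """Attributes extracted from an EAP-TLS client certificate (constructed)."""
    subject_cn: str
    issuer_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_upn: list = field(default_factory=list)   # otherName UPN SAN entries


# Assumption: placeholder issuing-CA name and corporate domain suffix.
TRUSTED_ISSUERS = {"Contoso-Issuing-CA"}
CORP_DNS_SUFFIX = ".corp.example"
CORP_UPN_SUFFIX = "@corp.example"


def classify_session(cert: CertAttrs) -> str:
    """Guess 'machine' or 'user' from the certificate alone.

    This only works while the templates are disjoint: machine template puts
    a DNS SAN and no UPN, user template puts a UPN and no DNS SAN.  A template
    that emits both (or neither) gives 'unknown', which is exactly the
    difficulty described for Entra ID machine authorization.
    """
    has_dns = bool(cert.san_dns)
    has_upn = bool(cert.san_upn)
    if has_dns and not has_upn:
        return "machine"
    if has_upn and not has_dns:
        return "user"
    return "unknown"


def _is_trusted(cert: CertAttrs) -> bool:
    """Placeholder for chain trust established during authentication."""
    return cert.issuer_cn in TRUSTED_ISSUERS


# Ordered (name, condition, result) rules, evaluated top-down, first match wins.
RULES = [
    ("Corp-Machine",
     lambda c: _is_trusted(c) and classify_session(c) == "machine"
     and all(d.lower().endswith(CORP_DNS_SUFFIX) for d in c.san_dns),
     "PERMIT-MACHINE-VLAN"),
    ("Corp-User",
     lambda c: _is_trusted(c) and classify_session(c) == "user"
     and all(u.lower().endswith(CORP_UPN_SUFFIX) for u in c.san_upn),
     "PERMIT-USER-VLAN"),
]


def authorize(cert: CertAttrs) -> tuple:
    """Return (rule name, result); anything unmatched hits the default deny."""
    for name, condition, result in RULES:
        if condition(cert):
            return name, result
    return "Default", "DENY"


# Constructed sample certificates.
MACHINE_CERT = CertAttrs("LAPTOP-01.corp.example", "Contoso-Issuing-CA",
                         san_dns=["LAPTOP-01.corp.example"])
USER_CERT = CertAttrs("Jane Doe", "Contoso-Issuing-CA",
                      san_upn=["jane.doe@corp.example"])
# A template that carries both a DNS SAN and a UPN: device or user session?
AMBIGUOUS_CERT = CertAttrs("LAPTOP-02.corp.example", "Contoso-Issuing-CA",
                           san_dns=["LAPTOP-02.corp.example"],
                           san_upn=["jane.doe@corp.example"])
# Valid-looking names, but issued by a CA that is not trusted.
UNTRUSTED_CERT = CertAttrs("LAPTOP-03.corp.example", "Some-Other-CA",
                           san_dns=["LAPTOP-03.corp.example"])

SAMPLES = {
    "machine": MACHINE_CERT,
    "user": USER_CERT,
    "ambiguous": AMBIGUOUS_CERT,
    "untrusted": UNTRUSTED_CERT,
}


def evaluate_samples() -> dict:
    """Run every sample through the policy and return the decisions."""
    return {label: authorize(cert) for label, cert in SAMPLES.items()}


if __name__ == "__main__":
    for label, (rule, result) in evaluate_samples().items():
        print(f"{label:10s} -> {rule:13s} {result}")
```

The ambiguous sample falls through to the default deny, not because the certificate is untrusted but because a policy built only on certificate values cannot decide whether it is a computer or a user session once the templates overlap; that is the gap an Entra ID device lookup would close.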

Yes, as stated in that document, it is possible to use TEAP (EAP-TLS) with the User authorization against Entra ID. It is still currently not possible to perform authorization of a Device against Entra ID (also stated in that document).

Hi @Greg Gibbs - Is device authorisation going to be supported with ISE, i.e. the ability to look up the basic device object in Entra during EAP-TLS/TEAP-TLS auth using the device's GUID to check that a) it's a present/valid object and b) to return any device attributes to allow ISE to select an appropriate result, or is this purely a limitation in Entra that is not going to be changed any time soon?

Just checked with a TME:

I got this response today from a Cisco SE for ISE....

Device authorization in Entra ID is planned for 3.4 Patch 2 (but could slip, all normal patch caveats apply)

[screenshot: ISE 3.4 P2 - Machine Authz in Entra ID.png]

Hi all,

I read in a "what's new in ISE 3.4 ..." series, that Machine authorization, in Entra ID, will be supported in 3.4 patch 2 (which is planned for Q1/2025).

I can't find the link to the source anymore, though.

In general, this is something the developers are working on as an enhancement, but implementing it has proven much more difficult than originally expected due to the difficulty of identifying a computer versus user session purely by the certificate presented, as certificate templates vary from customer to customer.

While the current target may be 3.4 patch 2, these dates should not be expected, as development is still in progress and extensive testing will likely need to be done to ensure the changes do not affect other functions.