Solved: Re: ISE Integration with Entra-joined Devices/Users - Page 2

GregoryLeggett · ‎04-05-2024

My organization is working on migration path to Win11 (Entra joined), with hybrid user accounts. According to the below posting, it was mentioned that TEAP (EAP-TLS) is not supported for Computer authentication or EAP-Chaining.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune

I have two questions about this;

Is this a limitation of ISE or with Windows11 being Entra joined? If ISE, could you please explain why EAP-Chaining and computer authentication are not supported?
We are currently using TEAP to solve the "chick and egg" problem outlined in the below posting. If TEAP cannot be used in an Entra joined environment, then what options are available to ensure that a user logging into a computer for the first time is able to build a user profile with certificate issuance, for user authentication?
EAP-TEAP: First time user login/chicken & egg scenario

@Greg Gibbs

Greg Gibbs · ‎02-16-2025

The feature for Device Authorization against Entra ID is no longer expected to be available until the release of ISE 3.5. No ETA can be provided, but you're likely looking at around June-July timeframe. It will likely be back-ported to a patch in 3.4 that will release after the FCS of 3.5.

KelvinT · ‎02-17-2025

Thanks for the info Greg.

Kenny Thompson · ‎09-02-2025

Hi Greg,

Has this feature for EAP chaining (Device and User Authentication) now been added to ICE 3.5. Can you share a link to relevant documentation that shows support with Entra ID.

shujath M syed · ‎10-13-2025

Does IdP feature work with Cisco ISE essentials (version 3.3) ? I am trying to point cisco ISE towards an external Entra ID for guest user auth on a guest SSID (this is mainly users still sitting in same site after network separation).

Greg Gibbs · ‎10-13-2025

This is not directly related to the original topic. In future, please open a new discussion and keep one topic per discussion.

The use case you describe would fall under basic 'AAA and 802.1x' and 'Guest' feature sets, so it would be covered by the Essentials licensing.

hasitha siriwardhana · ‎03-14-2025

Hi ,

I am bit confused... if TEAP(EAP-TLS) and EAP-FAST(EAP-TLS) with EAP Chaining are supported for this Entra AD flow from ISE 3.2 patch 5 and ISE 3.3 patch 1 due to the fix implemented by bugID CSCwd34467

Then what is the use case of Machine authentication function going to be release on ISE 3.5. Without ISE 3.5 can we use this ?

JPavonM · ‎09-03-2025

I have found the Release Notes for 3.5 even when they are not referenced in Cisco URL:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/release_notes/cisco-identity-services-engine-release-notes-35.html

See this section:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-5/admin_guide/b_ise_admin_3_5/b_ISE_admin_asset_visibility.html#task_hbc_rwl_qtb