ISE Join with Azure AD Directory Services

packet2020
Level 1

Hi All,

I am currently looking at options to integrate ISE with Azure AD. From my basic understanding, Azure AD Domain Services supports traditional join operations to support legacy services. If we were to migrate to Azure AD, can ISE join Azure AD Directory services in the same way that it would with an on-prem AD server? Is this supported?


14 Replies

dalbanil
Cisco Employee

Hello packet2020, it is possible. Here you have an excellent document that guides you on how to do it; it also contains examples of the policies on ISE that you could use for authorization. Let me know if this helped.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.pdf


Hi @dalbanil 

Thanks for the reply, however this is not quite what I am asking. The above document is to integrate ISE with Azure AD using REST with ROPC. What I want to know is if we can join ISE to Azure AD Domain Services in the same way that we do today with traditional on-prem AD (configured under External Identity Sources -> Active Directory)? I'm aware that Azure AD DS has some limitations, however do these impact ISE join?


Great question.  Is this the same thing as a "hybrid" Azure AD environment or a totally separate thing?  Is there still an on-premise AD footprint?

This would be in the absence of on-prem AD, so cloud only and no hybrid. So we would have Azure AD with an Azure AD Domain Services managed domain.

Windows servers can join the Azure AD DS managed domain so I would be interested to know if ISE can as well.

From what I can tell based on the documentation and installing Azure AD DS in my lab, AADDS is simply a SaaS offering by Azure for traditional Active Directory. Rather than have an IaaS deployment in the cloud where you manage the OS and deploy your own traditional Active Directory services, with AADDS the OS is managed by MS and you just have the limited control over the traditional AD services.

I was successfully able to perform the following actions in ISE using my AADDS managed domain. The functionality worked the same as with a normal traditional AD deployment on-prem or in the cloud (IaaS).

  • Create an AD join point and join my ISE node to the domain
  • Add cloud-only AD groups defined in Azure AD
  • Perform a Test User lookup for a cloud-only user account in Azure AD
  • Configure Admin Access for the ISE GUI to use my AD join point, map an Azure AD group to the Super User RBAC role, and login to the ISE GUI using a cloud-only AD user account (member of the group).


Is this still valid? I am trying to add Entra ID as a join point in Cisco ISE and I get the following error. I am trying to add this under External Identity Sources -> Active Directory. There is no domain controller for Entra ID and I am getting this error that it can't find the domain name. Do I need to add Entra ID in a different way?

Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049

Detailed Log:

Error Description :
Failed to find domain controller in domain xyz.COM : domain does not exists in DNS

Are you referring to Entra Domain Services (which is what the original discussion was about) or Entra ID?

If you're referring to Entra ID, there is no 'domain' to join. Entra ID is not Active Directory. For supported use cases with ISE related to Entra ID, see Cisco ISE with Microsoft Active Directory, Entra ID, and Intune
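The "domain does not exist in DNS" error above comes from the AD domain-controller locator, which finds DCs through DNS SRV records. As an added example (not from this thread or from Cisco), this POSIX shell check queries those records for a domain name before creating a join point; an Entra ID tenant alone publishes none, while Entra Domain Services does. The domain name is a placeholder you replace.

```shell
#!/bin/sh
# Added example: verify the DNS SRV records that an Active Directory join
# (including an ISE AD join point) relies on to locate domain controllers.

# Turn "priority weight port target." lines from `dig +short SRV` into
# one bare DC hostname per line (trailing dot removed). Malformed lines
# that do not have exactly four fields are ignored.
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Query the DC locator records for a domain and print any DCs found.
# Returns 0 if at least one DC record exists, 1 otherwise.
check_dc_srv() {
    domain="$1"
    found=1
    for svc in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
        targets=$(dig +short SRV "${svc}.${domain}" 2>/dev/null | parse_srv_targets)
        if [ -n "$targets" ]; then
            printf '%s.%s ->\n%s\n' "$svc" "$domain" "$targets"
            found=0
        else
            # This is the situation behind LW_ERROR_FAILED_FIND_DC.
            printf '%s.%s -> no SRV records\n' "$svc" "$domain"
        fi
    done
    return $found
}

# Usage (placeholder domain): check_dc_srv aaddscontoso.example
```

Run it from a host that uses the same DNS servers as the ISE node, since the join point resolves through ISE's configured DNS, not yours.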

I am referring to Entra ID join. I am using ISE 3.3 in Azure for NAC. Do I need to join them to Entra ID or can I just do it without? I am using 802.1X EAP-TLS machine cert for auth using the cert connector. So do I need to join Entra ID in ISE or can I do it without? How will I integrate Entra ID with Cisco ISE? If I don't integrate, how will auth happen?

All of the currently supported options for ISE Authentication/Authorization using Entra ID are described in the document I shared in the prior thread.

Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

Hi Greg,


How are you able to do point #2? I am using on-prem AD joined to Entra ID. My ISE is joined to the on-prem AD, and I can retrieve cloud-only AD groups defined in Azure AD to my on-prem AD join point. Right now, I am able to integrate Entra ID through REST ROPC, but I am not able to retrieve groups. I suspect this is because I logged into the ISE GUI through a local admin and it's using that account to try to retrieve the group, which is not in Azure. I believe your solution will solve it, but I'm unclear how to retrieve the cloud-only AD group so I can use the user in that group to log in to ISE. Please kindly explain how I can achieve this... I have been stuck with this issue for days. Thanks

I'm not sure I understand your question. The Entra ID Connector only syncs traditional Active Directory groups into Entra ID. There is no sync of Users/Groups created directly in Entra ID back into Active Directory.

[Embedded video] Speaker: Greg Gibbs, Cisco Security Architect. Chapters: 00:00 Intro; 02:23 Traditional Active Directory vs Azure Active Directory; 05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined; 07:00 Intune MDM Enrollment Options; 09:08 Windows Autopilot; 10:04 Windows Self-Service Out-of-Box Experience (OOBE) ...

TCPIP2024
Level 1

Hello,

I have set up an ISE 3.4 and successfully integrated Entra ID via ROPC REST. However, when testing Wi-Fi authentication with EAP-TTLS, it fails.

In the RADIUS logs, I can see that the connection to my REST ID is successful, but then the authentication fails with the following resolution message:

"Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is properly installed in the client's supplicant. Check the previous steps in the log for this EAP-TTLS conversation for a message indicating why the authentication failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information."

I have checked my certificates, and they are all active. However, I can't find where the local certificates are stored in this version 3.4.

Notably, when I set up the same configuration on ISE 3.0 (patch 8), I had no certificate-related issues.

Does anyone have an idea of what might be causing this issue?

Thanks in advance for your help!

This is off the topic of the original post. In the future, please start a new conversation for new questions and keep one topic per post.

The path in the error is a cosmetic issue. This should refer to the Administration > System > Certificates > Certificate Management > System Certificates page.

This error typically indicates that the supplicant does not trust the EAP certificate presented by the server (ISE). Confirm that the Windows endpoint has the Root and Intermediate certificates that signed the ISE EAP cert in the relevant trust stores and that the supplicant is configured to trust them.

If you are still having issues, please start a new conversation and post screenshots of your certificate store, supplicant configuration, and ISE EAP cert chain or open a TAC case to investigate further.