05-21-2024 11:29 AM
Hello,
My company is currently migrating from on-prem AD to Entra ID. Currently we have both set up in ISE. Both are generally working, but I am working through a group query issue with Entra ID. I have two separate policy sets: the old one for AD on-prem and the new one for Entra ID. I manually add the calling-station-id to the policy condition to specify the computers that I want to hit the Entra ID policy set. For the Entra ID policy set I have an authorization rule set up with a few parameters, one of them being the Entra group name. The group name in use is IT. This policy is called IT-Network Access. The issue I run into is that my test computer will sometimes hit the IT-Network Access policy and sometimes will not. I did some digging and I can see on the Authentication detail report there are always 3 AD-Groups-Names retrieved, but they seem to change on each auth attempt since my account matches more than three groups. Sometimes the IT group will show in my authentication detail, and those sessions hit my IT-Network Access authorization rule. On the auth sessions where I do not hit this policy, the IT group will not be in my authentication detail, but 3 other groups will be there. Some of these groups that are populated are the on-prem AD groups and some are the Entra ID ones. My workaround was to add more groups, both AD and Entra, to my authorization policy; however, I feel like that could get a little messy once I add more authorization policies for the different access cases.
The queries are based on the subject name provided in the cert (EAP-TLS). My subject name will technically be matched in AD and Entra. I want to limit auth sessions for this policy set to only query the Entra ID groups. Is that possible to control?
05-21-2024 03:28 PM
Based on the scenario, I'm assuming you're using ISE 3.2 or higher. For the authorization, ISE uses the REST ID to make a call to the MS Graph API and retrieve the group memberships and/or user attributes to compare against the matching conditions in the authZ policy. There is no way for ISE to determine what groups are configured solely in Entra ID and which are synced from traditional AD.
I would suggest opening a TAC case to investigate this issue as this could be some limitation/bug on the info provided by the REST ID call to the Graph API. TAC will likely need to enable some of the debug/trace logs to determine exactly what info ISE is getting back from the Graph API.