ISE Support for Cloud AD Domain in Azure

jmcgourt@cisco.com
Cisco Employee

Hi, can you please advise if ISE supports using a cloud AD domain in Azure?

Thanks.

Accepted Solutions

Arne Bier
VIP

Hi jmcgourt@cisco.com

I think this might be the third person this week who has asked the question :-) The answer is a resounding NO. ISE has no native ability to connect to Azure because it expects the AD Join to be a real domain controller. If you spin up a Windows VM in Azure, make that a domain controller and point ISE to it, then I guess that would work. Not cloud-native - probably cost prohibitive and not clever.

Having said that, you can use Secure LDAP to talk to any generic LDAP server, and Azure AD has an LDAP interface. But be careful, because LDAP does not lend itself to complex password authentication schemes beyond PAP/GTC. Any password scheme that involves a challenge/handshake will not work (e.g. CHAP, MS-CHAPv2, etc.). You could tie into Azure with LDAP to check an EAP-TLS cert's attribute (e.g. look up whether a user is a member of a Group or whether the user even exists in Azure - because these lookups don't involve passwords).

From the ISE Admin Guide:

[Image: ISE-Admin-Guide-Matrix.PNG]


regards

Arne
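To make the PAP-versus-challenge/handshake point above concrete, here is an added example (not part of the thread or of ISE) that models an LDAP-style backend as "simple bind plus attribute lookup" and shows why PAP and a group lookup can be backed by it while a challenge/response method cannot. CHAP (RFC 1994) stands in for the challenge/handshake family because its digest fits in one line; the user records, group name and store classes are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed user records standing in for a directory. Only this toy store
# holds the cleartext; a real LDAP directory never returns it over a bind.
USERS = {"alice": {"password": "correct horse", "memberOf": ["vpn-users"]}}

class LdapLikeStore:
    """Models a generic LDAP backend: simple bind and attribute lookup only."""
    def bind(self, user, password):
        rec = USERS.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def member_of(self, user, group):
        # No password involved, which is why this works for EAP-TLS authorization.
        rec = USERS.get(user)
        return rec is not None and group in rec["memberOf"]

class ChallengeCapableStore(LdapLikeStore):
    """Models a store that can hand the RADIUS server the secret (or a usable
    hash of it), which is what recomputing a challenge/response answer needs."""
    def secret_for(self, user):
        rec = USERS.get(user)
        return None if rec is None else rec["password"]

def chap_response(ident, secret, challenge):
    """Client-side CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticate(store, method, user, creds):
    """Return 'accept', 'reject' or 'unsupported' for this store/method pair."""
    if method == "PAP":
        # The cleartext password arrives, so forwarding it in a bind suffices.
        return "accept" if store.bind(user, creds["password"]) else "reject"
    if method == "CHAP":
        # Verification means recomputing the digest, which needs the secret
        # itself; a bind-only store has no operation that supplies it.
        if not hasattr(store, "secret_for"):
            return "unsupported"
        secret = store.secret_for(user)
        if secret is None:
            return "reject"
        expected = chap_response(creds["id"], secret, creds["challenge"])
        return "accept" if hmac.compare_digest(expected, creds["response"]) else "reject"
    raise ValueError(f"unknown method {method}")

def demo():
    challenge = os.urandom(16)
    chap = {"id": 1, "challenge": challenge,
            "response": chap_response(1, "correct horse", challenge)}
    ldap, ad_like = LdapLikeStore(), ChallengeCapableStore()
    return {"pap_ldap": authenticate(ldap, "PAP", "alice", {"password": "correct horse"}),
            "chap_ldap": authenticate(ldap, "CHAP", "alice", chap),
            "chap_ad_like": authenticate(ad_like, "CHAP", "alice", chap),
            "group_ldap": ldap.member_of("alice", "vpn-users")}
```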
