Clarification on Integrating Entra ID with Cisco ISE using REST API and Microsoft Graph
I need clarification on the process of integrating Microsoft Entra ID with Cisco ISE (version 3.3) using the REST API and Microsoft Graph.
Current Setup:
- Users are currently authenticated using machine-based authentication.
- Machines are running Windows 10 and 11.
- The organization wants to transition from on-premises authentication to Entra ID for Windows 11 machines.
Planned Approach:
- Integrate Microsoft Entra ID via REST API.
- Create a Certificate Authentication Profile (CAP) in Cisco ISE.
- Ensure authentication is processed using Entra ID as the identity provider.
Issue:
- The Common Name (CN) in the user certificates is registered under a different domain than the User Principal Name (UPN) in Microsoft Entra ID.
- This could potentially cause authentication failures.
Questions:
- Will authentication fail due to the CN and UPN mismatch?
- Is there a way to configure Cisco ISE to check multiple domains for UPN verification?
- Can Cisco ISE be configured to map CN to UPN dynamically across multiple domains?
Any insights or recommendations on handling this scenario would be appreciated.
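To make the CN/UPN question concrete, here is an added example (not code from the post, from Cisco ISE, or from Microsoft) that shows why a certificate identity issued under one domain does not match an Entra ID `userPrincipalName` under another, and how a per-domain mapping table or the `onPremisesUserPrincipalName` attribute can reconcile the two before cutover. The user list, domains and `DOMAIN_MAP` are constructed sample data; only `userPrincipalName` and `onPremisesUserPrincipalName` are real Graph user attributes, and the mapping table is an assumption the admin would have to maintain, not an ISE feature.

```python
# Illustration of the CN-vs-UPN mismatch; all names are constructed sample data.
from urllib.parse import quote

# Constructed stand-in for a Microsoft Graph /users export (real attribute names).
ENTRA_USERS = [
    {"userPrincipalName": "jdoe@contoso.com",
     "onPremisesUserPrincipalName": "jdoe@corp.local"},
    {"userPrincipalName": "asmith@contoso.com",
     "onPremisesUserPrincipalName": "asmith@corp.local"},
]

# Assumed mapping from the domain found in the certificate CN/SAN to the Entra
# UPN suffix.  This table is the admin's reconciliation work, not an ISE setting.
DOMAIN_MAP = {"corp.local": "contoso.com"}

def graph_upn_filter(upn: str) -> str:
    """Graph $filter string for an exact-UPN lookup (OData escapes ' as '')."""
    escaped = upn.replace("'", "''")
    return "$filter=" + quote(f"userPrincipalName eq '{escaped}'")

def candidate_upns(cert_identity: str, domain_map: dict) -> list:
    """UPNs worth checking for a certificate identity of the form user@domain."""
    if "@" not in cert_identity:
        return []                      # bare CN: no domain to map, so no UPN candidate
    user, domain = cert_identity.rsplit("@", 1)
    domain = domain.lower()
    cands = [f"{user}@{domain}"]       # exact match is tried first
    if domain in domain_map:
        cands.append(f"{user}@{domain_map[domain]}")   # mapped domain second
    return cands

def resolve(cert_identity: str, users=ENTRA_USERS, domain_map=DOMAIN_MAP):
    """Return (matched_upn, attribute_that_matched) or (None, reason)."""
    by_upn = {u["userPrincipalName"].lower(): u for u in users}
    by_onprem = {u.get("onPremisesUserPrincipalName", "").lower(): u for u in users}
    for cand in candidate_upns(cert_identity, domain_map):
        if cand.lower() in by_upn:
            return by_upn[cand.lower()]["userPrincipalName"], "userPrincipalName"
    # Fallback: the legacy identity may still be present on the synced user object.
    ident = cert_identity.lower()
    if ident in by_onprem:
        return by_onprem[ident]["userPrincipalName"], "onPremisesUserPrincipalName"
    return None, "no Entra ID user matches the certificate identity"
```

Running `resolve` over an export of certificate identities and a Graph user export shows which users would fail an exact-UPN match and which domain mappings are needed before the cutover.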