ISE integration with AD on Azure for Authentication

Karim Bellassoued
Cisco Employee

Hi team,

I just wanted to confirm if we can use Active Directory on Azure for user authentication with ISE.

Thanks in advance for your help.

Best regards,


9 Replies

marce1000
VIP

- Yes, as a couple of the infos below will confirm:

    https://community.cisco.com/t5/identity-services-engine-ise/ise-integration-with-azure-ad/td-p/3805022

    https://community.cisco.com/t5/identity-services-engine-ise/ise-integration-with-azure-ad/td-p/3729550

M.

-- 'Good body every evening' - this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Thanks Marce1000 .

Hi @marce1000

I'd double-check that, since ISE does not allow Azure AD to be added as an external identity source. Yes, ISE does have SAML integration with Azure AD, but that is quite different from offering MSCHAPv2 authentication for things like EAP-PEAP authentication. As far as I know, you cannot use Azure AD for credential authentication for EAP-PEAP (even if you managed to get a Secure LDAP connection to Azure AD, the password challenge doesn't work over LDAP). You can, however, use it to perform Authorization (e.g. checking that user X is a member of an AD group).

Partner SEVT - Security last week updated this guidance, I believe, with the arrival of ISE 3.0. Need to confirm though myself.

netizenden, did you ever confirm if AD on Azure can be used for EAP authentication with ISE 3.0?

See a similar discussion here:

https://community.cisco.com/t5/network-access-control/ise-azure-ad/td-p/4150923

The short answer is that this can only be done directly via ROPC, which is very bleeding-edge and has its own caveats and limitations.

Greg Gibbs
Cisco Employee

Any integration with Azure AD would be done via SAML IdP and ISE does not currently support using a SAML IdP for endpoint authentication. SAML IdP is only supported for authentication of the following portals:

  • Guest portal (sponsored and self-registered)

  • Sponsor portal

  • My Devices portal

  • Certificate Provisioning portal

See the ISE Admin Guide for more information.

 

Cheers,

Greg

Hi Greg Gibbs,

After almost 3 years, is there any change in SAML IdP for endpoint authentication?

@stayd... No. SAML is browser-based, so it would require some significant updates to existing EAP protocols or a new EAP protocol to provide this functionality. This is not an ISE limitation, but rather an industry-wide limitation.

See this blog discussion for current options with ISE and Entra ID.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune