Introduction
This document describes how to configure and troubleshoot authorization policies in ISE based on Azure AD group membership with EAP-TLS or TEAP.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Identity Services Engine (ISE)
- Microsoft Azure AD, subscription, and apps
- EAP-TLS authentication
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ISE 3.2
- Microsoft Azure AD
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Since ISE 3.0 it is possible to leverage the integration between ISE and Azure Active Directory (Azure AD) to authenticate users and authorize them based on Azure AD groups and attributes through Resource Owner Password Credentials (ROPC). With ISE 3.2, you can also configure certificate-based authentication and authorize the users based on Azure AD group membership and other attributes. ISE queries Azure AD through the Microsoft Graph API to fetch the groups and attributes of the authenticated user; the lookup key is the certificate's Subject Common Name (CN), which is matched against the User Principal Name (UPN) on the Azure side.
Note: Certificate-based authentication can be either EAP-TLS or TEAP with EAP-TLS as the inner method. You can then select attributes from Azure AD and add them to the Cisco ISE dictionary; these attributes can be used in authorization rules. Only user authentication is supported.
Configure
Network Diagram
The next image provides an example of a network diagram and the traffic flow.
Procedure:
- The client certificate is sent to ISE through EAP-TLS, or through TEAP with EAP-TLS as the inner method.
- ISE validates the user's certificate (validity period, trusted CA, CRL, and so on).
- ISE takes the certificate Subject Common Name (CN) and queries the Microsoft Graph API with it to fetch the user's groups and other attributes. On the Azure side this value is the User Principal Name (UPN).
- ISE authorization policies are evaluated against the user's attributes returned from Azure AD.
Note: You must configure and grant the Graph API permissions to the ISE app in Microsoft Azure, as shown below:
Configurations
ISE Configuration
Note: ROPC functionality and the integration between ISE and Azure AD are out of the scope of this document. It is important that the groups and user attributes have already been added from Azure AD. See the configuration guide here.
Configure the Certificate Authentication Profile
Step 1. Navigate to the Menu icon located in the upper left corner and select Administration > Identity Management > External Identity sources.
Step 2. Select Certificate Authentication Profile and then click on Add.
Step 3. Define the name, set the Identity Store to [Not applicable], and select Subject – Common Name in the Use Identity From field. Select Never in the Match Client Certificate Against Certificate In Identity Store field.
Step 4. Click Save.
Step 5. Navigate to the Menu icon located in the upper left corner and select Policy > Policy Sets.
Step 6. Select the plus icon to create a new policy set. Define a name and select Wireless 802.1X or Wired 802.1X as the condition. The Default Network Access allowed protocols list is used in this example.
Step 7. Select the arrow next to Default Network Access to open the Authentication and Authorization policies of the policy set.
Step 8. Select the Authentication Policy option, define a name and add the condition Network Access EapAuthentication EQUALS EAP-TLS. If TEAP is the authentication protocol, add Network Access EapTunnel EQUALS TEAP instead. Select the Certificate Authentication Profile created in step 3 as the identity source and click Save.
Step 9. Select the Authorization Policy option, define a name and add an Azure AD group or user attribute as the condition. Under Results, choose the authorization profile or security group that fits the use case, and then click Save.
User Configuration
The Subject Common Name (CN) of the user certificate must match the User Principal Name (UPN) in Azure AD; otherwise ISE cannot retrieve the Azure AD group membership and user attributes that are used in the authorization rules. For the authentication itself to succeed, the root CA certificate and any intermediate CA certificates must be present in the ISE Trusted Certificates store.
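The following program is an added example and is not part of this document or of ISE; it reproduces the four steps of the Procedure section and the CN/UPN requirement above in code so the failure modes can be tried offline. It builds a constructed lab root CA and a user certificate whose CN is the user's UPN, validates the chain against a trusted store (an empty store stands in for a root CA missing from ISE Trusted Certificates), takes the Subject CN, looks it up in an in-memory directory that replaces the Microsoft Graph query, and evaluates a group-based rule. The UPNs, group names, the map standing in for Azure AD, and the lower-casing of the CN before the lookup are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-in for the Azure AD tenant (UPN -> group names).
// The real flow fetches this from Microsoft Graph; keys are lower-case here
// because the lookup below lower-cases the CN (assumption for this example).
var azureDirectory = map[string][]string{
	"alice@example.com": {"Network-Admins", "Employees"},
	"bob@example.com":   {"Employees"},
}

// issue creates a certificate from tmpl signed by parent, or self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildLabPKI returns a constructed lab root CA and a user certificate whose
// Subject CN is cn (the UPN) and whose validity ends at notAfter.
func buildLabPKI(cn string, notAfter time.Time) (root, user *x509.Certificate) {
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		panic(err)
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user, _, err = issue(userTmpl, root, rootKey)
	if err != nil {
		panic(err)
	}
	return root, user
}

// authorize walks the flow: validate the chain against the trusted store, take
// the Subject CN, look it up as a UPN, then evaluate a rule that requires
// membership in requiredGroup. Returns the authorization result or an error.
func authorize(user *x509.Certificate, trusted *x509.CertPool, requiredGroup string) (string, error) {
	// Step 2: validity period and trusted CA (CRL checking is not modelled here).
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	// Step 3: the Subject CN is the key for the directory (Graph) lookup.
	upn := strings.ToLower(user.Subject.CommonName)
	groups, ok := azureDirectory[upn]
	if !ok {
		return "", errors.New("authentication succeeded but no Azure AD user has UPN " + upn)
	}
	// Step 4: the authorization rule is evaluated against the fetched groups.
	for _, g := range groups {
		if g == requiredGroup {
			return "PermitAccess", nil
		}
	}
	return "DenyAccess", nil
}

func main() {
	root, alice := buildLabPKI("alice@example.com", time.Now().Add(time.Hour))
	trusted := x509.NewCertPool()
	trusted.AddCert(root) // the lab root is in the trusted store
	fmt.Println(authorize(alice, trusted, "Network-Admins"))
	// Same certificate, root CA missing from the trusted store: chain validation fails.
	fmt.Println(authorize(alice, x509.NewCertPool(), "Network-Admins"))
}
```

Run with `go run`; the first line prints PermitAccess and the second prints the chain-validation error. Swapping the CN for a value that has no matching UPN shows the second failure mode described above: authentication passes, but no groups come back and the authorization rule cannot match.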
Verify
ISE verification
In the Cisco ISE GUI, click the Menu icon and choose Operations > RADIUS > Live Logs to see the network authentications (RADIUS).
Click the magnifier icon in the Details column to view the detailed authentication report and confirm that the flow works as expected. Check these items:
- Verify Authentication/Authorization policies
- Authentication method/protocol
- User’s subject name taken from the certificate
- User groups and other attributes fetched from Azure directory
Troubleshoot
Enable Debugs on ISE
Navigate to Administration > System > Logging > Debug Log Configuration, select the PSN that serves the authentication, and set these components to the specified level:
Node | Component Name | Log Level | Log Filename
PSN | rest-id-store | Debug | rest-id-store.log
PSN | runtime-AAA | Debug | prrt-server.log
Note: When you are done with troubleshooting, remember to reset the debugs. To do so select the related node and click "Reset to Default".
Logs Snippets
The next excerpts show the last two phases of the flow described in the Network Diagram section:
- ISE takes the certificate Subject Common Name (CN) and queries the Microsoft Graph API with it to fetch the user's groups and other attributes. On the Azure side this value is the User Principal Name (UPN).
- ISE authorization policies are evaluated against the user's attributes returned from Azure AD.
Rest-id logs:
Prrt logs: