How Entra ID and Cisco ISE authentication works with TEAP/EAP-TLS

Tunnel Extensible Authentication Protocol (TEAP), defined in RFC 7170, can be used with ISE and Security Cloud Control for secure authentication.

Summary

The key components involved in this authentication process are:

  • User device: Presents its certificate through the EAP-TLS or TEAP protocol

  • ISE: Validates certificate and performs user lookup through Azure Graph API

  • Entra ID: Provides user attributes and group information for authorization

Workflow

When Cisco ISE authenticates a user against Entra ID using Tunnel Extensible Authentication Protocol, ISE first validates the certificate and then authenticates the certificate's common name (CN) with the Azure Graph API.

These stages describe how the authentication process works and are based on Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory:

  1. The user's certificate is sent to ISE through EAP-TLS or TEAP with EAP-TLS as the inner method.
  2. ISE evaluates the user's certificate (validity period, trusted certificate authority, certificate revocation list, and so on).
  3. ISE takes the certificate subject name (CN) and performs a lookup against the Azure Graph API to fetch the user's groups and other attributes. The CN value is what Azure refers to as the User Principal Name (UPN).
  4. ISE authorization policies are evaluated against the user's attributes returned from Azure.
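The following is an added example, not Cisco code, that models steps 2 to 4 above as a small decision function: local certificate checks first, then the CN used as the UPN for the directory lookup, then a group-based authorization rule. The trust store, CRL entries, directory contents, user names and group names are all constructed, and the Graph API call is replaced by an in-memory dictionary.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the fields ISE reads from the supplicant's parsed
# X.509 certificate (real ISE parses the certificate carried in EAP-TLS/TEAP).
@dataclass
class ParsedCert:
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    serial: int

TRUSTED_ISSUERS = {"CN=Contoso Issuing CA"}  # constructed ISE trust store
REVOKED_SERIALS = {0x1B2C}                   # constructed CRL entries
# Constructed stand-in for the groups Entra ID returns for a UPN (no real Graph call).
GRAPH_DIRECTORY = {"alice@contoso.com": ["VPN-Users", "Finance"],
                   "bob@contoso.com": ["Contractors"]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock

def sample_cert(cn, serial=1, issuer="CN=Contoso Issuing CA", expired=False):
    start = NOW - timedelta(days=400 if expired else 30)  # constructed validity window
    return ParsedCert(cn, issuer, start, start + timedelta(days=365), serial)

def validate_certificate(cert, now=NOW):
    """Step 2: checks ISE performs locally, before any Azure lookup."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if not cert.not_before <= now <= cert.not_after:
        return "outside validity period"
    if cert.serial in REVOKED_SERIALS:
        return "revoked"
    return None

def lookup_user(cn):
    """Step 3: the CN is used verbatim as the UPN; a non-UPN CN cannot resolve."""
    if "@" not in cn:
        return None
    groups = GRAPH_DIRECTORY.get(cn.lower())
    return None if groups is None else {"upn": cn.lower(), "groups": groups}

def authorize(cert, required_group="VPN-Users", now=NOW):
    """Steps 2-4: returns (decision, reason) like an ISE authorization result."""
    problem = validate_certificate(cert, now)
    if problem:
        return "REJECT", problem
    user = lookup_user(cert.subject_cn)
    if user is None:
        return "REJECT", "user not found in Entra ID"
    if required_group not in user["groups"]:
        return "REJECT", "no matching Entra ID group"
    return "PERMIT", f"member of {required_group}"
```

Note that a certificate whose CN is a hostname rather than a UPN passes every local check and still fails at the lookup stage, which is the case to look for first when an otherwise valid certificate is rejected.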