About Azure AD and Cisco ISE with TEAP/EAP-TLS

Tunnel Extensible Authentication Protocol (TEAP), defined by RFC 7170, can be used with ISE and the Cisco Defense Orchestrator as follows:

Authentication between Cisco ISE and Azure AD using Tunnel Extensible Authentication Protocol means that ISE first validates the certificate and then authenticates the certificate's common name (CN) against the Azure Graph API.

The following is based on Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory:

  1. The user's certificate is sent to ISE through EAP-TLS or TEAP with EAP-TLS as the inner method.

  2. ISE evaluates the user’s certificate (validity period, trusted certificate authority, certificate revocation list, and so on).

  3. ISE takes the certificate subject name (CN) and performs a look-up against the Azure Graph API to fetch the user's groups and other attributes. Azure refers to this CN value as the User Principal Name (UPN).

  4. ISE authorization policies are evaluated against the user’s attributes returned from Azure.
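The four steps above, modelled end to end as an added example; this is not code from the page, from Cisco ISE, or from Microsoft. It assumes a minimal certificate model (a real implementation would parse X.509 and fetch the CRL), a `fetch` callable standing in for ISE's Graph API client, and a constructed directory (`example.com` users, `Example Issuing CA`, the groups and serial numbers) served offline. The `/users/{upn}` and `/users/{upn}/memberOf` paths are real Microsoft Graph v1.0 endpoints, but the responses here are simplified and constructed. The example also handles the failure modes implied by steps 2 and 3: untrusted issuer, expired certificate, revoked certificate, a CN that matches no enabled Azure AD user, and a user whose groups match no authorization rule.

```python
"""Constructed model of the ISE / Azure AD EAP-TLS authorization flow."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


@dataclass(frozen=True)
class Certificate:
    # Only the fields ISE inspects in steps 2 and 3 are modelled here.
    subject_cn: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Rule:
    # One ISE authorization rule: required Azure AD group -> authorization profile.
    name: str
    required_group: str
    profile: str


def check_certificate(cert: Certificate, now: datetime,
                      trusted_issuers: set, crl: set) -> Optional[str]:
    """Step 2: return None if the certificate is acceptable, else the reason."""
    if cert.issuer not in trusted_issuers:
        return "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return "outside validity period"
    if (cert.issuer, cert.serial) in crl:   # CRL entries are (issuer, serial)
        return "certificate revoked"
    return None


def lookup_azure_user(upn: str, fetch: Callable[[str], Optional[dict]]) -> Optional[dict]:
    """Step 3: resolve the CN (treated as the UPN) to an enabled user and its groups."""
    user = fetch(f"{GRAPH_BASE}/users/{upn}")
    if user is None or not user.get("accountEnabled", False):
        return None                          # unknown or disabled account
    groups = fetch(f"{GRAPH_BASE}/users/{upn}/memberOf") or {"value": []}
    return {"upn": user["userPrincipalName"],
            "groups": {g["displayName"] for g in groups["value"]}}


def evaluate_policy(user: dict, rules: list) -> tuple:
    """Step 4: first matching rule wins; no match is an implicit deny."""
    for rule in rules:
        if rule.required_group in user["groups"]:
            return ("PERMIT", rule.profile)
    return ("REJECT", "no matching authorization rule")


def authenticate(cert: Certificate, now: datetime, trusted_issuers: set, crl: set,
                 fetch: Callable[[str], Optional[dict]], rules: list) -> tuple:
    """Steps 2-4 for a certificate that arrived via EAP-TLS or TEAP(EAP-TLS) (step 1)."""
    reason = check_certificate(cert, now, trusted_issuers, crl)
    if reason is not None:
        return ("REJECT", reason)
    user = lookup_azure_user(cert.subject_cn, fetch)
    if user is None:
        return ("REJECT", "no enabled Azure AD user for CN")
    return evaluate_policy(user, rules)


# --- constructed test fixtures (not real CA, users, or serial numbers) ---
TRUSTED_ISSUERS = {"CN=Example Issuing CA"}
CRL = {("CN=Example Issuing CA", 0x1002)}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PAST = datetime(2024, 3, 1, tzinfo=timezone.utc)       # a not_after already in the past
_DIRECTORY = {   # offline stand-in for Graph responses, keyed by request URL
    f"{GRAPH_BASE}/users/alice@example.com":
        {"userPrincipalName": "alice@example.com", "accountEnabled": True},
    f"{GRAPH_BASE}/users/alice@example.com/memberOf":
        {"value": [{"displayName": "Network-Admins"}]},
    f"{GRAPH_BASE}/users/bob@example.com":
        {"userPrincipalName": "bob@example.com", "accountEnabled": True},
    f"{GRAPH_BASE}/users/bob@example.com/memberOf":
        {"value": [{"displayName": "Contractors"}]},
}
RULES = [Rule("Admins", "Network-Admins", "Full-Access"),
         Rule("Staff", "Employees", "Employee-VLAN")]


def offline_fetch(url: str) -> Optional[dict]:
    return _DIRECTORY.get(url)            # None models a Graph 404


def make_cert(cn: str, serial: int = 0x1001, issuer: str = "CN=Example Issuing CA",
              not_after: datetime = datetime(2025, 1, 1, tzinfo=timezone.utc)) -> Certificate:
    return Certificate(cn, issuer, serial, datetime(2024, 1, 1, tzinfo=timezone.utc), not_after)


def run(cn: str, **cert_overrides) -> tuple:
    return authenticate(make_cert(cn, **cert_overrides), NOW, TRUSTED_ISSUERS, CRL,
                        offline_fetch, RULES)


if __name__ == "__main__":
    for cn in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(cn, run(cn))
    print("revoked:", run("alice@example.com", serial=0x1002))
    print("expired:", run("alice@example.com", not_after=PAST))
```

Because the CN is used verbatim as the Graph lookup key, a certificate whose CN is not a UPN (or whose UPN has no enabled account) is rejected at step 3 even though it passed validation in step 2; the `offline_fetch` returning `None` models that Graph 404.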