PSA: Cisco ISE integration doesn't support Bearer Token auth, and won't for a while

sdagley
Esteemed Contributor II

This is a heads up for any organization using the Jamf Pro integration with Cisco ISE...

According to the Cisco rep on a call I had a short time ago regarding Jamf's planned removal of Basic Authentication for the Classic API in the Very Near Future there is no support for Bearer Token authentication in Cisco ISE at this time (i.e. ISE 3.3), and they do not have a specific timeframe for when that support will be added but it isn't on the near-term roadmap.

If your organization relies on the Cisco ISE integration with Jamf Pro I'd suggest you contact your Jamf Customer Success Manager ASAP and let them know that removal of Basic Authentication prior to support being added in Cisco ISE would not be welcome.

I'd also suggest you open a TAC case with Cisco asking when they're going to implement Bearer Token authentication in ISE because it sure doesn't look like they consider it a priority given that Jamf has been saying for a over a year that Basic Authentication support was going to be removed.

Update 2024-05-08: After a discussion today with my org's Jamf ECSM it's clear Jamf understands that removing ISE's ability to use Basic Authentication (BA) for Classic API access prior to Cisco implementing support for Bearer Token (BT) authentication would not be welcome by customers utilizing the ISE integration and that will not be happing in the Very Near Future (the inference was that ISE will continue to have BA access but not other API clients). Now if we can get Cisco to provide an official statement on when they will provide BT authentication support in ISE...

4 REPLIES 4

AJPinto
Honored Contributor III

We have a couple of security tools that are in the same boat. I find it funny that security tools are the ones falling behind on authentication security. 

sdagley
Esteemed Contributor II

Yes, it's always interesting how some security tool vendors think every other deployment in the world should be driven by _their_ schedule.

AJPinto
Honored Contributor III

Exactly, and how some like Cisco fell they are too large to respect any timetables other than the ones they create. My company actually dumped Cisco last year, the right people got tired of the shenanigans. 

PE2000
Contributor II

According to Jamf

I'm going to try to bring a bit of clarity to this situation. We've tried communicating this to customers and Cisco, but the message seems to keep getting lost in translation.The removal of Basic Auth from the Classic API will have no effect on the Cisco ISE integration. The API that ISE uses with Jamf is outside the Classic API which has the basic auth deprecation on the way. We've been in constant communication with the Cisco ISE product teams assuring them of this.