Conditional Access & MFA for Cisco ISE Wi-Fi Authentication (Public Client Limitation)

Abrar Adil S 456 Reputation points
2026-01-25T18:19:57.4933333+00:00

We are using Cisco Identity Services Engine integrated with Microsoft Entra ID for corporate Wi-Fi authentication (802.1X).

Recently, we enabled MFA using Conditional Access for users. After enabling MFA, users connecting to Wi-Fi through Cisco ISE are not being prompted for MFA, and authentication behavior became inconsistent.

When we attempted to exclude the Cisco ISE enterprise application from MFA using an application-based Conditional Access exclusion, the policy could not be saved and resulted in the error:

PublicClientsAreUnsupported

Microsoft Support confirmed this behavior is by design, as Cisco ISE is treated as a Public Client, and Conditional Access does not support including or excluding Public Client applications at the enterprise application level.

What we have tested

  • Disabling MFA for an individual user allows Wi-Fi authentication to succeed
  • However, disabling MFA at the user level is not acceptable due to security risks

What is the recommended Conditional Access design for Cisco ISE Wi-Fi authentication when MFA is enforced tenant-wide?

Is using Client App conditions (Browser vs Mobile apps and desktop clients) the correct approach to avoid policy conflicts?


1 answer

  1. Alan La Pietra (CSA) 320 Reputation points Microsoft Employee
    2026-01-26T09:09:48.5566667+00:00

    The correct mental model (why this breaks)

    Cisco ISE does not perform an interactive user sign‑in:

    • No browser
    • No redirect
    • No modern OAuth flow with MFA challenges
    • No user presence during EAP authentication

    Therefore:

    • MFA can never succeed at Wi‑Fi join time
    • Entra ID classifies the authentication as:
      • Public client
      • Non‑interactive
      • Non‑browser
    • Conditional Access can only scope these flows by client app type, not by cloud app

    This exact limitation is documented and confirmed in Microsoft Q&A for Cisco ISE + Entra ID scenarios.

    Recommended Conditional Access design (Microsoft‑aligned)

    Split policies by Client App condition (not Cloud Apps)

    Yes — Client App conditions are the correct and supported approach.

    Policy A – Interactive user access (MFA enforced)

    Purpose: All normal user sign‑ins

    Assignments

    • Users: All users
    • Client apps:
      • Browser
      • Mobile apps and desktop clients

    Controls

    • Require MFA
    • (Optionally) Require compliant device

    This policy covers:

    • Office apps
    • Browser access
    • Teams
    • Outlook
    • Azure Portal

    This policy works as expected.

    Policy B – Non‑interactive / legacy / EAP flows (MFA excluded)

    Purpose: Allow Cisco ISE Wi‑Fi authentication to continue

    Assignments

    • Users: All users
    • Client apps:
      • Other clients
      • Exchange ActiveSync clients (if needed)
      • Legacy authentication clients (optional but recommended to scope carefully)

    Controls

    • Do not require MFA
    • Optional: require trusted location (see below)

    This is the only supported way to prevent MFA from breaking Cisco ISE authentication without disabling MFA per-user.

    Microsoft explicitly states that public clients cannot be included/excluded at the cloud app level; therefore, client app type is required.

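The two-policy split described in the answer above, as an added example that is not part of the question, the answer or Microsoft's documentation: the policies are written in the Microsoft Graph conditionalAccessPolicy JSON shape, and a small check flags any enabled MFA policy whose client app scope still includes the "all" or "other" client app types, which is how a tenant-wide MFA policy reaches the Cisco ISE EAP flow. Assumed: users and cloud apps are "All", and Policy B's optional trusted-location control is rendered as a block for sign-ins outside trusted named locations.

```python
"""Lint Entra Conditional Access policies (Microsoft Graph JSON shape) for MFA
grants that also reach the non-interactive 'Other clients' flow that Cisco ISE
EAP authentication falls into.  All sample policies below are constructed."""

# Client app type values whose scope includes non-interactive/EAP sign-ins.
NON_INTERACTIVE_CLIENT_APPS = {"all", "other"}


def policy(name, client_apps, controls, locations=None):
    """Build a conditionalAccessPolicy body for all users and all cloud apps."""
    conditions = {"users": {"includeUsers": ["All"]},
                  "applications": {"includeApplications": ["All"]},
                  "clientAppTypes": client_apps}
    if locations:
        conditions["locations"] = locations
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": controls}}


# Constructed: the tenant-wide MFA policy from the question (all client apps).
TENANT_WIDE_MFA = policy("Require MFA for all users (original)", ["all"], ["mfa"])

# Policy A from the answer: MFA only for the interactive client app types.
POLICY_A = policy("Policy A - Interactive user access (MFA)",
                  ["browser", "mobileAppsAndDesktopClients"], ["mfa"])

# Policy B from the answer: 'Other clients', no MFA.  Assumption: the optional
# "require trusted location" control is expressed the only way Conditional
# Access can, as a block for sign-ins from outside trusted named locations.
POLICY_B = policy("Policy B - Non-interactive/EAP (no MFA, trusted locations)",
                  ["other"], ["block"],
                  {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]})


def requires_mfa(p):
    """True if the grant controls include the built-in MFA control."""
    return "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])


def reaches_non_interactive(p):
    """True if the client app condition also covers 'all' or 'other' clients."""
    return bool(set(p["conditions"].get("clientAppTypes", ["all"]))
                & NON_INTERACTIVE_CLIENT_APPS)


def policies_breaking_eap(policies):
    """Names of enabled policies that would demand MFA at Wi-Fi/EAP join time."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled" and requires_mfa(p)
            and reaches_non_interactive(p)]
```

Running the check over the three sample policies reports only the original tenant-wide policy; Policy A and Policy B are scoped so that the EAP flow is never asked for MFA.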
