topic Authenticate on UPN and or SAM Logon in Network Access Control

Authenticate on UPN and or SAM Logon

craiglebutt — Wed, 23 Nov 2022 18:27:58 GMT

ISE 2.7, patch 7

So using Intune for BYOD, some users are having issues connecting, The UPN and SAM name doesn't match, so need to add userprincipalname to the attributes.

My manager is very risk oversee, so just want to check that there is no issues adding "UPN" attribute so the accounts that don't match will authenticate, as to me this just means another field to auth against.

thanks in advance

Craig

Re: Authenticate on UPN and or SAM Logon

hslai — Sun, 11 Dec 2022 23:24:21 GMT

To avoid ambiguity, UPN is preferred as it is supposedly unique for an org. SAM is shorter so easier for inputs. Please balance the benefits based on your organization policies and assessments.

Re: Authenticate on UPN and or SAM Logon

thomas — Thu, 15 Dec 2022 23:06:21 GMT

Have you seen our ISE Webinar for ISE with Intune?

▶ ISE Integration with Intune MDM

02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD

Re: Authenticate on UPN and or SAM Logon

craiglebutt — Fri, 27 Jan 2023 10:21:19 GMT

I added userprincipalname to the attributes, but this still didn't work, had a cal with TAC, they had issues as well.

I did sort the issue in the end, under Certificate Authentication Profile, I changed the use idenity from certificate attribut to and subject name attribut in the certificate, this resolved the issue.

cheers