topic Re: ISE GUID in Network Access Control

ISE GUID

Moudar — Wed, 27 Sep 2023 09:15:54 GMT

Hi,

How can I use the attribute GUID in a condition, I could not find it to choose it!

The idea is to be able to authenticate devices with a certificate that can not be with AD. The certificate will contain the GUID but how to use GUID in ISE?

Re: ISE GUID

Mark Elsen — Wed, 27 Sep 2023 09:48:13 GMT

- Review this document : https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635
Look for GUID with find ; some paragraphs may provide hints .

Re: ISE GUID

Moudar — Wed, 27 Sep 2023 10:14:40 GMT

Still confused about how to use the GUID in a policy, does ISE get it when it does a MDM Compliance check?

Re: ISE GUID

thomas — Wed, 27 Sep 2023 16:35:51 GMT

The GUID is usually used for posture/MDM scenarios. The GUID (Globally Unique IDentifier) is only good for one device. I don't know why you would want to have GUID-specific policies - this does not scale.

You then mention authenticating devices with certificates. Certificates have an entirely different set of attributes for use in authorization. You typically authorize by matching on certificate attributes, not an exact GUID.

Re: ISE GUID

Moudar — Thu, 28 Sep 2023 06:10:59 GMT

It is all about MDM (Azure Intune)

Microsoft will deprecate the Intune Network Access Control (NAC) service API on December 31, 2023. This API supports MAC address and UDID-based queries. Once deprecated, all queries from ISE to Intune will need to utilize the Microsoft Compliance Retrieval API. Microsoft's Compliance Retrieval API supports Global Unique Identifier (GUID) as the unique identifier and, as of July 31, 2023, also supports MAC address-based queries.

The idea is to use SCEP and NDES server on devices that can not join the AD.

Enabling this in ISE:

The question is how a MDM device policy will look like?

Re: ISE GUID

Aref Alsouqi — Thu, 28 Sep 2023 15:19:20 GMT

Why not to set your policies to look at the certificate issuer name, expiry, and the issuer finger print? that way you will only allow the sessions matching those conditions without going down the GUID route. From ISE perspective you associate a new CAP without connecting it to the AD. That's what I usually do for InTune devices authentication.