topic Re: ISE 3.2 dot1x authentication with Intune issued certificates in Network Access Control

ISE 3.2 dot1x authentication with Intune issued certificates

Carlos T — Wed, 22 Nov 2023 23:24:36 GMT

Hi,

Requirement is to enable dot1x wired authentication/authorization for Intune registered devices. There is only Azure AD and Intune. There is NO On premise component (no on premise/traditional AD, or ADCS)

According to the following link, we need ADCS so Intune can issue certificates for the endpoints, so then ISE can use the certificate for authenticate and authorize the device/user.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune - Page 2 - Cisco Community

After the endpoint is registered with Intune, I see by default that Intunes push/deploy a certificate for the endpoint signed by "Microsoft Intune MDM Device CA".

Can this certificate be used for authentication and authorization? instead of using SCEpman or ADCS? I dont see it mentioned on the guide, they are just showing to use ADCS and on the QA they used SCEPman, but why not use the default cert provided by Intune?

Thanks!

Re: ISE 3.2 dot1x authentication with Intune issued certificates

Greg Gibbs — Thu, 23 Nov 2023 02:24:52 GMT

No, it is not possible to use the certificate issued by "Microsoft Intune MDM Device CA". This certificate is stored in the Computer certificate store. Windows will not present a Computer certificate for a dot1x User authentication session.

Even if it were a User certificate, there is no User Principal name nor the Intune GUID inserted in the CN or SAN field.

Re: ISE 3.2 dot1x authentication with Intune issued certificates

Carlos T — Thu, 23 Nov 2023 02:30:40 GMT

Thanks Greg, so the only option is to use the ADCS for the user/device certificates as mentioned on your document.

ADCS is a traditional solution. if we want a cloud only solution, SCEPman could be used. Is Cisco ok using Scepman instead of ADCS?

Thanks!

Re: ISE 3.2 dot1x authentication with Intune issued certificates

Greg Gibbs — Thu, 23 Nov 2023 03:48:46 GMT

ISE is not involved in any part of the certificate enrolment. As long as the certificate includes the necessary attributes for relevant use case (UPN for User AuthZ against Entra ID; URI with GUID for Intune compliance check), there should be no issues.

ISE will need the CA Root chain (including any Intermediate/Issuing CAs) for SCEPman in the Trusted Certificates store to trust the certificate issued by the client. The client will need to trust the Root CA that signed the ISE EAP certificate in the Wired/Wifi Profile to trust the cert presented by ISE.

Re: ISE 3.2 dot1x authentication with Intune issued certificates

Steve Burkett — Thu, 08 Feb 2024 07:21:53 GMT

In case you missed it, there is a Microsoft Cloud PKI service on the way as part of the Microsoft Intune Suite. SCEPman probably still works out cheaper though.

Re: ISE 3.2 dot1x authentication with Intune issued certificates

jitendrac — Thu, 18 Apr 2024 17:00:26 GMT

Any idea if ISE 3.3 support Microsoft Cloud PKI that can be used for EAP TLS with Microsoft Entra ID for user certificate based authentication ?