topic Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate in Network Access Control

ISE 3.2 Azure AD - Intune authentication/authorization certificates

Carlos T — Thu, 23 Nov 2023 02:16:03 GMT

Hi,

By reading many times this article would like to clarify the following on a Cloud only environment (Azure AD and Intune, NO ADCS and NO traditional AD):

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune - Page 2 - Cisco Community

Authentication Questions:

1. For dot1x authentication with Entra ID (Azure AD) using REST, only user authentication is possible, and not computer authentication? There is no need for a certificate as only the user credentials (Azure AD credentials) are needed every time the user is connected to the network? So No need to deploy/push a certificate for authentication to succeed?

2. For dot1x authentication with Entra ID (Azure AD) using EAP-TLS, do we need to deploy a certificate for the user? and a separate certificate for the device? If we don't have ADCS, is there any method to deploy the user and device certificate? I see a device certificate is automatically sent by Intune to the registered devices (device cert signed by “Microsoft Intune MDM Device CA”), but what about a user certificate?

3. Can the Intune deployed certificate signed by “Microsoft Intune MDM Device CA” be used for authentication? I see it is only referenced in the authorization part on the document, but not for authentication. And as I believe is a device certificate it can be used only for device authentication but not user authentication?

Authorization

Finally for authorization, will be just ISE query to intune if the device is compliant or not, and for that is it correct that it will use the device certificate (the one that is automatically sent by Intune to the registered devices, device cert signed by “Microsoft Intune MDM Device CA”) ?

So for authentication and authorization it uses the same certificate? or uses different certificates? user certificate for authentication? and device certificate for authorization?

Thanks

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Thu, 23 Nov 2023 02:48:12 GMT

As discussed in the referenced document, there is no way to authenticate a 'Device' against Entra ID.
For the EAP-TTLS(PAP) use case, no certificate is required. It requires ROPC configured as per the Configure ISE 3.0 REST ID with Azure Active Directory guide. This use case is also limited to max 50 authentications per second as per the Performance and Scalability Guide for Cisco ISE
As there is no way for ISE to learn the GUID, it is not possible to use Intune compliance as an authorization condition for this use case.

Yes, you must have a user certificate for EAP-TLS You would need a PKI solution that is capable of integrating with Intune to enrol a computer and/or user certificate on behalf of the endpoint. The certificate must also have the GUID inserted for ISE to perform a compliance check against Intune.

Intune does not enrol a User certificate that is suitable for dot1x User authentication or Intune compliance check by ISE.

This question was answered in this duplicate post - https://community.cisco.com/t5/network-access-control/ise-3-2-dot1x-authentication-with-intune-issued-certificates/td-p/4964739

The referenced document discusses how Windows presents the Computer cert in the Computer state and the User cert in the User state. ISE performs authorization based on the certificate values presented by the client in the relevant state.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

carrols1 — Sun, 19 May 2024 14:33:59 GMT

Hi,
I also have the same question about the user certificate of Azure Entra ID users. According to this configuration guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html I tried with ISE3.2 patch 5. But authentication was not successful. Authentication using EAP-TLS process how that user certificate deploys for each user ? Do we have to deploy user certificate for each user, or it automatically done from cisco ISE.?
User certificate:

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Mon, 20 May 2024 22:36:32 GMT

I'm not sure I understand the question. You mention that Authentication was not successful, but you only shared a screenshot of your Authorization policy. What is the exact problem, what does the relevant policy look like, and what are you seeing the detailed logs?

As stated in the documents, ISE authentication is only performed based on a valid and trusted certificate. With EAP-TLS, ISE needs to trust the client certificate, and the client needs to trust the ISE EAP certificate so you need to ensure both the client and ISE have the necessary Root/Intermediate CA certificates in their relevant trust stores.

The certificate enrolment on the client is done by Intune. Each user should have a unique certificate and ISE is not involved in the enrolment process.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

shujath-syed — Mon, 02 Dec 2024 10:47:57 GMT

I have two questions:

1. If I use on-prem PKI will that have to be called from Intune as certificate connector?

2. Can I still continue without PxGrid on ISE if I want to use on-prem PKI for NAC via azure ise?

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Mon, 02 Dec 2024 22:48:29 GMT

1. If you intend to use the MDM integration for ISE to check compliance against Intune, then Intune must be integrated with your PKI so the GUID can be inserted in the certificate.

2. pxGrid has no specific relation to either the PKI or authorization against Entra ID

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

shujath-syed — Tue, 03 Dec 2024 15:08:56 GMT

1. Is that possible without ISE premier license? I thought for compliance check we need ISE premier? I have essentials license, do I need to upgrade to advantage or premier?

and if the certificate connector in Intune integrates with Jamf Pro (to support mac-os) in above scenario?

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Tue, 03 Dec 2024 21:59:36 GMT

Yes, the MDM integration features require the Premier licensing. See the ISE Licensing Guide for more information.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

The Intune Certificate Connector provides integration with your PKI, not with another MDM (Jamf Pro, in this case).

This conversation has strayed far past the original topic of discussion. For any new queries, please submit a new question on the Community.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

migkniatovits — Mon, 04 Aug 2025 13:20:30 GMT

Hey @Greg Gibbs ,

I'm trying to determine the best way to implement 802.1X with EAP-TLS on ISE 3.3 patch 7, specifically for both machine and user authentication on devices & users that are joined to Entra ID — similar to how it works with traditional on-prem AD-joined computers and users.

Would the section titled "Entra Joined Device and Entra User with TEAP (EAP-TLS) and EAP Chaining" in your original thread be the most appropriate approach to mirror the old setup?

From what I understand (please correct me if I'm wrong), true machine authentication—as it was done with AD computer accounts—is not directly possible with Entra ID.

Thank you in advance.
Mile.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Tue, 05 Aug 2025 05:24:47 GMT

Yes, that scenario would likely fit your use case.

As discussed in that blog, neither authentication of the device nor user are possible against Entra ID when using EAP-TLS.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

migkniatovits — Tue, 05 Aug 2025 06:18:18 GMT

Hi Greg,

Thank you for your prompt response.

Would you recommend a different approach in this case?
Have you encountered a similar scenario where a customer had implemented both machine and user authentication for on-premises Active Directory, and later aimed to migrate their users to Entra ID?

Looking forward to your insights.

Re: ISE 3.2 Azure AD - Intune authentication/authorization certificate

Greg Gibbs — Tue, 05 Aug 2025 23:34:54 GMT

That would be the closest possible option with the current capabilities.

There is a feature enhancement coming in ISE 3.5 that will allow you to perform Authorization of the Entra Joined device based on group/attribute as well (similar to the EAP-TLS User Authorization flow). This may also be available after that via a patch in 3.4.

The simple fact of the matter is that Entra ID is not AD in the cloud, so 'like-for-like' will have it's limitations.