<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wireless NAC via Azure ISE using ON-Prem PKI in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259460#M594914</link>
    <description>&lt;P&gt;If you are using EAP-TLS and only authenticating and authorising the session based on the certificate (not performing checks against any external identity store), then you would be limited to the information provided to ISE in the certificate.&lt;/P&gt;
&lt;P&gt;Ideally, you would want to use matching conditions in the AuthC/AuthZ policies that match on unique attributes in the certificate. These could include the Issuer CN, Subject OU, etc, and would depend on how you have defined your certificate templates and profiles.&lt;/P&gt;</description>
    <pubDate>Wed, 12 Feb 2025 00:33:05 GMT</pubDate>
    <dc:creator>Greg Gibbs</dc:creator>
    <dc:date>2025-02-12T00:33:05Z</dc:date>
    <item>
      <title>Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232618#M593584</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp; - Hi, I looked at your article; it's very helpful.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635" target="_blank" rel="noopener"&gt;https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to do NAC on wireless via ISE in Azure using on-prem PKI, which will enroll Windows machines in Intune. I am going to use the Certificate Connector for on-prem PKI. I read it doesn't support ISE Essentials and I need ISE Advantage as a minimum. Can you advise which license will be suitable: ISE Essentials, Advantage or Premier? I can't see this clearly from the Cisco ISE Licensing Guide.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't intend to use compliance-based auth; I only intend to use cert-based auth. So for this, do I need ISE Advantage or Premier?&lt;/P&gt;</description>
      <pubDate>Wed, 04 Dec 2024 21:05:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232618#M593584</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2024-12-04T21:05:53Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232648#M593585</link>
      <description>&lt;P&gt;"&lt;SPAN&gt;I read it doesn't support ISE essentials and I need ISE advantage as a minimum"&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Where did you read this?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The certificate enrolment happens outside of any control by ISE. If you only plan to use the enrolled certificates to authenticate the Users/Devices via EAP-TLS (and no other features such as Profiling, MDM, etc), this falls under the '&lt;STRONG&gt;AAA and 802.1X'&amp;nbsp;&lt;/STRONG&gt;use case covered by the Essentials licenses.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Dec 2024 22:00:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232648#M593585</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2024-12-04T22:00:11Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232681#M593588</link>
      <description>&lt;P&gt;Ok thank you very much&lt;/P&gt;</description>
      <pubDate>Thu, 05 Dec 2024 09:31:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5232681#M593588</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2024-12-05T09:31:26Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5233147#M593619</link>
      <description>&lt;P&gt;Lastly, can I ask, in the above context, what best can I do for macOS machines which are enrolled in Jamf Pro (not many)?&lt;/P&gt;</description>
      <pubDate>Thu, 05 Dec 2024 22:58:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5233147#M593619</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2024-12-05T22:58:33Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5235106#M593686</link>
      <description>&lt;P&gt;The same approach would generally be taken. Integrate Jamf Pro with your PKI, enroll certificates on the MacOS endpoints, and authenticate them via EAP-TLS.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Dec 2024 21:13:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5235106#M593686</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2024-12-10T21:13:44Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5246911#M594200</link>
      <description>&lt;P&gt;Hi - I am doing a POC for this using on-prem PKI. My ISE is stood up in Azure now. Can you advise what the key elements are that I should be configuring? If there is any article you know of on this, please share.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Jan 2025 12:10:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5246911#M594200</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-01-14T12:10:37Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259169#M594904</link>
      <description>&lt;P&gt;Hi - I just wanted to check: since I am not doing an ISE integration with Intune/Entra ID, and I can't use the GUID in ISE policies to match for auth as there are thousands of machines, what do you advise to match against - something like Issuer CN would make sense? This way anything presented by the CA server to the machines will be authenticated by ISE. I just need to define the CA server in ISE's external CA settings. Do you think it's workable?&lt;/P&gt;</description>
      <pubDate>Tue, 11 Feb 2025 15:28:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259169#M594904</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-02-11T15:28:21Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259460#M594914</link>
      <description>&lt;P&gt;If you are using EAP-TLS and only authenticating and authorising the session based on the certificate (not performing checks against any external identity store), then you would be limited to the information provided to ISE in the certificate.&lt;/P&gt;
&lt;P&gt;Ideally, you would want to use matching conditions in the AuthC/AuthZ policies that match on unique attributes in the certificate. These could include the Issuer CN, Subject OU, etc, and would depend on how you have defined your certificate templates and profiles.&lt;/P&gt;</description>
      <pubDate>Wed, 12 Feb 2025 00:33:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259460#M594914</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2025-02-12T00:33:05Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259609#M594926</link>
      <description>&lt;P&gt;Yes, that's exactly what I am looking to do, because I only wish to do NAC policies using cert fields or issuer etc., as I have ISE Essentials (can't upgrade to a higher license due to costs), so I don't think I have more options available, because if I want to do any checks against an external identity store I will need a higher license than ISE Essentials, right? Do you believe this is still a workable basic-level NAC? Please see your first comment in this post, which is exactly what I am doing.&lt;/P&gt;</description>
      <pubDate>Wed, 12 Feb 2025 21:37:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259609#M594926</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-02-12T21:37:50Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259905#M594956</link>
      <description>&lt;P&gt;Performing checks against external Identity Stores (AD, Entra ID User AuthZ, etc) are part of the&amp;nbsp;&lt;SPAN&gt;'&lt;/SPAN&gt;&lt;STRONG&gt;AAA and 802.1X'&amp;nbsp;&lt;/STRONG&gt;&lt;SPAN&gt;use case covered by the Essentials licenses.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 12 Feb 2025 22:06:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5259905#M594956</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2025-02-12T22:06:54Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262164#M595055</link>
      <description>&lt;P&gt;Many thanks, it works when I allow EAP-TLS in the AuthC/Z policies and enter CN=GUID in the conditions. But this is when I enter a GUID manually in the policy under the conditions of AuthC/Z. I also see the log "Found Endpoint in Internal Endpoints IDStore" against that particular CN/GUID of a single machine. But if I want to check for all thousands of machines, what can I do? I did refer to your article&amp;nbsp;&lt;STRONG&gt;Cisco ISE with Microsoft Active Directory, Entra ID&lt;/STRONG&gt;, and Intune,&amp;nbsp;but&amp;nbsp;I cannot find how to check against Entra with ISE Essentials. Do I select Issuer instead of Certificate CN? I cannot create an auth profile in external identity sources because Entra doesn't have a domain controller. Unless I enter the CN/GUID of every single machine manually in the AuthC/Z policies, I don't know how I can check against the Entra ID store. Any idea?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Feb 2025 20:33:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262164#M595055</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-02-18T20:33:16Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262174#M595056</link>
      <description>&lt;P&gt;The UPN is used to check Identity against Entra ID. The GUID is used to check Registration/Compliance against Intune.&lt;BR /&gt;These are two separate functions that use different API calls.&lt;/P&gt;
&lt;P&gt;As clearly stated in the blog that you referenced:&lt;BR /&gt;&lt;EM&gt;"As the Intune Registration and/or Compliance lookups are functions of the MDM Compliance feature in ISE, any sessions using these conditions will require a &lt;STRONG&gt;Premier&lt;/STRONG&gt; license as per the&amp;nbsp;&lt;A href="https://cs.co/ise-licensing" target="_blank" rel="noopener nofollow noreferrer"&gt;Cisco ISE Licensing Guide&lt;/A&gt;."&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 18 Feb 2025 21:14:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262174#M595056</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2025-02-18T21:14:44Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262218#M595058</link>
      <description>&lt;P&gt;&lt;SPAN&gt;I am using the '&lt;/SPAN&gt;&lt;STRONG&gt;AAA and 802.1X'&amp;nbsp;&lt;/STRONG&gt;&lt;SPAN&gt;use case covered by the Essentials licenses. Can I use UPN in this case?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Because I am receiving a machine certificate,&amp;nbsp;and it has the GUID/Intune device ID in the subject field of the machine certificate.&amp;nbsp; I am using on-prem PKI which is integrated with the Certificate Connector. Do I need to tell the on-prem PKI to issue the UPN in the subject field of the machine certificate instead of the GUID?&lt;/P&gt;&lt;P&gt;Or can a UPN only be issued to a user certificate and not a device certificate? Because I am using a device certificate, what can I match now?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Feb 2025 23:40:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5262218#M595058</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-02-18T23:40:33Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5266778#M595299</link>
      <description>&lt;P&gt;I am using a machine certificate and ISE is only validating based on the certificate that is presented to it. I am using Issuer CN. It's all working fine, but it's also authenticating REVOKED machine certificates. I checked, and the comms between ISE and the OCSP server are not working. Do you think fixing these comms would block revoked certs and allow valid certs?&lt;/P&gt;&lt;P&gt;Also, do we need to enter the OCSP public or private URL in the OCSP profile configured in ISE? (I have checked "Unknown" and "Unreachable", btw.)&lt;/P&gt;&lt;P&gt;Note: because we are using machine certs we are not checking against an external identity store (Entra, in our case). I hope this is not linked with the above scenario?&lt;/P&gt;</description>
      <pubDate>Mon, 03 Mar 2025 14:09:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5266778#M595299</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-03-03T14:09:21Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5266969#M595307</link>
      <description>&lt;P&gt;If you have configured CRL and/or OCSP settings in your Root or Intermediate trusted certificates, and ISE can reach those services, it will perform a revocation check during the Authentication process.&lt;/P&gt;
&lt;P&gt;Public vs. Private URL is entirely dependent on your environment and how ISE would communicate with that service. These comms would also be impacted by any proxy configured, so you may need to add those FQDNs to the 'bypass' list in the ISE proxy settings.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Mar 2025 23:35:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5266969#M595307</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2025-03-03T23:35:00Z</dc:date>
    </item>
    <item>
      <title>Re: Wireless NAC via Azure ISE using ON-Prem PKI</title>
      <link>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5270074#M595433</link>
      <description>&lt;P&gt;My POC has worked, but when I did some pilot sites on the on-prem ISE I am having two issues.&lt;/P&gt;&lt;P&gt;1. When I uploaded and bound the server certificate (from on-prem PKI)&amp;nbsp;for EAP authentication, the existing EAP authentication got moved here. The Win11 machines worked on the existing corp SSID but Win10 didn't. I got an error saying ISE is not trusting the client certificate being presented. I disabled my new NAC SSID policy, yet the corp SSID won't work for Win10 but works for Win11. The Win11 machines are on Intune and the Win10 machines are on AD. But I see the server certificate on both Win10 and Win11 in the trusted and intermediate stores on both machines. Not sure how I can seamlessly implement it without causing an outage.&lt;/P&gt;&lt;P&gt;2. I am thinking I will roll out the machine certs to not just pilots but all Win10 in the estate, but this way it poses a risk of multiple incidents. But I believe, regardless of whether it's Win10 or Win11, if it's issued with a new machine cert from PKI/Certificate Connector the machines will continue to connect on the existing corp SSID, regardless of whether it works on the new NAC-enabled SSID or not.&lt;/P&gt;&lt;P&gt;3. A quick question on the ISE policy - I am placing the new NAC SSID at the top of the policy table using the NAS ID in the WLC and also in the ISE policy, along with RADIUS wireless 802.1X, to make sure existing corp SSID traffic doesn't hit this policy and isn't affected. Is this the right approach?&lt;/P&gt;</description>
      <pubDate>Tue, 11 Mar 2025 19:05:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wireless-nac-via-azure-ise-using-on-prem-pki/m-p/5270074#M595433</guid>
      <dc:creator>shujath-syed</dc:creator>
      <dc:date>2025-03-11T19:05:43Z</dc:date>
    </item>
  </channel>
</rss>