ISE as Radius Server with InTune Creds?

jmorton1
Level 1

Currently, in order for users in our organization to authenticate to our secure wifi, they are prompted for their Windows AD creds, and if they authenticate successfully, and their machine has the ISE radius certificate, then the user is allowed to access the wireless via ISE. The wireless profiles are currently pushed out by on-prem GPO.

However, we are looking to have users authenticate to the wifi using Microsoft 365 credentials and we hope to have the wifi profile pushed out by Microsoft InTune instead of our on-prem GPO. Has anyone ever used InTune to do this, and if so, how did you get the requests to forward to ISE?

2 Replies

Arne Bier
VIP

This is possible. Intune has no part to play in making requests to ISE. Intune is responsible for pushing configurations to the endpoints (mobile, PC, etc.) and most importantly, to create the wireless profile on the endpoint - this includes the CA certificate chain of ISE (or whatever RADIUS server you are using ... let's say, it's ISE) as well as the client certificate, in the case of EAP-TLS.

The RADIUS requests are made by the WLC Controller (or WAP) when an endpoint connects to the WPA2/3-Enterprise SSID, using an EAP method, such as EAP-PEAP (MS-CHAPv2) or EAP-TLS. You mentioned user credentials - that is EAP-PEAP (MS-CHAPv2) and it's the crudest (but easiest) way to get endpoints onto an 802.1X protected network. It's not going to be around much longer because Microsoft is trying to kill off this method, since users are passing sensitive data from their devices to the network. MS will block access to these creds using a feature called Credential Guard. I think you can bypass it (GPO) but it's not advisable. The better approach is NOT to use credentials, but to make Intune push a certificate to the endpoints instead. Easier said than done ... but that's the reality. Proper security requires more effort on our part - but Intune is helping make this easier - I think MS now has a cloud based PKI that assists here - but I have no experience with it.

That's ISE Authentication - either EAP-PEAP (username/password) or EAP-TLS (certificate). Let's assume you have one of these working. Now comes ISE Authorization. It's optional, but highly advised, since you don't want anyone in the AD user directory connecting to your network - so typically you Authorize based on AD Security Group Membership. How is that done when all this lives in Azure (or EntraID)? ISE has a trick up its sleeve - it's called the ROPC protocol. It makes a TLS connection from your ISE to the Microsoft Cloud. In this TLS tunnel you can perform AD Group lookups to see if your user is a member of AD Group XYZ. And by the way, the last time I tried this, you could even pass username/password over this ROPC tunnel - but then you're not using EAP-PEAP anymore - you must use EAP-TTLS, which makes a secure TLS tunnel, and then passes the user creds in clear text. And Microsoft supports EAP-TTLS out of the box, but Apple iOS doesn't (it does via MDM/configurator). I think Android also supports it.

Have a look for ISE and ROPC Cisco links here.
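The ROPC flow described above, as an added illustration (this is not ISE's or Microsoft's code and not part of the original reply): an OAuth 2.0 ROPC token request to Entra ID, then a Microsoft Graph group lookup, with the allow/deny decision kept in a function that can be exercised offline against a constructed response. The tenant, client registration and group object ids are placeholders, and the network helpers are only called if you supply real values.

```python
"""Added example: the two steps ISE performs with ROPC, shown in plain Python.
Step 1 obtains a token with the user's credentials (grant_type=password);
step 2 queries the user's group membership and applies the authorization
policy. Endpoints are the public Microsoft identity platform / Graph URLs."""
import json
from urllib import parse, request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/me/memberOf"


def build_ropc_request(tenant, client_id, client_secret, username, password):
    """Form body for the ROPC grant. Tenant and client values are assumed
    to come from an app registration that has ROPC enabled."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "username": username,
        "password": password,
    }
    return TOKEN_URL.format(tenant=tenant), body


def post_form(url, body):
    """Send the token request over TLS. Never log the body: it carries the password."""
    req = request.Request(url, data=parse.urlencode(body).encode(), method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_member_of(access_token):
    """Group lookup for the authenticated user via Microsoft Graph."""
    req = request.Request(GRAPH_MEMBER_OF, headers={"Authorization": f"Bearer {access_token}"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def authorize(member_of_response, allowed_group_ids):
    """Policy step: permit only members of an allowed group. Matching on the
    group object id (not displayName) and on the group odata type keeps
    directory roles and similarly named objects from satisfying the rule."""
    groups = {obj["id"] for obj in member_of_response.get("value", [])
              if obj.get("@odata.type") == "#microsoft.graph.group"}
    return bool(groups & set(allowed_group_ids))


# Constructed sample of a Graph memberOf response; ids are placeholders, not real tenant data.
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "id": "00000000-0000-0000-0000-000000000001",
     "displayName": "WiFi-Users"},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "00000000-0000-0000-0000-000000000002",
     "displayName": "WiFi-Users"},
]}
```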

zueskalvin
Level 1

@jmorton1 wrote:

Currently, in order for users in our organization to authenticate to our secure wifi, they are prompted for their Windows AD creds, and if they authenticate successfully, and their machine has the ISE radius certificate, then the user is allowed to access the wireless via ISE. The wireless profiles are currently pushed out by on-prem GPO.

However, we are looking to have users authenticate to the wifi using Microsoft 365 credentials and we hope to have the wifi profile pushed out by Microsoft InTune instead of our on-prem GPO. Has anyone ever used InTune to do this, and if so, how did you get the requests to forward to ISE?

Yes, you can use Microsoft Intune to push Wi-Fi profiles and authenticate via Microsoft 365 credentials. To forward requests to ISE, configure Enterprise Wi-Fi profiles in Intune with EAP-TLS or PEAP-MS-CHAPv2 authentication. Ensure:

  1. Azure AD Join or Hybrid Join: Devices must be enrolled in Intune and registered in Azure AD.
  2. RADIUS Configuration: ISE must trust Azure AD identities (via SAML or OAuth) and support authentication requests.
  3. NPS Extension for Azure MFA: If MFA is required, integrate NPS with Azure AD for authentication.