ISE MDM WLAN 802.1x EAP-TTLS: validate server cert only + MDM compliancy status

Hi,

I have the following question and situation. I have a computer connected to Microsoft Azure AAD only, not locally domain joined.

These devices are registered inside Intune.

I would like to grant access to the Wi-Fi if the device is compliant inside Intune, and maybe check the ISE certificate only.

I do not want to use client or computer certificates.  

I am using Cisco WLC.

Is this possible, or will I always need a client or computer certificate?
Where do I need to look? I read that with EAP-TTLS no client certificate is required, but I think you still need a username and password.

How to best approach this?

1 REPLY

VIP Advocate

Re: ISE MDM WLAN 802.1x EAP-TTLS: validate server cert only + MDM compliancy status

If you are not using client certificates, then what authentication method are you using to identify the clients to ISE? Username and password? If so, then you won't be able to look up/verify those credentials against AzureAD.

If using a public AD like AzureAD, your only option is to use client certificates, and you can use Secure LDAP to AzureAD to allow ISE to pull the AD Groups for the username specified in the certificate - that will allow you some flexibility in the AuthZ creation.

The Intune integration is pretty well supported as far as I know. That part should be doable.