Cisco Employee

Which Certificate (service) is used to integrate with Intune? Is EKU required both for Server and Client auth?

Hi Experts,

 

I'm following the guide to integrating ISE with Intune. 

 

In the step of 'Export ISE System Certificate', I got stuck since my customer uses all CA signed certificates separated by Admin, Portal, EAP-Auth, pxgrid service.

 

Which one shall I export in this case? 

 

Additionally, if it is the one EAP-Auth cert I should export, is it needed to have EKU both client authentication (1.3.6.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1) in the certificate? 

 

Currently, we only have Server auth for the purpose of client 802.1x EAP-TLS.

 

 

Accepted Solutions
VIP Advisor

Hi,

The certificate is the Admin one because Intune and ISE communicate using
APIs (not EAP).

Regarding the EKU, it has to be client/server authentication for mutual
authentication between Intune and ISE.
Cisco Employee

Hi Mohammed,

Thank you for your response. Is the EKU mandatory?
I'm referring to doc: https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897
It is said only pxgrid cert requires both server/client auth EKU.

If I have to revise my admin cert with both EKU, I think I have to deregister my cluster (8 nodes) and register again with new cert, am I right?
VIP Advisor

I replied to your private message :)
Cisco Employee

What Mohammed al Baqari said appears correct. It appears Microsoft Intune is using the ISE admin certificate(s) to validate the requests and, hence, the client auth on them.

Cisco Employee

Thank you for your verification.
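
The EKU question in this thread can be checked on the exported Admin certificate before it is uploaded anywhere. The script below is an added example, not code from the posters or from Cisco; it assumes the OpenSSL command-line tool is installed, and the file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: report the Extended Key Usage (EKU) of an exported certificate.
# serverAuth = 1.3.6.1.5.5.7.3.1, shown by OpenSSL as "TLS Web Server Authentication"
# clientAuth = 1.3.6.1.5.5.7.3.2, shown by OpenSSL as "TLS Web Client Authentication"

# Print the EKU list on one line, "absent" if the certificate has no EKU
# extension, or "unreadable" (exit status 2) if the file cannot be parsed.
# Accepts PEM or DER input.
cert_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
    text=$(openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null) ||
    { echo "unreadable"; return 2; }
    # The EKU values are printed on the line after the extension header.
    eku=$(printf '%s\n' "$text" |
          grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//')
    echo "${eku:-absent}"
}

# Exit status 0 only when both serverAuth and clientAuth are listed.
# 1 = one or both are missing (including no EKU extension at all),
# 2 = the file could not be parsed as a certificate.
eku_has_client_and_server() {
    eku=$(cert_eku "$1") || return 2
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# Usage: sh eku_check.sh exported-admin-cert.pem   (hypothetical file name)
if [ "$#" -gt 0 ]; then
    echo "EKU: $(cert_eku "$1")"
    if eku_has_client_and_server "$1"; then
        echo "serverAuth and clientAuth are both present"
    else
        echo "serverAuth and clientAuth are NOT both present"
    fi
fi
```

A certificate issued only for EAP server use, like the one described in the question, makes the second function return 1.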