01-16-2025 07:48 AM
We are trying to authenticate and authorize HP Poly phones in ISE using wired MAB. The devices are onboarded to Intune and ISE is also integrated with Intune. Authorization policies are defined based on the compliance status of the phones in Intune. The issue is that, since the devices are running on Android 12, the MAC addresses are not being sent due to the security policies and are not learnt by Intune. So when ISE queries Intune for the device using the MAC address, it receives a "device not found" response, which in turn causes the authorization policy to fail because the compliance status is not fetched correctly. We have planned to push certificates to the devices to check if ISE can find the devices based on the cert-based identifiers - CN GUID/SAN GUID. But TAC is confirming that it will not work as we are using wired MAB. Any advice or any other alternate solutions on this issue?
01-16-2025 09:19 AM
You need to use certificate GUID. Not MAC address.
01-16-2025 11:12 PM
Do you mean to say certificate GUID device identifiers won't work if we are using wired MAB authentication?
01-19-2025 01:22 PM
If you are pushing certificates to the endpoints in order to use the GUID in the CN or SAN for lookup against Intune, then why wouldn't you use the same certificate to implement 802.1x authentication using EAP-TLS?
In order to use the GUID-based MDM lookup, the endpoint must provide the certificate to ISE so it can learn the GUID. This does not happen with MAB.