cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
538
Views
10
Helpful
3
Replies

Authenticate on UPN and or SAM Logon

craiglebutt
Enthusiast
Enthusiast

Hi

ISE 2.7, patch 7

So using Intune  for BYOD, some users are having issues connecting, The UPN and SAM name doesn't match, so need to add userprincipalname to the attributes.

My manager is very risk oversee, so just want to check that there is no issues adding "UPN" attribute so the accounts that don't match will authenticate, as to me this just means another field to auth against.

 

thanks in advance

 

Craig

1 Accepted Solution

Accepted Solutions

craiglebutt
Enthusiast
Enthusiast

Hi

I added userprincipalname to the attributes, but this still didn't work, had a cal with TAC, they had issues as well.

I did sort the issue in the end, under Certificate Authentication Profile, I changed the use idenity from certificate attribut to and subject name attribut in the certificate, this resolved the issue.

cheers

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

To avoid ambiguity, UPN is preferred as it is supposedly unique for an org. SAM is shorter so easier for inputs. Please balance the benefits based on your organization policies and assessments.

thomas
Cisco Employee
Cisco Employee

Have you seen our ISE Webinar for ISE with Intune?

ISE Integration with Intune MDM

02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD

craiglebutt
Enthusiast
Enthusiast

Hi

I added userprincipalname to the attributes, but this still didn't work, had a cal with TAC, they had issues as well.

I did sort the issue in the end, under Certificate Authentication Profile, I changed the use idenity from certificate attribut to and subject name attribut in the certificate, this resolved the issue.

cheers

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers