
Authenticate on UPN and or SAM Logon

craiglebutt
Level 4

Hi

ISE 2.7, patch 7

So using Intune for BYOD, some users are having issues connecting. The UPN and SAM name don't match, so need to add userprincipalname to the attributes.

My manager is very risk-averse, so just want to check that there are no issues adding the "UPN" attribute so the accounts that don't match will authenticate, as to me this just means another field to auth against.

 

thanks in advance

 

Craig

1 Accepted Solution

craiglebutt
Level 4

Hi

I added userprincipalname to the attributes, but this still didn't work. Had a call with TAC, they had issues as well.

I did sort the issue in the end: under Certificate Authentication Profile, I changed the "use identity from" setting from certificate attribute to any subject name attribute in the certificate. This resolved the issue.

cheers

3 Replies

hslai
Cisco Employee

To avoid ambiguity, UPN is preferred as it is supposedly unique for an org. SAM is shorter so easier for inputs. Please balance the benefits based on your organization policies and assessments.
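
An added example, not part of the thread and not Cisco tooling: a pre-change audit of an AD export that lists accounts whose sAMAccountName differs from the UPN prefix and flags UPN prefixes that collide with another account's sAMAccountName, which is the ambiguity mentioned above. The CSV layout, the sample accounts and the function name `audit_identities` are constructed for illustration.

```python
import csv
import io

# Constructed sample export (not real accounts).
SAMPLE_EXPORT = """sAMAccountName,userPrincipalName
jsmith,jsmith@example.com
cbrown,carol.brown@example.com
asmith,a.smith@example.com
a.smith,anna.smith@example.com
JDoe,jdoe@example.com
"""


def audit_identities(csv_text):
    """Classify accounts by how their SAM name relates to their UPN."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Directory names compare case-insensitively, so normalise first.
    sam_owner = {
        r["sAMAccountName"].lower(): r["userPrincipalName"].lower() for r in rows
    }
    report = {"match": [], "mismatch": [], "ambiguous": []}
    for r in rows:
        sam = r["sAMAccountName"].lower()
        upn = r["userPrincipalName"].lower()
        prefix = upn.partition("@")[0]
        if prefix == sam:
            report["match"].append(sam)
            continue
        # These are the users who fail when only one attribute is matched.
        report["mismatch"].append(sam)
        # Assumption: if an identity is ever reduced to the bare name before
        # lookup, a UPN prefix equal to another account's SAM name would
        # point at that other account instead.
        other = sam_owner.get(prefix)
        if other is not None and other != upn:
            report["ambiguous"].append((upn, prefix))
    return report


if __name__ == "__main__":
    for kind, entries in audit_identities(SAMPLE_EXPORT).items():
        print(kind, entries)
```

Accounts reported as ambiguous are the ones to review before matching on more than one attribute.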

thomas
Cisco Employee

Have you seen our ISE Webinar for ISE with Intune?

ISE Integration with Intune MDM

02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD (computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD
