cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
226
Views
0
Helpful
2
Replies

Azure ID ISE 3.2 dot1x Device EAP-TLS Authentication/Authorization

mzarli
Level 1
Level 1

 

Dear Cisco Community, 

sofar i understand, it is possible to authenticat device using its certificate. The Authentication in this case is only based on the device presenting a valid  certificate that is trusted by ISE.

is it possible to leverage REST ID to perform the Group/Attribute lookup  as a condition for authorization? when no what is alternatives while Computer Authentication is deployed 

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

@Greg Gibbs 

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

No, it is not currently possible to authorize an Entra Joined 'Device' based on Entra Groups/Attributes using REST ID. REST ID currently only supports User Group/Attribute lookups.

As per the 'Authentication/Authorization of an Entra Joined Device using EAP-TLS' use case in the document you referenced, you can use Intune Registration/Compliance checks as a condition for Authorization. If you need differentiated authorization for different Devices, you would need to define different certificate attributes (like OU) pushed to those devices and use those attribute matches in ISE to provide differentiated authorization.

View solution in original post

2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

No, it is not currently possible to authorize an Entra Joined 'Device' based on Entra Groups/Attributes using REST ID. REST ID currently only supports User Group/Attribute lookups.

As per the 'Authentication/Authorization of an Entra Joined Device using EAP-TLS' use case in the document you referenced, you can use Intune Registration/Compliance checks as a condition for Authorization. If you need differentiated authorization for different Devices, you would need to define different certificate attributes (like OU) pushed to those devices and use those attribute matches in ISE to provide differentiated authorization.

Many Thanks Greg