Solved: Cisco ISE 3.2 EAP-TLS with Microsoft AAD with Machine Certs

KatoNakatomi · ‎12-01-2022

Implementing 802.1x using machine certificates issues to endpoint through Intune

Can Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory connection using machine certificate to authenticate the endpoint onto the network?

The article note in Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory - Cisco implies only user certificates can be used.

Note: The certificate-based authentications can be either EAP-TLS or TEAP with EAP-TLS as the inner method. Then, you can select attributes from Azure Active Directory and add them to the Cisco ISE dictionary. These attributes can be used for authorization. Only user authentication is supported.

ADDITIONAL NOTE: The requirement is only to authenticate the device ie a yes\no response to allow device onto the wired\wireless network; there is no requirement to use information about AD groups or posturing\profiling.

Milos_Jovanovic · ‎12-01-2022

Hi @KatoNakatomi,

In general, you can use any cert-based authentication for dot.1x, as long as you imported certificate CA chain on ISE too. Details are one that matters here, because it is never only about authentication. Guide you shared is stating user-based certs, because it is also explaining about ROPC authentication and user group membership based authorization.

If you use machine cert, then AD group authorization can't be leveraged, simply because your machine object probably doesn't exist same way like it does in traditional AD (not sure, not an AAD expert). Also, your machine cert is different from user one, if we speak about native AAD certs, and it might be harder to differentiate devices, if you plan to use any kind of specific authorization.

I've did dot.1x project in which we leveraged on-prem PKI infra with AAD, so devices still got machine certs that we defined, in format we wanted them to be defined, via SCEP protocol.

Kind regards,

Milos

View solution in original post

thomas · ‎12-01-2022

Azure Active Directory is NOT Active Directory. Microsoft wanted to leverage the brand but the actual supported protocols are very different.

ISE can authenticate any user or endpoint certificate based on trusted CAs and certificate attributes. With AD you can do a binary certificate compare. AAD has no such capability to my knowledge.

The real issue is authorization. To lookup assigned user groups in AAD, ISE 3.2+ can do a user lookup to AAD using the certificate Subject Name which MUST match the UPN name in AAD. ISE can then use the user's AAD groups and attributes in Authorization Rules.

ISE does not have an option for getting endpoint groups today. You will need to perform authorization of endpoints using certificates using only certificate attributes or other info about the endpoint in ISE (profile, posture, etc.)

View solution in original post

Greg Gibbs · ‎12-01-2022

To add to what @thomas and @Milos_Jovanovic stated... a Device in AzureAD is not the same as a Computer in traditional AD.

You can see in AAD that the Device has no UPN or detailed attributes compared to a User. As such, there is no way for ISE to authenticate/authorize a Device based on credentials or groups.

At this time, the only way you would be able to authenticate/authorize a Computer based on the credentials and groups without on-prem AD infrastructure would be to deploy traditional AD infrastructure in the cloud and have those computers Hybrid Azure AD Joined. ISE would then integrate with that traditional AD the same way it does with an on-prem AD. On top of this, you could leverage MDM compliance checks against Intune as part of your authorization rules if you wish.

I have customers that leverage cloud-based traditional AD infrastructure due to the many ways that AzureAD != AD, and is therefore not a replacement for traditional AD infrastructure.

View solution in original post

Milos_Jovanovic · ‎12-01-2022

Hi @KatoNakatomi,

In general, you can use any cert-based authentication for dot.1x, as long as you imported certificate CA chain on ISE too. Details are one that matters here, because it is never only about authentication. Guide you shared is stating user-based certs, because it is also explaining about ROPC authentication and user group membership based authorization.

If you use machine cert, then AD group authorization can't be leveraged, simply because your machine object probably doesn't exist same way like it does in traditional AD (not sure, not an AAD expert). Also, your machine cert is different from user one, if we speak about native AAD certs, and it might be harder to differentiate devices, if you plan to use any kind of specific authorization.

I've did dot.1x project in which we leveraged on-prem PKI infra with AAD, so devices still got machine certs that we defined, in format we wanted them to be defined, via SCEP protocol.

Kind regards,

Milos

thomas · ‎12-01-2022

Azure Active Directory is NOT Active Directory. Microsoft wanted to leverage the brand but the actual supported protocols are very different.

ISE can authenticate any user or endpoint certificate based on trusted CAs and certificate attributes. With AD you can do a binary certificate compare. AAD has no such capability to my knowledge.

The real issue is authorization. To lookup assigned user groups in AAD, ISE 3.2+ can do a user lookup to AAD using the certificate Subject Name which MUST match the UPN name in AAD. ISE can then use the user's AAD groups and attributes in Authorization Rules.

ISE does not have an option for getting endpoint groups today. You will need to perform authorization of endpoints using certificates using only certificate attributes or other info about the endpoint in ISE (profile, posture, etc.)

Greg Gibbs · ‎12-01-2022

To add to what @thomas and @Milos_Jovanovic stated... a Device in AzureAD is not the same as a Computer in traditional AD.

You can see in AAD that the Device has no UPN or detailed attributes compared to a User. As such, there is no way for ISE to authenticate/authorize a Device based on credentials or groups.

At this time, the only way you would be able to authenticate/authorize a Computer based on the credentials and groups without on-prem AD infrastructure would be to deploy traditional AD infrastructure in the cloud and have those computers Hybrid Azure AD Joined. ISE would then integrate with that traditional AD the same way it does with an on-prem AD. On top of this, you could leverage MDM compliance checks against Intune as part of your authorization rules if you wish.

I have customers that leverage cloud-based traditional AD infrastructure due to the many ways that AzureAD != AD, and is therefore not a replacement for traditional AD infrastructure.

dm2020 · ‎02-08-2023

Hi @Greg Gibbs

I have read your recent Security Knowledge Base article on this subject (https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635) and you state in the article that Azure AD Device EAP-TLS ISE Authentication is not currently supported which is understood as there is no device credential concept in Azure AD. However, i'm assuming that it is feasible for Azure Devices to authenticate using EAP-TLS against ISE only (similar to how user authentication works with certificate only validation) with no AD verification lookup? Is this a supported scenario?

Greg Gibbs · ‎02-08-2023

Yes, it would be similar to the 'Authorization with Azure AD and EAP-TLS' section of that whitepaper.

The difference is that you also would only be able to authorize the device based on a valid certificate and Intune compliance (if that is configured). If Intune integration using ADCS and the Intune Certificate Connector is not available, you would only be able to authorize based on a valid certificate so that would not be a very secure option.