cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
307
Views
0
Helpful
3
Replies

Cisco ISE in a Microsoft Co-managed / Hybrid Joined Environment

CoopGT
Level 1
Level 1

Our organization has been using Cisco ISE for network access control and are encountering a situation that we are struggling determine the next and/or proper approach. I'll summarize in point form...

  • Our laptop fleet is co-managed (Config Manager and Intune) and hybrid AD joined (On prem / EntraID) 
  • ISE has been configured for network access control on our workstations using Computer authentication and PEAP-MSCHAPV2
  • We are transitioning our fleet to Windows 11 23H2 and leaving credential guard enabled, thus can no longer use the above
  • A second identity source for certificate authentication was configured
    • Check AD identity store for cert attribute Subject - Common Name, Always perform binary compare
  • Supplicant configuration is deployed via either GPO to Win10 or Intune for Win11
    • Win 11 - Use the computer certificate with simple cert selection 
  • Computer certs managed two ways
    • On prem CA issuing auto enroll PKCS certificates published to AD
    • Intune configuration for obtaining SCEP cert from same CA
  • Certificates have identical information such as CA, CN and Intended purposes
  • We are not yet leveraging the Intune / ISE integration but are considering this

The issue here occurs as there are two device certificates the PKCS and the SCEP, one published to AD and one not. The computer will present the certificate with the newest creation date, if the SCEP cert is sent then it is not found in AD as it is not published there (and Binary compare is on)

We are trying to determine how to best proceed with this and what is the most correct / industry standard approach here. 

  • Reviewing publishing SCEP cert to AD didn't work and was advised this shouldn't be done
  • Reviewing turning off Binary Compare had concerns of lesser security
  • There doesn't appear to be any supplicant configuration to determine a specific certificate to be sent
    • As they come from the same CA and have the same purposes, we cant narrow it down **rther 

 

3 Replies 3

Binary compare is where I would focus.  Eventually I assume all devices will be registered in Entra ID and InTune only rendering binary compare useless correct?

Yes, ultimately I presume that's where we will be, how long it will be to get there is an unknown at this time.
With you expertise, would you have a good response to those who may have concerns with potential reduced security due to turning off binary compare?
My perspective is while it may not be the exact cert that is presented, it still matches details to what is published to AD which I figure is still quite secure (Same CA, CN, Purposes).

Yeah I don't have any readily available resource but your assumptions regarding the issuance, OU, etc. are correct. If your private keys are set to non-exportable and you practice good PKI practices like multi-tier, offline root, etc. I personally believe disabling binary compare has relatively low risk.