10-21-2022 02:56 AM
Hi Team,
I am facing an "issue" which, to be fair, I haven't seen before. I have set up a Cisco Meraki Wi-Fi solution for a client along with a Cisco ISE. The requirement from the client is to get the employees to authenticate to Wi-Fi against their Active Directory and Intune.
For the first part, all work has been done successfully using AD as the external identity source and EAP-TLS to authenticate with certificates. The certificates are being sent to employees' computers via GPO and of course are not exportable. My problem here is that a lot of computers are registered only with Intune and are not part of AD. According to the client, the hybrid setup they have in Intune is the integration with the on-premises AD, so no Azure AD. Somehow, the tenant in Azure gets the users from the on-premises AD. My question here is how I can integrate Cisco ISE with Intune (hybrid) and force the users to authenticate with certificates as I did with AD. Is there any documentation about Cisco ISE and Intune (hybrid)? I underline the word hybrid, as there is no Azure AD.
The goal here is to get some users to authenticate via AD using certificates and some other users via Intune where their PCs are not part of Active Directory.
Last but not least, if I understand correctly, only one system certificate can be used for EAP authentication. Therefore, somehow Intune and AD have to share the same CA, right?
Many thanks in advance.
10-21-2022 04:52 AM
https://www.youtube.com/watch?v=iAKyIHFqbgE&t=4s
As far as the EAP system certificate on ISE goes, you can only have one certificate bound to EAP on a PSN. As long as the CA that issued that certificate is trusted by all endpoints you are good to go.
10-21-2022 06:31 AM
@ahollifield Thank you for your reply. So in other words I cannot use both AD on-premises and Intune with 2 different certs for authentication.
10-21-2022 10:31 AM
@ahollifield was pretty clear:
As long as the CA that issued that certificate is trusted by all endpoints you are good to go.
ISE authenticates any certificate if it trusts the signing CA of the endpoint's certificate. By trust I mean the CA certificate (and potentially intermediaries) is/are in the ISE Trusted Certificates store.
Will the endpoint trust ISE? It depends on :
1) the endpoint 802.1X supplicant/agent configuration: ✔ certificate validation, or not
2) what certificates are in the endpoint's trusted certificate store. Hopefully the CA that signed your ISE EAP cert is.
3) the certificate you use for ISE PSNs for EAP authentications
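The two trust decisions described in the replies above (ISE trusting the CA that issued the endpoint's certificate, and the endpoint trusting the CA behind the PSN's single EAP certificate) can be modelled locally with throwaway CAs. The script below is an added example, not code from this thread or from Cisco; the CA names, hostnames and file layout are made up for the demonstration, and it only needs openssl in PATH. It issues one client certificate from an "AD" CA and one from an "Intune" CA, issues the PSN's one EAP certificate from the AD CA, and then runs openssl verify against each side's trust store.

```shell
#!/bin/sh
# Added example (not from the thread): model EAP-TLS trust with throwaway CAs.
# "ad-ca", "intune-ca", "rogue-ca" and the *.corp.example names are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed root CA -> NAME.key / NAME.crt
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME EXT_SECTION SUBJECT: leaf certificate NAME.crt signed by CA
issue() {
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$4" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# chains STORE PURPOSE CERT: exit 0 if CERT chains to a CA in the PEM bundle STORE
chains() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

make_ca ad-ca      # enterprise CA behind the GPO-deployed certificates
make_ca intune-ca  # CA issuing to the Intune-only machines
make_ca rogue-ca   # a CA nobody in this deployment trusts

issue ad-ca     ad-laptop     client_ext "/CN=ad-laptop.corp.example"
issue intune-ca intune-laptop client_ext "/CN=intune-laptop.corp.example"
issue rogue-ca  rogue-laptop  client_ext "/CN=rogue-laptop.corp.example"
issue ad-ca     ise-psn       server_ext "/CN=ise-psn.corp.example"   # the one EAP cert on the PSN

# ISE Trusted Certificates store: both issuing CAs, so one EAP cert serves both populations.
cat "$WORK/ad-ca.crt" "$WORK/intune-ca.crt" > "$WORK/ise-trusted.pem"

# Endpoint trust stores: what each supplicant can use to validate the PSN's EAP cert.
cp "$WORK/ad-ca.crt" "$WORK/ad-laptop-store.pem"                                 # pushed by GPO
cp "$WORK/intune-ca.crt" "$WORK/intune-laptop-store.pem"                         # only its own CA
cat "$WORK/intune-ca.crt" "$WORK/ad-ca.crt" > "$WORK/intune-laptop-fixed.pem"    # after pushing the AD root

# ise_accepts NAME: does ISE trust the CA that signed NAME.crt?
ise_accepts() { chains "$WORK/ise-trusted.pem" sslclient "$WORK/$1.crt"; }
# endpoint_trusts_ise STORE: can a supplicant with STORE validate the PSN's EAP cert?
endpoint_trusts_ise() { chains "$WORK/$1" sslserver "$WORK/ise-psn.crt"; }

show() { if "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi; }
show ise_accepts ad-laptop
show ise_accepts intune-laptop
show ise_accepts rogue-laptop
show endpoint_trusts_ise ad-laptop-store.pem
show endpoint_trusts_ise intune-laptop-store.pem
show endpoint_trusts_ise intune-laptop-fixed.pem
```

ise_accepts mirrors the check described above against the ISE Trusted Certificates store: with both issuing CAs loaded, the AD-issued and Intune-issued client certificates both pass while the rogue one fails, even though the PSN has only one EAP certificate. endpoint_trusts_ise mirrors points 2 and 3: the Intune-only machine rejects the PSN's EAP certificate until the AD root is added to its store, which is the step to plan for when the two populations do not share a CA.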
10-24-2022 02:33 AM
Cool, thanks for your replies, guys. I managed to do it by avoiding Intune and importing certificates to the non-domain PCs.
Cheers