Cisco ISE integration with MS Intune hybrid

Nick Mavrou
Level 1

Hi Team,

I am facing an "issue" which, to be fair, I haven't seen before. I have set up a Cisco Meraki Wi-Fi solution for a client along with a Cisco ISE. The requirement from the client is to get the employees to authenticate to Wi-Fi against their Active Directory and Intune.

For the first part, all work has been done successfully using the AD as the external source and using EAP-TLS to authenticate with certificates. The certificates are being sent to employees' computers via GPO and of course are not exportable. My problem here is that a lot of computers are registered only with Intune and they are not part of AD. According to the client, the hybrid setup they have in Intune is the integration with the on-premises AD. So no Azure AD. Somehow, the tenant in Azure gets the users from the on-premises AD. My question here is how I can integrate Cisco ISE with Intune (hybrid) and force the users to authenticate with certificates as I did with the AD. Is there any documentation about Cisco ISE and Intune (hybrid)? I underline the word hybrid, as there is no Azure AD.

The goal here is to get some users to authenticate via AD using certificates and some other users via Intune where their PCs are not part of Active Directory.

Last but not least, if I understand correctly, only one system certificate can be used for EAP authentication. Therefore somehow Intune and AD have to share the same CA, right?

Many thanks in advance. 


4 Replies

https://www.youtube.com/watch?v=iAKyIHFqbgE&t=4s

As far as the EAP system certificate on ISE goes, you can only have one certificate bound to EAP on a PSN. As long as the CA that issued that certificate is trusted by all endpoints you are good to go.

Nick Mavrou
Level 1

@ahollifield Thank you for your reply. So, in other words, I cannot use both AD on-premises and Intune, having 2 different certs for authentication.

@ahollifield was pretty clear:

As long as the CA that issued that certificate is trusted by all endpoints you are good to go.

ISE authenticates any certificate if it trusts the signing CA of the endpoint's certificate. By trust I mean the CA certificate (and potentially intermediaries) is/are in the ISE Trusted Certificates store.

Will the endpoint trust ISE? It depends on:
1) the endpoint 802.1X supplicant/agent configuration: ✔ certificate validation - or not
2) what certificates are in the endpoint's trusted certificate store. Hopefully the CA that signed your ISE EAP cert is.
3) the certificate you use for ISE PSNs for EAP authentications

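The two trust checks described in the reply above (does ISE trust the CA that issued the endpoint's cert; does the endpoint trust the CA that issued ISE's single EAP cert), as an added worked example that is not from this thread. It assumes the `cryptography` package; all CA and host names are constructed.

```python
# Added example, not from the thread: models the two EAP-TLS trust checks
# (ISE trusting the endpoint's issuing CA, and the endpoint trusting the
# issuer of ISE's EAP cert) with the `cryptography` package. Names are constructed.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_key=None, issuer_cert=None, is_ca=False):
    """Issue a certificate for cn; self-signed when no issuer is given. Returns (cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def is_trusted(cert, trust_store):
    """True if a CA in trust_store issued cert and the signature verifies.
    Direct-issuer check only; intermediates would need chain building on top."""
    for ca in trust_store:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            continue
    return False

# Constructed scenario: AD-joined PCs hold certs from the on-prem CA, Intune-only PCs
# from a second CA, and the single ISE EAP server cert is issued by the on-prem CA.
ad_ca, ad_ca_key = make_cert("OnPrem-AD-CA", is_ca=True)
intune_ca, intune_ca_key = make_cert("Intune-CA", is_ca=True)
ad_pc, _ = make_cert("ad-joined-pc", ad_ca_key, ad_ca)
intune_pc, _ = make_cert("intune-only-pc", intune_ca_key, intune_ca)
ise_eap, _ = make_cert("ise-psn", ad_ca_key, ad_ca)
```

With only the on-prem CA in ISE's trusted store, the Intune-issued endpoint cert is rejected until the Intune CA is added; the single ISE EAP cert is accepted by an endpoint only if that endpoint's store holds the on-prem CA.
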
Nick Mavrou
Level 1

Cool, thanks for your replies, guys. I managed to do it by avoiding Intune and importing certificates to the non-domain PCs.

Cheers