Cisco ISE with AADJ device and user first login

nieks
Level 1

Hi,

I want to deploy Cisco ISE 3.2 with EAP-TLS authentication and AAD user group authorization.

I've seen post: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

I'm sure this will work. But what about when trying to log in with a user that has never logged in on that device yet?

The user certificate is not yet loaded onto the client, right? And the device can't log in to Windows because the device has not authenticated to ISE yet, so it doesn't have a connection to the internet/AAD to match the credentials against AAD.

Do we need to provision the client also with a computer certificate, which can authenticate the computer with restricted access to AAD only? And configure the Windows supplicant with user or computer authentication?


4 Replies

Correct, this is one of the reasons to use machine certificates and not user certificates. Or better yet, use TEAP: chain a machine certificate EAP-TLS authenticating just the machine, then chain a user certificate EAP-TLS once the user logs in.

Your "machine authentication only" authz profile should allow enough access for the PC to contact the CA, enroll and obtain a user certificate.

Thanks, but in https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635 it is mentioned that computer authentication is not supported when using AAD. Would combining AAD user authentication/authorization with only computer certificate authentication be possible? I'm concerned that it wouldn't, because it is also stated there that EAP chaining is not supported when using AAD.

"This flow has the following caveats and limitations:

  • Computer authentication is not possible as there is no Device credential/password concept in Azure AD
  • The User Principal Name (UPN) must be used in either the Certificate 'Subject – Common Name' or 'Subject Alternative Name' field
  • The ISE Certificate Authentication Profile (CAP) used for Authentication must be configured to use the field with the UPN for the identity
  • Technically, TEAP(EAP-TLS) is supported for this flow but neither Computer authentication nor EAP Chaining are supported so there is no value in using TEAP over standard EAP-TLS"

You are correct, but as I understand it, you can still push a machine certificate and use that for authc; you just can't authorize that specific transaction against Azure AD. You are also correct on the caveat with TEAP; there was a community discussion on this in the past as well. IIRC, an enhancement request was filed for this to get added in a later version.

Thanks. I think the best solution for now is to use a machine certificate when in computer state, and a user certificate + AAD user group for user state.

It's unfortunate that the two can't be chained together, because I would prefer both user and machine to be authenticated when in user state. But I think it will come in a later version.
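The two-state design this thread lands on, as an added Python model written for this page (not ISE code, not the poster's configuration): a machine certificate is accepted on its own and gets a restricted profile with no Azure AD lookup, while a user certificate is authorized by the AAD group found for the UPN the CAP extracts. All names, groups and profiles are constructed.

```python
"""Constructed model of ISE's decision for the machine-state / user-state split.

Machine template  -> authc on the certificate alone, restricted "machine-only"
                     profile, no Azure AD authz attempted (not possible for computers).
User template     -> CAP reads the UPN from the configured field, AAD group lookup
                     decides the profile; without a UPN ISE cannot derive an identity.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Azure AD group membership (not real tenant data).
AAD_GROUPS = {
    "alice@example.com": {"Corp-Laptops-Users", "Finance"},
    "bob@example.com": {"Corp-Laptops-Users"},
}


@dataclass
class Cert:
    subject_cn: str
    san_upn: Optional[str] = None   # SAN otherName UPN, if the template carries one
    template: str = "User"          # "Machine" or "User" (constructed labels)


def cap_identity(cert: Cert, cap_field: str = "san_upn") -> Optional[str]:
    """CAP picks the identity from the configured field; AAD needs a UPN there."""
    value = getattr(cert, cap_field)
    return value if value and "@" in value else None


def authorize(cert: Cert, cap_field: str = "san_upn") -> dict:
    """Return the authz outcome for one EAP-TLS session."""
    if cert.template == "Machine":
        # Authc succeeds on the cert; only enough access to reach the CA and AAD.
        return {"result": "permit", "profile": "machine-only", "identity": cert.subject_cn}
    upn = cap_identity(cert, cap_field)
    if upn is None:
        return {"result": "reject", "reason": "no UPN in CAP field"}
    groups = AAD_GROUPS.get(upn)
    if groups is None:
        return {"result": "reject", "reason": "user not found in Azure AD"}
    profile = "finance-user" if "Finance" in groups else "corp-user"
    return {"result": "permit", "profile": profile, "identity": upn}


def first_login(machine_cert: Cert, user_cert_after_enroll: Cert) -> list:
    """Two separate sessions (no EAP chaining against AAD): machine state first,
    user certificate enrolled over that restricted access, then user state."""
    steps = [authorize(machine_cert)]
    if steps[0]["result"] == "permit":
        steps.append(authorize(user_cert_after_enroll))
    return steps
```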