Is it possible to do 802.1x Authentication for Entra ID Joined Machine

MSJ1
Level 1

Is it possible to do 802.1X authentication for an Entra ID joined machine?

My Entra joined machines are not domain joined, so my understanding is that a cert cannot be assigned to an Entra ID joined machine.

So how do I do 802.1X authentication for an Entra ID joined machine?

6 Replies
Certs might be able to be manually installed on the device to authenticate against ISE. I believe it will require extra configuration on the ISE server to allow devices with the installed certificate, as long as ISE is reachable from the device.

-David

Arne Bier
VIP

Any endpoint that has an 802.1X supplicant on it (Domain Joined Windows PC, Entra Joined Windows PC, iPhone, etc.) can be authenticated against a RADIUS server such as ISE. The EAP-TLS negotiation starts off by the RADIUS server providing its EAP certificate - and the client should trust that, but it's optional. The RADIUS server MUST validate the trust of the endpoint's cert by having the client cert's CA chain installed - so ... if the Entra joined PC has an 802.1X cert on it (either manually installed or via Intune/MS magic), then the Root CA and Issuing CA(s) involved in the creation of those certs must be installed in ISE, to allow ISE to trust the client certs.

That's authentication.

If you want to check whether that client cert is a member of some Entra ID group, then you need an ISE version that has a ROPC link to Entra to query those groups. There's a lot written about this type of authentication with Entra ID by Greg Gibbs.

@Arne Bier Yes, I have gone through the steps, but if you check his doc, the section below of his document, and especially the bold-marked item, is a security concern.

Entra Joined Device and Entra User with TEAP(EAP-TLS) and EAP Chaining

As with the use cases described above, it is important to understand that ISE is not capable of performing Authentication against Entra ID for either the Device or User. The Authentication in this case is only based on the client presenting a valid User and Device certificate that is trusted by ISE. The User credential provided within the certificate is not checked against any Identity Store, which could raise security concerns with some organizations.

No, you cannot.

Entra ID is used only for user certs, not machine certs.

That's what I know.

MHM

MSJ1
Level 1

Hi Greg,

@Greg Gibbs 

Refer to the documentation below, especially the User Credential part. I had 802.1X auth for AD joined machines. I do not remember that a User Credential check was an option I manually set up when I integrated 802.1X with AD-based laptops. Do you think there should be an option to check the User Credential, or does it do it automatically as part of its working process?

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-1884295217

""" Entra Joined Device and Entra User with TEAP(EAP-TLS) and EAP Chaining

As with the use cases described above, it is important to understand that ISE is not capable of performing Authentication against Entra ID for either the Device or User. The Authentication in this case is only based on the client presenting a valid User and Device certificate that is trusted by ISE. The User credential provided within the certificate is not checked against any Identity Store, which could raise security concerns with some organizations. """

With traditional AD, if the AD Join point is selected as the Identity Store (Use) or in the Identity Source Sequence used in the Authentication Policy, ISE will check that the User/Device object exists in AD as part of the Authentication process.

There is no equivalent operation when using Entra ID.
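The following script is an added example and is not code from this thread, from Cisco ISE or from Greg Gibbs' document. It builds a throwaway PKI with the openssl CLI and separates the two steps the posts above keep apart: Arne Bier's point that the RADIUS server must hold the client cert's Root CA and Issuing CA to validate the chain (that is the authentication), and the quoted Cisco note that a valid chain says nothing about whether the identity named in the cert still exists in an identity store. Every name (Example Root CA, Example Issuing CA, DESKTOP-001, DESKTOP-999, Other Root CA), every file and the identity-store list are constructed for the demo; the text file stands in for the directory lookup ISE performs against AD but not against Entra ID.

```shell
#!/bin/sh
# Added example, not code from this thread or from Cisco ISE. Builds a throwaway PKI
# with the openssl CLI and separates the two steps the posts above talk about:
#   1. chain validation: the RADIUS server accepts a client certificate only when it
#      holds the Root CA and Issuing CA that produced it ("that's authentication").
#   2. identity lookup: checking the identity named in the certificate against an
#      identity store, which the quoted Cisco text says ISE does not do for Entra ID.
# Every name, file and list entry below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Create a key + CSR and have the given CA sign it.
# $1=file stem  $2=subject CN  $3=issuer cert  $4=issuer key  $5=extension file
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 1 -extfile "$5" -out "$1.pem" >/dev/null 2>&1
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

    # Corporate PKI: a self-signed root with one issuing CA underneath it.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1
    issue_cert issuing "Example Issuing CA" root.pem root.key ca.ext

    # What ISE needs in its trusted-certificate store: the whole chain, not just the root.
    cat root.pem issuing.pem > ise-trust-store.pem

    # Two device certificates from the corporate issuing CA.
    issue_cert device "DESKTOP-001" issuing.pem issuing.key client.ext
    issue_cert stale "DESKTOP-999" issuing.pem issuing.key client.ext

    # A certificate with the same CN, issued by a CA that ISE was never told to trust.
    openssl req -new -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
        -subj "/CN=Other Root CA" >/dev/null 2>&1
    openssl x509 -req -in other.csr -signkey other.key -days 1 -extfile ca.ext \
        -out other.pem >/dev/null 2>&1
    issue_cert rogue "DESKTOP-001" other.pem other.key client.ext

    # Stand-in for the directory: DESKTOP-999 was removed but still holds a valid cert.
    printf 'DESKTOP-001\nLAPTOP-042\n' > identity-store.txt
}

# Step 1: does the certificate chain up to a CA in the trust store? (what ISE checks)
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The identity asserted by the certificate's subject CN.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//'
}

# Step 2: is that identity known to the directory? (the check skipped for Entra ID)
in_identity_store() { grep -qxF "$(cert_cn "$1")" "$2"; }

build_pki
for c in device stale rogue; do
    if verify_chain "$c.pem" ise-trust-store.pem; then chain=trusted; else chain=untrusted; fi
    if in_identity_store "$c.pem" identity-store.txt; then known=known; else known=unknown; fi
    echo "$c.pem: CN=$(cert_cn "$c.pem") chain=$chain identity=$known"
done
```

Running it shows the three outcomes side by side: device.pem passes both checks; stale.pem has a perfectly valid chain but its CN is no longer in the store, which is the gap Greg's text describes for Entra ID joined devices; rogue.pem carries a CN that is in the store, yet fails because its issuing CA is not in the trust store, which is why the name inside a certificate means nothing until the chain is validated. Verifying device.pem against root.pem alone also fails, illustrating why the Issuing CA has to be installed in ISE alongside the Root CA (unless the supplicant sends the intermediate itself).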