ISE 2.4 Dot1x Certificate

yurii.chornyi
Level 1

Hello to everyone! 

I'm testing ISE 2.4 for future deployment. Here are 2 main goals:

1. Full integration for dot1x with EAP-TLS.

2. Client posturement and integration with MS Intune.

I'm stuck on the first point though. ISE uses Azure ADDS as its identity store. We don't have a classic on-prem AD. Authentication itself works fine. Certificates are generated via the Certificate Provisioning portal.

But here is the problem. Since all clients are connected to MS Intune, they get a default certificate which is stored in the Personal user certificates store. When I install the certificate generated via the portal, it is put into the same directory and has the same CN (user@mydomain.com). So 2 certificates with the same CN user@mydomain.com are placed in the same folder. So when the user clicks "use certificate for auth", the wrong certificate is used by Windows (the default one from Intune).

Is it possible to somehow change the order of the certificates, or might there be another solution? Could Client Provisioning with a Native Supplicant configuration solve the issue?

5 Replies

Mike.Cifelli
VIP Alumni
So I know there is a way using the AnyConnect NAM module as your supplicant to configure profiles with certificate mapping based on criteria such as issuer or subject fields. For the native supplicant you should be able to use GPOs to configure your certificate selection. Under the Smart Card or other Certificate Properties 'when connecting' pane, click Advanced. You should be able to configure certificate selection based on a certificate issuer. Or you can attempt to uncheck 'use simple certificate selection' in hopes that the end user will be prompted to select which cert. HTH!
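
Added example, not part of the original thread: before pinning the native supplicant to one issuer, an administrator can check on a client which client-authentication certificates share a subject in the user's Personal store and which issuer each one has. The output column name `Ambiguous` is a label chosen for this example; certificates with no EKU extension are skipped here as a simplifying assumption.

```powershell
# Added example: list usable client-auth certificates in the current user's
# Personal store and flag subjects that exist under more than one issuer.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Keep only certificates that can be offered for EAP-TLS: private key present,
# not expired, and Client Authentication listed in the EKU extension.
# Assumption: certificates without any EKU extension are ignored.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

# Group by subject; a subject seen under several issuers is the case where
# simple certificate selection may pick the wrong certificate.
$candidates | Group-Object -Property Subject | ForEach-Object {
    $issuers = @($_.Group | Select-Object -ExpandProperty Issuer -Unique)
    foreach ($cert in $_.Group) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Ambiguous  = ($issuers.Count -gt 1)
        }
    }
} | Sort-Object Subject, Issuer | Format-Table -AutoSize -Wrap
```

Rows marked `Ambiguous` show the issuer names to choose between when restricting certificate selection to a single issuer.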

Yes, Thank you!

I've chosen only one certificate issuer and it works fine.

Another question. Does anybody know how to generate certificates on ISE automatically? Maybe in some collaboration with Intune...

Please open a separate discussion on what exactly this intune query is

piotrPaszk
Level 1

Hello,

I am reading your post and just wonder how you managed to integrate Azure ADDS as an identity store in ISE?

Best regards,

Piotr

 

piotrPaszk
Level 1

Hi,

I am reading your post and I wonder how you managed to integrate Azure ADDS as an identity store in ISE?

Best regards,

Piotr
