ISE 3.2 Azure AD - Intune authentication/authorization certificates

Carlos T
Level 1

Hi,

After reading this article many times, I would like to clarify the following for a cloud-only environment (Azure AD and Intune, NO ADCS and NO traditional AD):

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune - Page 2 - Cisco Community


Authentication Questions:

1. For dot1x authentication with Entra ID (Azure AD) using REST, only user authentication is possible, and not computer authentication? There is no need for a certificate, as only the user credentials (Azure AD credentials) are needed every time the user connects to the network? So no need to deploy/push a certificate for authentication to succeed?

2. For dot1x authentication with Entra ID (Azure AD) using EAP-TLS, do we need to deploy a certificate for the user, and a separate certificate for the device? If we don't have ADCS, is there any method to deploy the user and device certificates? I see a device certificate is automatically sent by Intune to the registered devices (device cert signed by "Microsoft Intune MDM Device CA"), but what about a user certificate?

3. Can the Intune-deployed certificate signed by "Microsoft Intune MDM Device CA" be used for authentication? I see it is only referenced in the authorization part of the document, but not for authentication. And as I believe it is a device certificate, can it be used only for device authentication but not user authentication?


Authorization

Finally, for authorization, will it just be ISE querying Intune whether the device is compliant or not, and is it correct that for that it will use the device certificate (the one that is automatically sent by Intune to the registered devices, signed by "Microsoft Intune MDM Device CA")?


So for authentication and authorization, does it use the same certificate, or different certificates? A user certificate for authentication and a device certificate for authorization?


Thanks


Accepted Solution

Greg Gibbs
Cisco Employee

1. For dot1x authentication with Entra ID (Azure AD) using REST, only user authentication is possible, and not computer authentication? There is no need for a certificate, as only the user credentials (Azure AD credentials) are needed every time the user connects to the network? So no need to deploy/push a certificate for authentication to succeed?

As discussed in the referenced document, there is no way to authenticate a 'Device' against Entra ID.
For the EAP-TTLS(PAP) use case, no certificate is required. It requires ROPC configured as per the Configure ISE 3.0 REST ID with Azure Active Directory guide. This use case is also limited to a maximum of 50 authentications per second, as per the Performance and Scalability Guide for Cisco ISE.
As there is no way for ISE to learn the GUID, it is not possible to use Intune compliance as an authorization condition for this use case.

2. For dot1x authentication with Entra ID (Azure AD) using EAP-TLS, do we need to deploy a certificate for the user, and a separate certificate for the device? If we don't have ADCS, is there any method to deploy the user and device certificates? I see a device certificate is automatically sent by Intune to the registered devices (device cert signed by "Microsoft Intune MDM Device CA"), but what about a user certificate?

Yes, you must have a user certificate for EAP-TLS. You would need a PKI solution that is capable of integrating with Intune to enrol a computer and/or user certificate on behalf of the endpoint. The certificate must also have the GUID inserted for ISE to perform a compliance check against Intune.

Intune does not enrol a User certificate that is suitable for dot1x User authentication or Intune compliance check by ISE.

3. Can the Intune-deployed certificate signed by "Microsoft Intune MDM Device CA" be used for authentication? I see it is only referenced in the authorization part of the document, but not for authentication. And as I believe it is a device certificate, can it be used only for device authentication but not user authentication?

This question was answered in this duplicate post - https://community.cisco.com/t5/network-access-control/ise-3-2-dot1x-authentication-with-intune-issued-certificates/td-p/4964739

The referenced document discusses how Windows presents the Computer cert in the Computer state and the User cert in the User state. ISE performs authorization based on the certificate values presented by the client in the relevant state.
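As an added example (not from this thread, Cisco, or Microsoft), a check a practitioner could run on a certificate the PKI enrolled via Intune, to confirm it actually carries a device GUID before expecting the ISE compliance lookup described above to work. It assumes the GUID is placed in a SAN URI of the form `IntuneDeviceId://<GUID>` and uses the `cryptography` package; `make_test_cert` only builds a constructed self-signed certificate so the check runs offline.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

# Assumed SAN URI prefix for the Intune device ID (the thread only says "GUID").
INTUNE_URI_PREFIX = "IntuneDeviceId://"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def extract_intune_guid(cert_pem: bytes) -> Optional[str]:
    """Return the well-formed Intune device GUID from the SAN URI, else None."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None  # no SAN at all: ISE has nothing to look up in Intune
    for uri in san.get_values_for_type(x509.UniformResourceIdentifier):
        if uri.startswith(INTUNE_URI_PREFIX):
            guid = uri[len(INTUNE_URI_PREFIX):]
            if GUID_RE.match(guid):
                return guid.lower()
    return None  # SAN present but no usable GUID


def make_test_cert(upn: str, device_id: Optional[str]) -> bytes:
    """Constructed self-signed user cert for demonstration only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    now = datetime.now(timezone.utc)
    sans = [x509.RFC822Name(upn)]  # user identity, as a user cert would carry
    if device_id is not None:
        sans.append(x509.UniformResourceIdentifier(INTUNE_URI_PREFIX + device_id))
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName(sans), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(Encoding.PEM)


if __name__ == "__main__":
    # Constructed sample GUID, not a real Intune device ID.
    print(extract_intune_guid(make_test_cert("alice@example.com",
                                             "3f2504e0-4f89-11d3-9a0c-0305e82c3301")))
```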


7 Replies


carrols1
Level 1

Hi,
I also have the same question about the user certificate of Azure Entra ID users. According to this configuration guide https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html I tried with ISE 3.2 patch 5, but authentication was not successful. For the EAP-TLS authentication process, how is that user certificate deployed for each user? Do we have to deploy a user certificate for each user, or is it done automatically by Cisco ISE?
User certificate: 
Screenshot (244).png


I'm not sure I understand the question. You mention that authentication was not successful, but you only shared a screenshot of your Authorization policy. What is the exact problem, what does the relevant policy look like, and what are you seeing in the detailed logs?

As stated in the documents, ISE authentication is only performed based on a valid and trusted certificate. With EAP-TLS, ISE needs to trust the client certificate, and the client needs to trust the ISE EAP certificate, so you need to ensure both the client and ISE have the necessary Root/Intermediate CA certificates in their relevant trust stores.

The certificate enrolment on the client is done by Intune. Each user should have a unique certificate and ISE is not involved in the enrolment process.

I have two questions:

1. If I use on-prem PKI will that have to be called from Intune as certificate connector?

2. Can I still continue without pxGrid on ISE if I want to use on-prem PKI for NAC via Azure ISE?

1. If you intend to use the MDM integration for ISE to check compliance against Intune, then Intune must be integrated with your PKI so the GUID can be inserted in the certificate.

2. pxGrid has no specific relation to either the PKI or authorization against Entra ID.

1. Is that possible without ISE premier license? I thought for compliance check we need ISE premier? I have essentials license, do I need to upgrade to advantage or premier? 

And what if the certificate connector in Intune integrates with Jamf Pro (to support macOS) in the above scenario?

Yes, the MDM integration features require the Premier licensing. See the ISE Licensing Guide for more information.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

The Intune Certificate Connector provides integration with your PKI, not with another MDM (Jamf Pro, in this case).

This conversation has strayed far past the original topic of discussion. For any new queries, please submit a new question on the Community.