Re: ISE and Entra ID with 1 certificate for multiple usecases

mverbon · ‎04-25-2024

Hi all,

I read the following URL, posted by Greg:
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635
Great document with lots of detailed information!

I have an additional question about this.
Is the following scenario also possible?:
1 device certificate with the following attributes
CN=UPN username@xxxx.onmicrosoft.com
SAN URI=GUID
And place this certificate in the Computer Certificate Store, and use 802.1x Computer Authentication
Certificate profile is configured to use the CN (UPN)
I think this sceanrio is not described, also the summary does not have this scenario.
What I want to achieve with only 1 Device certificate:
Authentication via EAP-TLS in ISE, Based on 802.1x Computer Authentication
Use the SAN URI for the compliancy check in MS Intune
Use the CN for User Group retrieval and other attributes from Entra ID

Thanks in advance,
Martin

Arne Bier · ‎04-30-2024

Hi @mverbon

Isn't this more of an Azure type of question? In other words, how to use Azure to onboard Windows PC and provision certs and supplicants on Windows OS?

Greg Gibbs · ‎05-05-2024

It sounds like you are wanting to create a Computer certificate template with User attribute values (like UPN) in Intune and push that to the Computer certificate store on the managed device. You would then have the device configured for Computer auth and have ISE authorize the session based on User attributes found in the Computer cert.

I can think of multiple concerns with this scenario, the biggest being the fact that Windows Configuration Profiles for certificates in Intune have a setting for 'Device' versus 'User'. A Device certificate profile will not allow you to specify User attribute (like the UPN) values. This setting would define which certificate store the cert will be deployed to on the device, so I don't think what you want to do is possible from an Intune perspective.