10-16-2025 06:13 AM
Hello!
I am currently working on a proof of concept for EAP (or PEAP)-TLS Wi-Fi authentication using the following elements:
I read that using an NDES server, it is recommended for the certificate template not to publish associated certificates in AD if you have non-Windows devices to support. We deliver SCEP certificates to Android phones and those are able to connect successfully using a small set of ISE Premier licenses (MDM Compliance checks & device profiling).
I was wondering if AD can still be leveraged to validate machine or user identity if the certificates are not published there? I do not see how ISE can handle this by only having a certificate to start the AuthC & AuthZ process but no identity stores to check against?
Anyone had success implementing this with fairly similar conditions?
10-16-2025 02:16 PM
You get the identity from the certificate Subject or SAN (depending on what your ISE cert profile is set up to do) - the decision to look up that identity somewhere external is optional - you can decide to not perform an auth lookup.
During Authorization, you can perform checks on an AD join point, or LDAP binding - that would be the place to check for membership against an AD Group Membership - LDAP tends to be more efficient and more secure if you have a cut-down replica of your AD Groups in an LDAP directory to search against. But AD is the lowest hanging fruit for such lookups.
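The two-step flow described in the reply above (identity taken from the certificate Subject or SAN, then an optional group lookup against AD/LDAP during authorization), as an added Go example that is not part of this thread and not Cisco ISE code. The attribute names, the `Groups` map standing in for an AD join point or LDAP replica, and the sample certificate are all constructed for the demo.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
)

// IdentityFromCert returns the username a RADIUS server takes from the client
// certificate, according to which attribute the certificate profile reads:
// "subject-cn", "san-email" or "san-dns". "" means the attribute is absent.
func IdentityFromCert(c *x509.Certificate, attr string) string {
	switch attr {
	case "subject-cn":
		return c.Subject.CommonName
	case "san-email":
		if len(c.EmailAddresses) > 0 {
			return c.EmailAddresses[0]
		}
	case "san-dns":
		if len(c.DNSNames) > 0 {
			return c.DNSNames[0]
		}
	}
	return ""
}

// Groups is a constructed stand-in for the AD join point or LDAP replica that
// authorization queries (identity -> group memberships); no cert is stored here.
var Groups = map[string][]string{
	"ANDROID-0042":      {"Wifi-Devices"},
	"jdoe@example.test": {"Wifi-Users", "Staff"},
}

// Authorize grants access only when identity is a member of requiredGroup.
func Authorize(identity, requiredGroup string) bool {
	for _, g := range Groups[identity] {
		if g == requiredGroup {
			return true
		}
	}
	return false
}

// SampleCert is a constructed SCEP-style client certificate (in memory only).
func SampleCert() *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: "ANDROID-0042"},
		EmailAddresses: []string{"jdoe@example.test"}}
}
```

An empty identity (the profile points at an attribute the cert lacks) should fail authentication outright rather than fall through to a group check, which is why the lookup is keyed on the extracted string only.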
10-17-2025 06:31 AM
Sounds good, it does seem to match what I tried earlier & the results I got from it. I will do more tests later with the AuthZ part. Since we already have AD join working, I will reuse existing condition templates.