10-16-2025 06:13 AM
Hello!
I am currently working on a proof of concept for EAP (or PEAP)-TLS Wi-Fi authentication using the following elements:
I read that using an NDES server, it is recommended for the certificate template not to publish associated certificates in AD if you have non-windows devices to support. We deliver SCEP certificates to Android phones and those are able to connect successfully using a small set of ISE Premier licenses (MDM Compliance checks & device profiling).
I was wondering if AD can still be leveraged to validate machine or user identity if the certificates are not published there? I do not see how ISE can handle this by only having a certificate to start the AuthC & AuthZ process but no identity stores to check against?
Anyone had success implementing this with fairly similar conditions?
10-16-2025 02:16 PM
You get the identity from the certificate Subject or SAN (depending on what your ISE cert profile is set up to do) - the decision to look up that identity somewhere external is optional - you can decide to not perform an auth lookup.
During Authorization, you can perform checks on an AD join point, or LDAP binding - that would be the place to check for membership against an AD Group Membership - LDAP tends to be more efficient and more secure if you have a cut-down replica of your AD Groups in an LDAP directory to search against. But AD is the lowest-hanging fruit for such lookups.
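The flow described in the reply above (identity taken from the certificate, then an optional group lookup at authorization time), written out as an added example. This is my code, not ISE's and not something posted in the thread. It assumes a Go standard-library toy: `IdentitySource` stands in for the certificate profile's "use Subject CN / SAN dNSName / SAN rfc822Name" choice, `SampleDirectory` is a constructed map standing in for the AD join point or LDAP replica, and `NewTestCert` mints a self-signed client certificate in place of a SCEP-issued one so everything runs offline. All of those names and values are assumptions. The one step the thread does not spell out but a RADIUS server always performs first is kept in `Decide`: the certificate has to chain to a trusted CA and be valid for client authentication before any name inside it is believed. Because the test certificate is self-signed, the example trusts the certificate itself; in production the pool holds the issuing CA chain, and revocation checking (omitted here) is added on top.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IdentitySource mirrors the certificate-profile choice of which field names the principal (my names, not ISE's).
type IdentitySource int

const (
	SubjectCN  IdentitySource = iota // Subject Common Name
	SANDNSName                       // first SAN dNSName, typical for machine certificates
	SANEmail                         // first SAN rfc822Name, typical for user certificates
)

// SampleDirectory stands in for the AD join point or LDAP replica consulted during authorization.
// Constructed data: lower-cased identity -> group memberships.
var SampleDirectory = map[string][]string{
	"laptop01.corp.example.com": {"Domain Computers", "WiFi-Devices"},
	"alice@corp.example.com":    {"Domain Users", "WiFi-Users"},
}

// IdentityFromCert takes the principal name from the certificate alone; no identity store is consulted.
func IdentityFromCert(cert *x509.Certificate, src IdentitySource) (string, error) {
	names := map[IdentitySource][]string{
		SubjectCN:  {cert.Subject.CommonName},
		SANDNSName: cert.DNSNames,
		SANEmail:   cert.EmailAddresses,
	}[src]
	if len(names) == 0 || names[0] == "" {
		return "", errors.New("certificate lacks the identity field the profile expects")
	}
	return names[0], nil
}

// Authorize is the optional external lookup: is the extracted identity a member of the required group?
func Authorize(dir map[string][]string, identity, requiredGroup string) bool {
	for _, g := range dir[strings.ToLower(identity)] {
		if strings.EqualFold(g, requiredGroup) {
			return true
		}
	}
	return false
}

// Decide runs the whole flow. The chain check must pass before any name in the certificate is trusted
// (revocation is out of scope here); an empty requiredGroup skips the directory lookup, i.e. certificate-only auth.
func Decide(leaf *x509.Certificate, roots *x509.CertPool, src IdentitySource, dir map[string][]string, requiredGroup string) (string, bool, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", false, fmt.Errorf("certificate rejected: %w", err)
	}
	identity, err := IdentityFromCert(leaf, src)
	if err != nil {
		return "", false, err
	}
	if requiredGroup == "" {
		return identity, true, nil
	}
	return identity, Authorize(dir, identity, requiredGroup), nil
}

// NewTestCert mints a self-signed client certificate plus a pool trusting it (constructed for the example only).
func NewTestCert(cn string, dns, emails []string) (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns, EmailAddresses: emails,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool, nil
}

func main() {
	leaf, roots, err := NewTestCert("laptop01.corp.example.com", []string{"laptop01.corp.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(Decide(leaf, roots, SANDNSName, SampleDirectory, "WiFi-Devices"))
}
```

The shape worth noticing is that `Authorize` is the only place the directory appears: authentication succeeds on the certificate alone once the chain validates, which is why the certificates never need to be published in AD. What the lookup buys you is policy, for instance requiring the machine identity in a device group and the user identity in a user group, and a machine certificate presented against a user-group rule is denied rather than treated as an unknown user.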
10-17-2025 06:31 AM
Sounds good, it does seem to match what I tried earlier & the results I got from it. I will do more tests later with the AuthZ part. Since we already have AD join working, I will reuse existing condition templates.
10-20-2025 05:53 AM
Without much to add in terms of configuration to the existing external authentication sources, I was able to set up this lookup fairly simply. All is seamless if the device has been used by the logged-in user & they have their SCEP certificates.
Now the next challenge will be to find a way to work around the EAP-TLS design until Intune officially adds TEAP configuration for EAP-Chaining. Right now we can either do machine auth only or machine + user if the latter have their certificates issued in time.
10-20-2025 03:37 PM
You can work around that limitation by exporting the Wifi Profile in XML from a working computer and importing it into Intune. I show that example in my Autopilot blog post here:
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-and-microsoft-windows-autopilot/ta-p/5256754#toc-hId-352566538