Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1013
Views
2
Helpful
5
Replies

ISE GUID

Go to solution
Moudar
VIP
VIP

‎09-27-2023 02:15 AM

Hi,

How can I use the attribute GUID in a condition, I could not find it to choose it!

The idea is to be able to authenticate devices with a certificate that can not be with AD. The certificate will contain the GUID but how to use GUID in ISE?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP
VIP

‎09-27-2023 02:48 AM

 

 - Review this document : https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635
      Look for GUID with find ; some paragraphs may provide hints . 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

0 Helpful
5 Replies 5

Go to solution
marce1000
VIP
VIP

‎09-27-2023 02:48 AM

 

 - Review this document : https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635
      Look for GUID with find ; some paragraphs may provide hints . 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Moudar
VIP
VIP
In response to marce1000

‎09-27-2023 03:14 AM

Still confused about how to use the GUID in a policy, does ISE get it when it does a MDM Compliance check?

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎09-27-2023 09:35 AM

The GUID is usually used for posture/MDM scenarios. The GUID (Globally Unique IDentifier) is only good for one device. I don't know why you would want to have GUID-specific policies - this does not scale.

You then mention authenticating devices with certificates. Certificates have an entirely different set of attributes for use in authorization. You typically authorize by matching on certificate attributes, not an exact GUID.

image.png

thomas_0-1695832521489.gif

 

Go to solution
Moudar
VIP
VIP
In response to thomas

‎09-27-2023 11:10 PM

It is all about MDM (Azure Intune)

Microsoft will deprecate the Intune Network Access Control (NAC) service API on December 31, 2023. This API supports MAC address and UDID-based queries. Once deprecated, all queries from ISE to Intune will need to utilize the Microsoft Compliance Retrieval API. Microsoft's Compliance Retrieval API supports Global Unique Identifier (GUID) as the unique identifier and, as of July 31, 2023, also supports MAC address-based queries.

The idea is to use SCEP and NDES server on devices that can not join the AD.

Enabling this in ISE:

GUID-ISE.JPG

The question is how a MDM device policy will look like?

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Moudar

‎09-28-2023 08:19 AM

Why not to set your policies to look at the certificate issuer name, expiry, and the issuer finger print? that way you will only allow the sessions matching those conditions without going down the GUID route. From ISE perspective you associate a new CAP without connecting it to the AD. That's what I usually do for InTune devices authentication.

Customers Also Viewed These Support Documents