08-22-2024 05:14 AM
My university has its JAMF instance in the JAMF Cloud.
We are using Cisco ISE with the Windows fleet for authentication.
We have connected ISE and JAMF together.
We have Azure/Entra user accounts across our university.
We cannot use MAC addresses to authenticate macOS devices.
We want to use GUID authentication, but I can't find any information I can use to build a configuration profile in JAMF Pro that will supply a certificate containing the GUID to the Mac client, which ISE can then interrogate for the purposes of authentication.
AD CS is mentioned in documents I have read; we have never had this.
Is it necessary in a post-on-prem Active Directory world?
Can anyone help point me to some information on how to achieve this?
08-22-2024 04:03 PM
Authentication/Authorization and MDM Compliance are two separate concepts in ISE. We cannot currently Authenticate a User or Device against Entra ID for certificate-based auth (EAP-TLS) for reasons described in this blog.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635
What you could do is the following:
For items 1 and 3 above, see Integrating Jamf Pro with Cisco ISE 3.1.
For item 2 above, the Entra ID App Registration and ISE REST ID configuration would be similar to the following example.
Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory
This use case requires a CA of some sort to sign the User certificates, which is why you've seen references to AD CS. If you're using the internal Jamf Pro CA, then it performs that function itself.