JAMF Pro, Cisco ISE, GUID Certificates

leo-osullivan
Level 1

My university has its JAMF instance in the JAMF Cloud.

We are using Cisco ISE with the Windows fleet for authentication.

We have connected ISE and JAMF together.
We have Azure/Entra user accounts across our university.

We cannot use MAC Addresses to authenticate macOS devices.

We want to use GUID authentication but I can't find any information I can use to build a configuration profile in JAMF Pro that will supply a certificate containing the GUID onto the Mac client that ISE can interrogate for the purposes of authentication.

AD CS is mentioned in documents I have read; we have never had this.
Is it necessary in a post-on-prem Active Directory world?

Can anyone help point me to some information on how to achieve this?

1 Reply

Greg Gibbs
Cisco Employee

Authentication/Authorization and MDM Compliance are two separate concepts in ISE. We cannot currently Authenticate a User or Device against Entra ID for certificate-based auth (EAP-TLS) for reasons described in this blog.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635

What you could do is the following:

  1. Enroll your Jamf Pro MDM managed devices with a Wi-Fi profile and User certificate that includes the UPN and GUID.
  2. Authenticate the User based on certificate trust on ISE and Authorize the session based on Entra ID User group/attribute using the REST ID function (using the UPN as identity in ISE).
  3. Include an Authorization condition based on MDM Registration/Compliance status retrieved from the MDM integration with Jamf Pro.

For items 1 and 3 above, see Integrating Jamf Pro with Cisco ISE 3.1.

For item 2 above, the Entra ID App Registration and ISE REST ID configuration would be similar to the following example:
Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory

This use case requires a CA of some sort to sign the User certificates, which is why you've seen references to AD CS. If you're using the internal Jamf Pro CA, then it performs that function itself.
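The reply above hinges on the user certificate pushed by Jamf Pro actually carrying a UPN and a GUID in its Subject Alternative Name, since ISE takes the UPN from the certificate as the identity for the REST ID lookup. Before building the authorization policy, it is worth checking what a test certificate really contains. The following is an added example, not code from Cisco, Jamf or the thread: a dependency-free Python DER walker that builds a sample SAN value and then parses one, reporting the UPN, the GUID and anything that would break the workflow. It assumes the UPN is carried as the Microsoft `otherName` OID 1.3.6.1.4.1.311.20.2.3 (UTF8String) and that the GUID is carried as `otherName` OID 1.3.6.1.4.1.311.25.1 (OCTET STRING in Windows mixed-endian layout, as in domain controller certificates); the page does not state which encoding ISE expects for the GUID, so treat that placement as an assumption and adjust the OID if your template differs. The input is the DER value of the SubjectAltName extension (what `openssl asn1parse` shows inside that extension), and the sample identity is constructed.

```python
import uuid

# Microsoft otherName OIDs (values from Windows PKI documentation)
OID_UPN = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME: UPN as UTF8String
OID_GUID = "1.3.6.1.4.1.311.25.1"    # szOID_NTDS_REPLICATION: GUID as OCTET STRING (assumed placement)

TAG_SEQUENCE, TAG_OID, TAG_OCTET, TAG_UTF8 = 0x30, 0x06, 0x04, 0x0C
# [0] IMPLICIT otherName and [0] EXPLICIT value share the 0xA0 tag; context tells them apart
TAG_OTHER_NAME, TAG_EXPLICIT0, TAG_RFC822, TAG_DNS = 0xA0, 0xA0, 0x81, 0x82


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(TAG_OID, body)


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _other_name(oid, value_tlv):
    # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }, tagged [0] IMPLICIT
    return _tlv(TAG_OTHER_NAME, encode_oid(oid) + _tlv(TAG_EXPLICIT0, value_tlv))


def build_san(upn, guid=None):
    """Construct a SubjectAltName DER value for test data (constructed, not a real cert)."""
    names = [_other_name(OID_UPN, _tlv(TAG_UTF8, upn.encode("utf-8")))]
    if guid is not None:
        # Assumption: GUID stored in the Windows mixed-endian byte layout
        names.append(_other_name(OID_GUID, _tlv(TAG_OCTET, uuid.UUID(guid).bytes_le)))
    return _tlv(TAG_SEQUENCE, b"".join(names))


def parse_san(der):
    """Walk a SubjectAltName value and pull out the UPN and GUID otherNames."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SAN value must be a SEQUENCE of GeneralName")
    found, pos = {"upn": None, "guid": None, "other": []}, 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == TAG_OTHER_NAME:
            _, oid_body, p = _read_tlv(body, 0)
            oid = _decode_oid(oid_body)
            _, explicit, _ = _read_tlv(body, p)       # strip the [0] EXPLICIT wrapper
            vtag, value, _ = _read_tlv(explicit, 0)
            if oid == OID_UPN and vtag == TAG_UTF8:
                found["upn"] = value.decode("utf-8")
            elif oid == OID_GUID and vtag == TAG_OCTET and len(value) == 16:
                found["guid"] = str(uuid.UUID(bytes_le=value))
            else:
                found["other"].append(("otherName", oid))
        elif tag in (TAG_RFC822, TAG_DNS):
            found["other"].append(("rfc822Name" if tag == TAG_RFC822 else "dNSName", body.decode("ascii")))
        else:
            found["other"].append(("tag 0x%02x" % tag, body.hex()))
    return found


def san_problems(found, upn_domain):
    """List what would stop ISE from using this certificate in the workflow described above."""
    problems = []
    if found["upn"] is None:
        problems.append("no UPN otherName in SAN")
    elif not found["upn"].lower().endswith("@" + upn_domain.lower()):
        problems.append("UPN domain is not %s" % upn_domain)
    if found["guid"] is None:
        problems.append("no GUID otherName in SAN")
    return problems


if __name__ == "__main__":
    sample = build_san("jdoe@example.edu", "12345678-1234-5678-1234-567812345678")  # constructed
    print(parse_san(sample), san_problems(parse_san(sample), "example.edu"))
```

Run it against the SAN bytes of a certificate issued to a test Mac; an empty list from `san_problems` means the certificate carries both identifiers ISE needs, while a missing GUID usually points at the Jamf certificate payload (or the CA template) rather than at ISE.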