Multiple ISE integration with MS Intune

Phil Evans
Level 1

Hi

We have an Azure and Intune tenant where we have multiple subsidiaries with their own Cisco ISE implementations that would (ideally) require the Cisco ISE <> Intune integration. Can anyone from the Cisco community tell me if this is a supported scenario? Can multiple app registrations be created and the associated certificate instances be created so that each organisation can operate independently with their ISE implementations (with a common Azure tenant)?

Would greatly appreciate thoughts!

Thanks

Accepted Solution

Greg Gibbs
Cisco Employee

We might need to understand a bit more detail about what you are trying to achieve.

  • Why would you need separate App Registrations? Are you somehow restricting each App Registration to a specific domain?
  • Are you only concerned about performing MDM lookups using the Intune device GUID and you're still performing authentication of the endpoints/users against traditional AD?
  • What version of ISE are you using?

In my Azure/Intune testing, I have used separate App Registrations (single tenant) in the same Azure tenant for separate ISE instances (for example ISE 3.1 vs 3.2 instances). Both instances are able to perform MDM lookups using the Intune device GUID for the user or computer certificate presented for the EAP-TLS session. This works for both Hybrid Azure AD Joined as well as Azure AD Joined devices as per the scenarios described in the following document.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635

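The layout the accepted answer describes (one Azure tenant, one single-tenant App Registration per ISE deployment, each registration carrying only that deployment's certificate) can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example written for this page; it is not code from the thread, from Cisco, or from the linked knowledge-base article. The subsidiary names, certificate paths and owner UPNs are hypothetical placeholders, and it grants only the Graph application permission that reads managed devices, looked up by name rather than by a hard-coded role GUID; the Cisco article linked above lists the complete permission set the integration needs, and any further permission is granted the same way.

```powershell
# Added example: per-subsidiary single-tenant App Registrations in one Azure tenant,
# each with its own ISE certificate credential, service principal, admin consent and owner.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to create applications
# and grant application permissions. Names, paths and UPNs below are hypothetical.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

# One entry per ISE deployment. CertPath is the public certificate (.cer/.pem) exported from
# that ISE's system certificate; the private key never leaves the ISE node.
$deployments = @(
    @{ Name = "ISE-SubsidiaryA"; CertPath = "C:\certs\ise-subA.cer"; Owner = "ise-admin-a@contoso.example" },
    @{ Name = "ISE-SubsidiaryB"; CertPath = "C:\certs\ise-subB.cer"; Owner = "ise-admin-b@contoso.example" }
)

# Microsoft Graph service principal (well-known appId) and the application role ISE uses for
# managed-device reads. Resolved by name so no role GUID is hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$devRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq "DeviceManagementManagedDevices.Read.All" -and $_.AllowedMemberTypes -contains "Application"
}

foreach ($d in $deployments) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($d.CertPath)

    # Single-tenant registration (AzureADMyOrg) holding only this deployment's certificate,
    # so rotating or revoking it never affects the other subsidiaries.
    $app = New-MgApplication -DisplayName $d.Name -SignInAudience "AzureADMyOrg" `
        -KeyCredentials @(@{
            Type          = "AsymmetricX509Cert"
            Usage         = "Verify"
            Key           = $cert.GetRawCertData()
            DisplayName   = "$($d.Name) ISE system certificate"
            StartDateTime = $cert.NotBefore
            EndDateTime   = $cert.NotAfter
        }) `
        -RequiredResourceAccess @(@{
            ResourceAppId  = $graphSp.AppId
            ResourceAccess = @(@{ Id = $devRole.Id; Type = "Role" })
        })

    # Service principal for the registration, then admin consent expressed as an app role
    # assignment scoped to this principal only.
    $sp = New-MgServicePrincipal -AppId $app.AppId
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $devRole.Id | Out-Null

    # Make the subsidiary's ISE admin an owner so they can rotate their own certificate
    # without holding tenant-wide application rights.
    $owner = Get-MgUser -UserId $d.Owner
    New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($owner.Id)"
    }

    # The three values each ISE needs for its Intune MDM server definition.
    [pscustomobject]@{
        Deployment = $d.Name
        TenantId   = (Get-MgContext).TenantId
        ClientId   = $app.AppId
        Thumbprint = $cert.Thumbprint
    }
}
```

Each ISE deployment then points at the shared tenant ID but its own client ID and certificate, which is what lets the subsidiaries operate independently while all of them resolve the same Intune device GUIDs against one device inventory. A useful check after running it: confirm in the portal that each registration shows exactly one certificate credential and one owner, and that no registration has been granted more than the permissions the Cisco article calls for.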
