Question regarding integrating Microsoft Intune with ISE 2.4

antonioyan99 (Level 1)

Hi Cisco Guru,

I am working on an integration for ISE to work with Microsoft Intune (MDM). The client was able to configure MDM in ISE; however, we could not find where to add this MDM server into the authentication policy (e.g. the option to authenticate against AD or Internal Endpoints etc.). Did we miss something?

In the authorization policy, we were able to identify MDM attributes to be used in the rules.

Appreciate any help here.

Thanks.


3 Replies

Arne Bier (VIP)
Microsoft Intune is not an authentication source. You might be confusing it with AzureAD. You cannot authenticate against Intune. You also cannot authenticate against AzureAD. But you could perform an LDAP lookup against AzureAD for user Group Membership etc. But there is no alternative to an on-prem AD Server.

Thank you for the clarification. Can you please suggest how to perform the authentication?

Here is the scenario:

An endpoint which is registered in MDM only (not local AD) connects to the SSID using dot1x; the WLC sends an authentication request to ISE. How does ISE perform the authentication? Where can it send the authentication request?

Accepted Solution

If the 802.1X authentication uses EAP-TLS (MDM enrols clients with profile and cert) then ISE can just validate the cert using its Trust Store. In theory you could also pick out the username from the cert and then perform a secure LDAP lookup against AzureAD (if those MDM enrolled user identities exist there).

If the 802.1X authentication uses EAP-PEAP then you can use ISE local User lookups (internal database) or AD lookups. But you said these identities don't exist in AD so that would mean you need to duplicate all those either in an AD somewhere, or duplicate/create them all in ISE internally. Sounds messy.
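The EAP-TLS path from the accepted solution, as an added example that is not part of this thread and not Cisco ISE code: a small Go program that stands in for what the RADIUS server does with the client certificate, which is to chain it to the trust store and then read the username out of it. It builds its own test PKI (an MDM issuing CA, an unrelated CA, and the sample device/user names are all constructed), keeps only the MDM CA in the trust store, and runs four client certificates through the check: a valid MDM-issued user cert, a cert with only a CN, an expired cert, and one issued by the unrelated CA. Assumptions of this example, not facts from the thread: the user identity is carried as an rfc822Name SAN (Intune-issued user certificates typically carry the UPN in an otherName SAN instead, which Go's x509 parser does not surface), with the Subject CN as the fallback; the types and function names (trustStore, Identity, authenticateClientCert, Demo) are this example's own. The secure LDAP lookup against AzureAD that the solution mentions as the next step is not shown; the Identity value returned is what that lookup would key on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// trustStore stands in for the ISE trust store (the CAs allowed to issue EAP-TLS client certs).
// Identity is what survives EAP-TLS: the username read from the cert, the key for any later LDAP/AD group lookup.
type trustStore struct{ roots *x509.CertPool }
type Identity struct{ Username, Source string }

// authenticateClientCert is the server-side EAP-TLS check: chain the client cert to the trust store (expiry,
// CA constraints and clientAuth EKU included), then pick the identity. Assumed order: SAN rfc822Name, then CN.
func (ts trustStore) authenticateClientCert(cert *x509.Certificate, now time.Time) (Identity, error) {
	opts := x509.VerifyOptions{Roots: ts.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Identity{}, fmt.Errorf("certificate not trusted: %w", err)
	}
	if len(cert.EmailAddresses) > 0 {
		return Identity{cert.EmailAddresses[0], "SAN:rfc822Name"}, nil
	}
	if cert.Subject.CommonName != "" {
		return Identity{cert.Subject.CommonName, "Subject:CN"}, nil
	}
	return Identity{}, fmt.Errorf("no usable identity in certificate")
}

// Constructed test PKI (P-256 keys, sequential serials, NotBefore fixed 25h before NotAfter); not production code.
var serial int64

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(serial), tmpl.NotAfter.Add(-25*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))))
}

func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, key, key), key // self-signed
}

// clientCert mimics what MDM enrolment pushes to a device: CN = device name, user identity in the SAN (optional).
func clientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, email string, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if email != "" {
		tmpl.EmailAddresses = []string{email}
	}
	return issue(tmpl, ca, newKey(), caKey)
}

// Demo runs a constructed scenario (sample names, not from the thread) against a trust store holding only the
// MDM CA: a valid MDM-issued user cert, a CN-only cert, an expired cert, and one issued by an unrelated CA.
func Demo() map[string]string {
	mdmCA, mdmKey := newCA("Contoso Intune Issuing CA")
	otherCA, otherKey := newCA("Some Other CA")
	pool := x509.NewCertPool()
	pool.AddCert(mdmCA)
	ise, now := trustStore{roots: pool}, time.Now()
	cases := map[string]*x509.Certificate{
		"good":         clientCert(mdmCA, mdmKey, "alice-laptop", "alice@contoso.example", now.Add(time.Hour)),
		"cn-only":      clientCert(mdmCA, mdmKey, "carol", "", now.Add(time.Hour)),
		"expired":      clientCert(mdmCA, mdmKey, "bob-laptop", "bob@contoso.example", now.Add(-time.Minute)),
		"untrusted-ca": clientCert(otherCA, otherKey, "alice-laptop", "alice@contoso.example", now.Add(time.Hour)),
	}
	results := map[string]string{}
	for name, cert := range cases {
		if id, err := ise.authenticateClientCert(cert, now); err != nil {
			results[name] = "REJECT: " + err.Error()
		} else {
			results[name] = fmt.Sprintf("ACCEPT %s (%s)", id.Username, id.Source)
		}
	}
	return results
}

func main() {
	for name, r := range Demo() {
		fmt.Printf("%-13s %s\n", name, r)
	}
}
```

The two rejections are what the trust-store approach gives you without any directory at all: an expired certificate and one chained to a CA the server does not trust, which is also why the set of CAs trusted for client authentication should be limited to the MDM issuing CA(s) rather than every public root. Whether the user is still active and which groups they belong to is not in the certificate; that is the LDAP/AD step the accepted solution describes.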