Nate Zhang
Cisco Employee

Which Certificate (service) is used to integrate with Intune? Is EKU required for both Server and Client auth?

Hi Experts,

I'm following the guide to integrating ISE with Intune.

In the step of 'Export ISE System Certificate', I got stuck since my customer uses all CA-signed certificates separated by Admin, Portal, EAP-Auth, pxgrid service.

Which one shall I export in this case?

Additionally, if it is the EAP-Auth cert I should export, is it needed to have both EKUs, client authentication (1.3.6.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1), in the certificate?

Currently, we only have Server auth for the purpose of client 802.1x EAP-TLS.

Accepted Solutions
Mohammed al Baqari
VIP Advisor

Hi,

The certificate is the Admin one because Intune and ISE communicate using
APIs (not EAP).

Regarding the EKU, it has to be client/server authentication for mutual
authentication between Intune and ISE.

Hi Mohammed,

Thank you for your response. Is the EKU mandatory?
I'm referring to doc: https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897
It is said only pxgrid cert requires both server/client auth EKU.

If I have to revise my admin cert with both EKUs, I think I have to deregister my cluster (8 nodes) and register again with the new cert, am I right?

I replied to your private message :)

What Mohammed al Baqari said appears correct. It appears Microsoft Intune is using the ISE admin certificate(s) to validate the requests and, hence, the client auth on them.

Thank you for your verification.
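
One way to check, before uploading an exported Admin certificate, whether it carries both EKUs named in the accepted answer. This is an added example, not part of the thread or of Cisco's guide; it assumes the certificate is available as a PEM file and that OpenSSL 1.1.1 or later is installed, and the two sample certificates and their names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether a PEM certificate carries serverAuth and clientAuth EKUs.
# All file names and the CN below are constructed samples, not values from the thread.

# eku_list CERT.pem -> prints the EKU value line; empty if there is no EKU extension
eku_list() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# has_eku CERT.pem NAME -> exit 0 if the EKU list contains NAME (OpenSSL's display name)
has_eku() {
    eku_list "$1" | grep -q "$2"
}

# check_mutual_auth CERT.pem -> prints a verdict; exit 0 only if both EKUs are present.
# A certificate with no EKU extension at all is reported as missing both.
check_mutual_auth() {
    missing=""
    has_eku "$1" 'TLS Web Server Authentication' || missing="$missing serverAuth"
    has_eku "$1" 'TLS Web Client Authentication' || missing="$missing clientAuth"
    if [ -n "$missing" ]; then
        echo "$1: missing EKU:$missing"
        return 1
    fi
    echo "$1: serverAuth and clientAuth both present"
}

# make_sample OUT.pem EKU_VALUE -> constructed self-signed test certificate
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ise-admin.example.test" \
        -keyout /dev/null -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The situation in the question: a certificate issued with server auth only.
make_sample "$tmp/server_only.pem" serverAuth
# The situation the accepted answer asks for: both EKUs.
make_sample "$tmp/both.pem" serverAuth,clientAuth

check_mutual_auth "$tmp/server_only.pem" || true
check_mutual_auth "$tmp/both.pem"
```

To run it against a real export, call `check_mutual_auth` with the path of the PEM file instead of the generated samples.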