
Which Certificate (service) is used to integrate with Intune? Is EKU required for both Server and Client auth?

Nate Zhang
Cisco Employee

Hi Experts,

I'm following the guide to integrating ISE with Intune.

In the 'Export ISE System Certificate' step, I got stuck since my customer uses all CA-signed certificates, separated by Admin, Portal, EAP-Auth, and pxGrid service.

Which one shall I export in this case?

Additionally, if it is the EAP-Auth cert I should export, does it need to have both the client authentication (1.3.6.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1) EKUs in the certificate?

Currently, we only have Server auth for the purpose of client 802.1x EAP-TLS.


Accepted Solutions

Hi,

The certificate is the Admin one because Intune and ISE communicate using
APIs (not EAP).

Regarding the EKU, it has to be client/server authentication for mutual
authentication between Intune and ISE.
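An added example, not part of the thread: one way to confirm which EKUs an exported certificate carries before using it, assuming OpenSSL is available and the export is PEM. The function names, the file path argument and the sample text are constructed for illustration.

```shell
# Classify the Extended Key Usage of a certificate from the text that
# `openssl x509 -noout -text` prints (read on stdin).
# Return codes: 0 = serverAuth and clientAuth both present
#               1 = EKU extension present, at least one purpose missing
#               2 = no EKU extension in the certificate
eku_status() {
  # The EKU values sit on the line after the extension header
  # (the header may carry a trailing "critical").
  eku=$(awk '/X509v3 Extended Key Usage/ { if ((getline line) > 0) print line; exit }')
  if [ -z "$eku" ]; then
    echo "no Extended Key Usage extension"
    return 2
  fi
  missing=""
  # OpenSSL prints serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth
  # (1.3.6.1.5.5.7.3.2) under these long names.
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) missing="$missing serverAuth" ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) missing="$missing clientAuth" ;; esac
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "ok: serverAuth and clientAuth present"
  return 0
}

# Run the check against an exported PEM file (path supplied by the caller).
check_cert_eku() {
  openssl x509 -in "$1" -noout -text | eku_status
}

# Constructed sample of the relevant `openssl x509 -text` lines for a
# certificate with server auth only, the situation described in the question.
SAMPLE_SERVER_ONLY='        X509v3 Extended Key Usage:
            TLS Web Server Authentication'
```

For the constructed sample, `printf '%s\n' "$SAMPLE_SERVER_ONLY" | eku_status` reports the missing client authentication purpose.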

Hi Mohammed,

Thank you for your response. Is the EKU mandatory?
I'm referring to doc: https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897
It says only the pxGrid cert requires both server/client auth EKUs.

If I have to revise my admin cert with both EKUs, I think I have to deregister my cluster (8 nodes) and register again with the new cert. Am I right?

I replied to your private message :)

What Mohammed al Baqari said appears correct. It appears Microsoft Intune is using the ISE admin certificate(s) to validate the requests and, hence, the client auth on them.

Thank you for your verification.