Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2893
Views
10
Helpful
5
Replies

Which Certificate (service) is used to integrate with Intune ? Is EKU required both for Server and Client auth?

Go to solution
Nate Zhang
Cisco Employee
Cisco Employee

‎02-26-2019 08:23 PM

Hi Experts,

 

I'm following the guide to integrating ISE with Intune. 

 

In the step of 'Export ISE System Certificate', I got stuck since my customer uses all CA signed certificates separated by Admin, Portal, EAP-Auth, pxgrid service.

 

Which one shall I export in this case? 

 

Additionally, if it is the one EAP-Auth cert I should export, is it needed to have EKU both client authentication (1.3.6.5.5.7.3.2) and server authentication (1.3.6.1.5.5.7.3.1) in the certificate? 

 

Currently, we only have Server auth for the purpose of client 802.1x EAP-TLS.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-26-2019 08:36 PM

Hi,

The certificate is the Admin one because Intune and ISE communicates using
APIs (not EAP).

Regarding the EKU, it has to be client/server authentication for mutual
authentication between Intune and ISE

View solution in original post

5 Replies 5

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-26-2019 08:36 PM

Hi,

The certificate is the Admin one because Intune and ISE communicates using
APIs (not EAP).

Regarding the EKU, it has to be client/server authentication for mutual
authentication between Intune and ISE

Go to solution
Nate Zhang
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎02-26-2019 10:11 PM

Hi Mohammed,

Thank you for your response. Is the EKU mandatory?
I'm referring to doc: https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897
It is said only pxgrid cert requires both server/client auth EKU.

If I have to revise my admin cert with both EKU, I think I have to deregister my cluster (8 nodes) and register again with new cert, am I right?
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Nate Zhang

‎02-26-2019 11:31 PM

I replied to your private message :)
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Nate Zhang

‎02-28-2019 11:56 AM

What Mohammed al Baqari said appears correct. It appears Microsoft Intune using the ISE admin certificate(s) to validate the requests and, hence, the client auth on them.

0 Helpful

Go to solution
Nate Zhang
Cisco Employee
Cisco Employee
In response to hslai

‎02-28-2019 06:12 PM

Thank you for your verification.
0 Helpful
Customers Also Viewed These Support Documents