Wireless NAC via Azure ISE using ON-Prem PKI

shujath-syed
Level 1

@Greg Gibbs - Hi, I looked at your article; it's very helpful.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635 

I am trying to do NAC on wireless via ISE in Azure using on-prem PKI, which will enroll Windows machines in Intune. I am going to use the certificate connector for on-prem PKI. I read it doesn't support ISE Essentials and I need ISE Advantage as a minimum. Can you advise which license will be suitable: ISE Essentials, Advantage or Premier? I can't see this clearly from the Cisco ISE Licensing Guide.

I don't intend to use compliance-based auth; I only intend to use cert-based auth. So for this, do I need ISE Advantage or Premier?


Greg Gibbs
Cisco Employee

"I read it doesn't support ISE essentials and I need ISE advantage as a minimum"

Where did you read this?

The certificate enrolment happens outside of any control by ISE. If you only plan to use the enrolled certificates to authenticate the Users/Devices via EAP-TLS (and no other features such as Profiling, MDM, etc), this falls under the 'AAA and 802.1X' use case covered by the Essentials licenses.

OK, thank you very much.

Lastly, can I ask, in the above context, what best I can do for macOS devices which are enrolled in Jamf Pro (not many)?

The same approach would generally be taken. Integrate Jamf Pro with your PKI, enroll certificates on the MacOS endpoints, and authenticate them via EAP-TLS.

Hi - I am doing a POC for this using on-prem PKI. My ISE is stood up in Azure now. Can you advise what the key elements are that I should be configuring? If there is any article you know of on this, please share.

Hi - I just wanted to check: since I am not doing an ISE integration with Intune/Entra ID, I can't use the GUID in ISE policies to match for auth, as there are thousands of machines. What do you advise matching against? Something like the issuer CN would make sense? This way anything presented by the CA server to the machines will be authenticated by ISE. I just need to define the CA server in ISE's external CA settings. Do you think it's workable?

If you are using EAP-TLS and only authenticating and authorising the session based on the certificate (not performing checks against any external identity store), then you would be limited to the information provided to ISE in the certificate.

Ideally, you would want to use matching conditions in the AuthC/AuthZ policies that match on unique attributes in the certificate. These could include the Issuer CN, Subject OU, etc, and would depend on how you have defined your certificate templates and profiles.

Yes, that's exactly what I am looking to do, because I only wish to do NAC policies using cert fields, issuer, etc., as I have ISE Essentials (can't upgrade to a higher license due to costs), so I don't think I have more options available, because if I want to do any checks against an external identity store I will need a higher license than ISE Essentials, right? Do you believe this is still a workable basic-level NAC? Please see your first comment in this post, which is exactly what I am doing.

Performing checks against external Identity Stores (AD, Entra ID User AuthZ, etc.) is part of the 'AAA and 802.1X' use case covered by the Essentials licenses.

Many thanks, it works when I allow EAP-TLS in the AuthC/Z policies and enter CN=GUID in the conditions. But this is when I enter a GUID manually in the policy under the conditions of AuthC/Z. I also see the log message "Found Endpoint in Internal Endpoints IDStore" against that particular CN/GUID of a single machine. But if I want to check for all thousands of machines, what can I do? I did refer to your article Cisco ISE with Microsoft Active Directory, Entra ID, and Intune, but I cannot find how to check against Entra with ISE Essentials. Do I select the issuer instead of the certificate CN? I cannot create an auth profile in external identity because Entra doesn't have a domain controller. Unless I enter the CN/GUID manually in the AuthC/Z policies for every single machine, I don't know how I can check against the Entra ID store. Any idea?

The UPN is used to check Identity against Entra ID. The GUID is used to check Registration/Compliance against Intune.
These are two separate functions that use different API calls.

As clearly stated in the blog that you referenced:
"As the Intune Registration and/or Compliance lookups are functions of the MDM Compliance feature in ISE, any sessions using these conditions will require a Premier license as per the Cisco ISE Licensing Guide."

I am using the 'AAA and 802.1X' use case covered by the Essentials licenses. Can I use the UPN in this case?

Because I am receiving a machine certificate and it has the GUID/Intune device ID in the subject field of the machine certificate. I am using on-prem PKI which is integrated with the certificate connector. Do I need to tell the on-prem PKI to issue the UPN in the subject field of the machine certificate instead of the GUID?

Or can a UPN only be issued to a user certificate and not a device certificate? Because I am using a device certificate, what can I match now?

I am using a machine certificate and ISE is only validating based on the certificate that is presented to it. I am using the issuer CN. It's all working fine, but it's also authenticating REVOKED machine certificates. I checked, and the comms between ISE and the OCSP server are not working. Do you think fixing these comms would block revoked certs and allow valid certs?

Also, do we need to enter the OCSP public or private URL in the OCSP profile configured in ISE? (I have checked UNKNOWN and Unreachable, btw.)

Note: because we are using machine certs, we are not checking against an external identity (Entra in our case). I hope this is not linked with the above scenario?

If you have configured CRL and/or OCSP settings in your Root or Intermediate trusted certificates, and ISE can reach those services, it will perform a revocation check during the Authentication process.

Public vs. Private URL is entirely dependent on your environment and how ISE would communicate with that service. These comms would also be impacted by any proxy configured, so you may need to add those FQDNs to the 'bypass' list in the ISE proxy settings.
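The two threads of this discussion, matching on certificate fields such as Issuer CN or Subject OU rather than on one CN=GUID per machine, and the way a revocation profile that accepts "unknown" or "unreachable" results interacts with broken OCSP comms, as an added example. This is a simplified model written for this page, not code from the thread or from Cisco ISE; the class names, the issuer CN, the OU and the GUIDs are constructed for the example.

```python
"""Added example (not from the thread or from Cisco ISE): a small model of an
EAP-TLS authorization decision that, as in the thread, relies only on fields of
the presented certificate plus a revocation check.

It illustrates two points from the discussion:
  * matching on Issuer CN / Subject OU covers thousands of machines with one
    rule, whereas matching on Subject CN = GUID needs a rule per machine;
  * with 'accept if unknown/unreachable' enabled, a broken OCSP/CRL path lets
    REVOKED certificates through, because the responder is never consulted.
Names (Cert, Rule, RevocationProfile, authorize) and all sample values are
assumptions constructed for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Revocation(Enum):
    GOOD = "good"                # responder/CRL says the cert is valid
    REVOKED = "revoked"          # responder/CRL says the cert is revoked
    UNKNOWN = "unknown"          # responder reached but does not know the cert
    UNREACHABLE = "unreachable"  # OCSP/CRL service could not be contacted


@dataclass
class Cert:
    issuer_cn: str
    subject_cn: str
    subject_ou: str = ""


@dataclass
class RevocationProfile:
    """Models the two 'accept certificate if ...' toggles of a revocation profile."""
    accept_unknown: bool = False
    accept_unreachable: bool = False


@dataclass
class Rule:
    """One AuthZ rule: every non-None field must equal the certificate's field."""
    name: str
    issuer_cn: Optional[str] = None
    subject_ou: Optional[str] = None
    subject_cn: Optional[str] = None
    result: str = "PermitAccess"


def revocation_passes(status: Revocation, profile: RevocationProfile) -> bool:
    """Only GOOD passes unconditionally; UNKNOWN/UNREACHABLE depend on the toggles."""
    if status is Revocation.GOOD:
        return True
    if status is Revocation.REVOKED:
        return False
    if status is Revocation.UNKNOWN:
        return profile.accept_unknown
    return profile.accept_unreachable


def rule_matches(rule: Rule, cert: Cert) -> bool:
    checks = [
        (rule.issuer_cn, cert.issuer_cn),
        (rule.subject_ou, cert.subject_ou),
        (rule.subject_cn, cert.subject_cn),
    ]
    return all(want is None or want == have for want, have in checks)


def authorize(cert: Cert, status: Revocation, profile: RevocationProfile,
              rules: List[Rule], default: str = "DenyAccess") -> str:
    """Revocation is evaluated first; the first matching rule then decides."""
    if not revocation_passes(status, profile):
        return "DenyAccess (certificate revocation check failed)"
    for rule in rules:
        if rule_matches(rule, cert):
            return rule.result
    return default


# Constructed sample data (hypothetical issuer CN, OU and GUIDs).
CORP_ISSUER = "Example Corp Issuing CA 01"
LAPTOP = Cert(CORP_ISSUER, "1b2c3d4e-0000-4000-8000-000000000001", "Intune Devices")
OTHER_CA = Cert("Some Other CA", "1b2c3d4e-0000-4000-8000-000000000002", "Intune Devices")

# One issuer/OU rule instead of one CN=GUID rule per machine.
ISSUER_RULES = [Rule("Corp-Intune-Devices", issuer_cn=CORP_ISSUER, subject_ou="Intune Devices")]

STRICT = RevocationProfile()                                         # fail closed
LENIENT = RevocationProfile(accept_unknown=True, accept_unreachable=True)


def demo() -> dict:
    """What ISE observes when OCSP is unreachable is UNREACHABLE, not REVOKED."""
    return {
        "valid laptop": authorize(LAPTOP, Revocation.GOOD, STRICT, ISSUER_RULES),
        "other CA": authorize(OTHER_CA, Revocation.GOOD, STRICT, ISSUER_RULES),
        "revoked, OCSP reachable": authorize(LAPTOP, Revocation.REVOKED, LENIENT, ISSUER_RULES),
        "revoked, OCSP unreachable, lenient": authorize(LAPTOP, Revocation.UNREACHABLE, LENIENT, ISSUER_RULES),
        "revoked, OCSP unreachable, strict": authorize(LAPTOP, Revocation.UNREACHABLE, STRICT, ISSUER_RULES),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:40s} -> {outcome}")
```

The "revoked, OCSP unreachable, lenient" case is the situation described in the thread: a revoked certificate is permitted because the responder was never reached and the profile accepts unreachable results, so repairing the OCSP comms (or proxy bypass) is what makes the revocation take effect.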