1316 Views | 0 Helpful | 15 Replies

Wireless NAC via Azure ISE using ON-Prem PKI

shujath-syed (Level 1)

@Greg Gibbs - Hi, I looked at your article; it's very helpful.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635 

I am trying to do NAC on wireless via ISE in Azure using on-prem PKI, which will enroll Windows machines in Intune. I am going to use the Certificate Connector for the on-prem PKI. I read it doesn't support ISE Essentials and I need ISE Advantage as a minimum. Can you advise which license will be suitable: ISE Essentials, Advantage or Premier? I can't see this clearly from the Cisco ISE Licensing guide.

I don't intend to use compliance-based auth; I only intend to use cert-based auth. So for this, do I need ISE Advantage or Premier?

15 Replies

My POC has worked, but when I did some pilot sites on the on-prem ISE I am having two issues.

1. When I uploaded and bound the server certificate (from the on-prem PKI) for EAP authentication, the existing EAP authentication got moved here. The Win11 machines worked on the existing corp SSID but Win10 didn't. I got an error saying ISE is not trusting the client certificate being presented. I disabled my new NAC SSID policy, yet the corp SSID won't work for Win10 but works for Win11. The Win11 machines are on Intune and the Win10 ones are by AD. But I see the server certificate on both Win10 and Win11 in the trusted and intermediate stores on both machines. Not sure how I can seamlessly implement it without causing an outage.

2. I am thinking I will roll out the machine certs to not just pilots but all Win10 in the estate, but this way it poses a risk of multiple incidents. But I believe that regardless of whether it's Win10 or Win11, if it's issued a new machine cert from the PKI/Certificate Connector the machines will continue to connect on the existing corp SSID, regardless of whether it works on the new NAC-enabled SSID or not.


3. A quick question on the ISE policy: I am placing the new NAC SSID at the top of the policy table, using the NAS ID in the WLC and also in the ISE policy, along with Radius Wireless 802.1X, to make sure existing corp SSID traffic doesn't hit this policy and isn't affected. Is this the right approach?