216 Views | 0 Helpful | 3 Replies
Beginner

ISE 2.4 Dot1x Certificate

Hello to everyone! 

I'm testing ISE 2.4 for a future deployment. Here are my 2 main goals:

1. Full integration for dot1x with EAP-TLS.

2. Client posture and integration with MS Intune.

I'm stuck on the first point, though. ISE uses Azure ADDS as the identity store. We don't have a classic on-prem AD. Authentication itself works fine. Certificates are generated over the Certificate Provisioning portal.

But here is the problem. Since all clients are connected to MS Intune, they get a default certificate which is stored in the user's Personal certificates. When I install the certificate generated over the portal, it is put into the same directory and has the same CN (user@mydomain.com). So 2 certificates with the same CN user@mydomain.com are placed in the same folder. Hence, when the user clicks "use certificate for auth", the wrong certificate is used by Windows (the default one from Intune).

Is it possible to somehow change the order of the certificates, or is there another solution? Could Client Provisioning with Native Supplicant configuration solve the issue?

3 REPLIES (2 accepted solutions)
Enthusiast

Re: ISE 2.4 Dot1x Certificate

So I know there is a way, using the AnyConnect NAM module as your supplicant, to configure profiles with certificate mapping based on criteria such as issuer or subject fields. For the native supplicant you should be able to use GPOs to configure your certificate selection. Under Smart Card or other Certificate Properties, in the 'when connecting' pane, click Advanced. You should be able to configure certificate selection based on a certificate issuer. Or you can attempt to uncheck 'use simple certificate selection' in the hope that the end user will be prompted to select which cert to use. HTH!
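An added example, not part of the thread and not Cisco or Microsoft tooling: a PowerShell check that lists the certificates in the user's Personal store that share a subject, with their issuer and whether they carry the Client Authentication EKU. Run on an affected Windows client, it shows the two same-CN certificates side by side, and the Issuer column gives the value to select in the certificate-issuer filter described above. It assumes Windows PowerShell with the Cert: drive available; the function name is my own.

```powershell
# Added example, not code from the thread. Lists certificates in the current
# user's Personal store that share a subject, so the duplicate-CN situation
# (Intune cert plus portal cert) can be seen with issuer and EKU side by side.
# Assumes Windows PowerShell 5.1 or later with the Cert: drive available.

# Client Authentication EKU OID; EAP-TLS needs this (or no EKU extension at all).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-DuplicateSubjectCerts {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    # Only certificates with a private key can be used by the supplicant.
    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }

    $certs |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($c in $_.Group) {
                # EnhancedKeyUsageList is a PowerShell-added property; an empty
                # list means the certificate is valid for all purposes.
                $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
                [pscustomobject]@{
                    Subject    = $c.Subject
                    Issuer     = $c.Issuer
                    Thumbprint = $c.Thumbprint
                    NotAfter   = $c.NotAfter
                    ClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
                }
            }
        }
}

# Usage: show the duplicates, sorted so same-subject certs sit together.
Get-DuplicateSubjectCerts | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

A certificate with ClientAuth set to False cannot be used for EAP-TLS regardless of the filter, so if both same-CN certificates show True, the issuer is the only reliable criterion left for the native supplicant, which is why the GPO issuer filter above works.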
Beginner

Re: ISE 2.4 Dot1x Certificate

Yes, thank you!

I've chosen only one certificate issuer and it works fine.

Another question. Does anybody know how to generate certificates on ISE automatically? Maybe in some collaboration with Intune...

Cisco Employee

Re: ISE 2.4 Dot1x Certificate

Please open a separate discussion on what exactly this Intune query is.