2652 Views, 5 Helpful, 5 Replies

ISE with Azure/Intune - external identity source without BYOD process

piotrPaszk
Level 1

Hello,


We are going to use Microsoft Intune as MDM and we would like to utilize EAP-TLS for devices. The provisioning has to take place without the BYOD onboarding process in ISE, as we are going to give devices to other people to do the provisioning and then they will send them to us.


As we know, EAP-TLS requires an identity store like AD to compare the CN or SAN etc. in a certificate, in order to check whether the presented values match. In the case of Windows machines we use AD without any MDM.

Azure/Intune keeps many values like serial number, MAC address etc., so since we do not store those values in on-premise AD it would be nice to grab them from Azure. I just wonder if it is possible to connect ISE to an external identity group in Azure/Intune and use certain values like MAC address, serial number etc.


I have tried to configure SAML ID providers and I can pull all groups from Azure/Intune, but I cannot use the SAML ID in Identity Source Sequences.


5 Replies

hslai
Cisco Employee

ISE does not support using a SAML IdP to authorize EAP-TLS.

SAML applies to Web applications or interfaces only. At present, ISE supports it for Web-based authentications of end-user-facing portals, such as ISE guest portals. When using a SAML IdP, it is exclusive; i.e., either SAML IdP only or no SAML IdP. The workaround is to use two web portals.

Thanks for the reply :)

Is there any way to support EAP-TLS authentication with device/user data which is stored in Azure?

Best regards,

Piotr

Peter Koltl
Level 7

Actually, it is not mandatory to use an identity store with EAP-TLS. You can choose not to check any certificate attributes apart from validity and issuer, although I assume you would not prefer that any valid (not revoked) certificate is granted access.

Thanks Peter for the tips :)

How can I set up rules to bypass the identity store check and check only the issuer and validity?

But if I would like to use Azure as an Identity Store, do you know how to do it? Do I have to use an API? If so, is there any design guide for that?

In the certificate authentication profile used to authenticate your endpoints, ensure "Identity Store" is set to "[not applicable]" if there is no need to resolve identity ambiguity or to perform binary comparison of the certificates. To check the issuer, we may add an authorization condition on CERTIFICATE.Issuer. To check validity, add a condition on CERTIFICATE.Days to Expiry or the like.

First of all, in order to check certificates in AD/LDAP, the endpoint certificates need to be stored in the user/computer objects in AD/LDAP. At present, in order to use Azure AD as an external ID store in ISE, other than as a SAML IdP, we need Azure AD Domain Services enabled in the Azure AD directory. For hybrid organizations using Azure AD Connect to synchronize with the on-prem directory, we should be able to integrate ISE with the on-prem directory. Otherwise, you may try "Configure secure LDAP (LDAPS) in an Azure AD Domain Services domain".
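As an added illustration (not code from this thread, from Cisco ISE, or from Intune), the Python below models the authorization logic hslai describes, an issuer condition plus a days-to-expiry threshold with no identity store, and adds the optional inventory lookup against identifiers such as Intune serial numbers that Peter's caveat points at. The certificate attributes, policy values and inventory are constructed dicts standing in for the CERTIFICATE.* attributes ISE exposes; the DN normalization assumes no escaped commas in RDN values.

```python
from datetime import datetime, timezone

def normalize_dn(dn):
    """Canonicalize a DN so 'cn=x, o=y' and 'CN=x,O=y' compare equal.
    Assumption (constructed example): RDN values contain no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip().lower()}")
    return ",".join(parts)

def days_to_expiry(not_after, now):
    """Whole days left before notAfter; negative once the certificate has expired."""
    return (not_after - now).days

def authorize(cert, policy, inventory=None, now=None):
    """Return (decision, reason) for one EAP-TLS client certificate.
    cert: dict with 'issuer' (DN string), 'not_after' (aware datetime), 'san' (list).
    policy: dict with the expected 'issuer' DN and 'min_days_to_expiry'.
    inventory: optional set of device identifiers (e.g. serials exported from
    Intune). When None only issuer and validity are checked, so any unexpired
    certificate from that CA is accepted, which is the caveat raised in the thread."""
    now = now or datetime.now(timezone.utc)
    if normalize_dn(cert["issuer"]) != normalize_dn(policy["issuer"]):
        return "DENY", "issuer mismatch"
    remaining = days_to_expiry(cert["not_after"], now)
    if remaining < policy["min_days_to_expiry"]:
        return "DENY", f"days to expiry {remaining} below threshold"
    if inventory is None:
        return "PERMIT", "issuer and validity only"
    matched = [s for s in cert["san"] if s in inventory]
    if not matched:
        return "DENY", "no SAN value matches the device inventory"
    return "PERMIT", f"matched inventory entry {matched[0]}"

# Constructed sample data (not from any real tenant or ISE deployment).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2024, 6, 11, tzinfo=timezone.utc)
POLICY = {"issuer": "CN=Corp Issuing CA, O=Example Corp", "min_days_to_expiry": 1}
SAMPLE_INVENTORY = {"SN-ABC123", "SN-XYZ789"}
KNOWN_DEVICE_CERT = {"issuer": POLICY["issuer"], "not_after": VALID_UNTIL, "san": ["SN-ABC123"]}
UNKNOWN_DEVICE_CERT = {"issuer": "cn=corp issuing ca, o=example corp", "not_after": VALID_UNTIL, "san": ["SN-NOT-ENROLLED"]}
EXPIRED_CERT = {"issuer": POLICY["issuer"], "not_after": datetime(2024, 5, 1, tzinfo=timezone.utc), "san": ["SN-ABC123"]}
OTHER_CA_CERT = {"issuer": "CN=Some Other CA, O=Elsewhere", "not_after": VALID_UNTIL, "san": ["SN-ABC123"]}

if __name__ == "__main__":
    for name, cert in [("known", KNOWN_DEVICE_CERT), ("unknown", UNKNOWN_DEVICE_CERT),
                       ("expired", EXPIRED_CERT), ("other CA", OTHER_CA_CERT)]:
        print(name, authorize(cert, POLICY, now=NOW), authorize(cert, POLICY, SAMPLE_INVENTORY, now=NOW))
```

Running it side by side shows that the issuer-plus-validity policy permits the unenrolled device while the inventory-backed policy denies it.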
