cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
422
Views
0
Helpful
5
Replies
Beginner

ISE with Azure/Intune - external identity source without BYOD proccess

Hello,


We are going to use Microsoft Intune as MDM and we would like to utilize EAP-TLS for devices. The provisioning has to take place without BYOD onboarding proccess in ISE as we are going to give devices to other people to do provisioning and then they will send them to us.


As we know EAP-TLS requires identity store like AD to compare CN or SAN etc in a certificate, in order to check if presented values match. In case of Windows machines we use AD without any MDM.

 

Azure/Intune keeps many values like serial number, mac address etc, so since we do not store those values in on-premise AD it would be nice to grab them from Azure. I just wonder if it is possible to connect ISE to external identity group in Azure/Intune and use certain values like mac address, serial number etc....


I have tryed to configure Saml ID providers and I can pull all groups from Azure/Intune but I can not use SAML ID  in Identity Source Sequences.

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE with Azure/Intune - external identity source without BYOD proccess

ISE is not supporting to use SAML IdP to authorize EAP-TLS.

SAML applies to Web applications or interfaces only. At present, ISE supports it for Web-based authentications of end-user facing portals, such as ISE guest portals. When using SAML IdP, it is exclusive; i.e. either SAML IdP only or no SAML IdP. The workaround is to use two web portals.

5 REPLIES 5
Cisco Employee

Re: ISE with Azure/Intune - external identity source without BYOD proccess

ISE is not supporting to use SAML IdP to authorize EAP-TLS.

SAML applies to Web applications or interfaces only. At present, ISE supports it for Web-based authentications of end-user facing portals, such as ISE guest portals. When using SAML IdP, it is exclusive; i.e. either SAML IdP only or no SAML IdP. The workaround is to use two web portals.

Beginner

Re: ISE with Azure/Intune - external identity source without BYOD proccess

Thanks for reply :)

 

Is there any way to support EAP-TLS authentication with device/user data which is stored i AZURE ?

 

best regards,

Piotr

Highlighted
Contributor

Re: ISE with Azure/Intune - external identity source without BYOD proccess

Actually it is not mandatory to use an identity store with EAP-TLS. You can choose not to check any certificate attributes apart from validity and issuer although I assume you do not prefer that any valid (not revoked) certificate is granted access.

Beginner

Re: ISE with Azure/Intune - external identity source without BYOD proccess

Thanks Peter for the tips :)

 

How can I set up rules to bypass identity store check and check only an issuer and validity ?

 

But If I would like use Azure as Identity Store do you know how to do it. Do I have to use API. If so is there any design guide for that ?

Cisco Employee

Re: ISE with Azure/Intune - external identity source without BYOD proccess

In the certificate authentication profile used to authenticate your endpoints, ensure "Identity Store" is set to "[not applicable]" if no need to resolve the identity ambiguity or to perform binary comparison of the certificates. To check the issuer, then we may add an authorization condition on the CERTIFICATE.Issuer. To check the validation, add a condition on CERTIFICATE.Days to Expiry or the like.

First of all, in order to check certificates in AD/LDAP, the endpoint certificates need stored in the user/computer objects in the AD/LDAP. At present, in order to use Azure AD as an external ID store in ISE, other than as a SAML IdP, we need Azure AD Domain Services enabled in Azure AD directory. For hybrid organizations using Azure AD Connect to synchronize with the on-prem directory, we should be able to integrate ISE with the on-prem directory. Otherwise, you may try Configure secure LDAP (LDAPS) in an Azure AD Domain Services domain.