Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
12279
Views
3
Helpful
3
Comments

Cisco ISE with Microsoft Cloud PKI

Greg Gibbs
Cisco Employee
Cisco Employee

‎09-25-2024 06:03 PM - edited ‎09-25-2024 06:21 PM

 

Introduction

As customers are moving to a cloud-first strategy, many are looking to decommission on-premise and/or non-cloud-native solutions in favour of more cloud-native and PaaS/SaaS delivered solutions. One solution that many customers are looking to replace (or avoid deploying in the first place) is Active Directory Certificate Services (ADCS).
 
Microsoft released their Cloud PKI solution to the public in early 2024 and I have had several people asking questions about using this
solution in conjunction with Cisco ISE, so I thought it would be useful to provide some guidance and examples around this. After doing some research on the solution, I used the available trial licensing to set it up in my lab and perform some testing of common 802.1x use cases with Cisco ISE.
 

What is Microsoft Cloud PKI?

Microsoft Cloud PKI is a PaaS (Platform as a Service) offering that is tightly integrated with Intune and licensed as either an add-on to an existing Intune license or included in the Intune Suite. It provides a tiered Certificate Authority (CA) function and is intended to manage the certificate lifecycle for Intune-managed devices.
 
Cloud PKI uses SCEP (Simple Certificate Enrollment Protocol) to enrol User and Device certificates on Intune-managed devices. This is similar to the SCEP enrollment provided by ADCS using NDES (Network Device Enrollment Service), but ADCS provides much greater capabilities that Cloud PKI does not (at the time of this writing). For example, ADCS provides the ability to sign Certificate Signing Requests (CSRs) from other servers, network and security devices, users, and endpoints via the Certificate Enrollment Web Service and other mechanisms. These additional capabilities are not provided by Cloud PKI at this time.
 
More information about Cloud PKI can be found at the following link.
 

Cloud PKI and Cisco ISE

In the case of Cisco ISE, this means that, while Cloud PKI is capable of enrolling certificates for Users and Devices authenticating against Cisco ISE, Cloud PKI is not capable of signing the certificates used by ISE itself (for example, the Admin and EAP functions). Those certificates would need to be signed by either an Enterprise CA (like ADCS) or another CA solution employed by the organization.
 
While there is no direct integration between Cisco ISE and Cloud PKI, there are dependencies on both sides for Users/Devices enrolled using Cloud PKI and authenticating against ISE. One such dependency is the certificate trust chain. If we consider a common use case of 802.1x with EAP-TLS, there must be mutual trust between the client (user/device) and RADIUS server (ISE).
 
This means that, in order for the EAP-TLS communication to succeed, both of the following conditions must be met:

  • The client must have the certificate trust chain (Root and all Intermediate certificates) that signed the ISE EAP certificate in their User and/or Computer trust store (depending on the use case)
  • ISE must have the certificate trust chain (Root and all Intermediate certificates) that signed the User/Device EAP certificate in its Trusted Certificates store
The only direct interaction between ISE and Cloud PKI would be ISE performing a certificate revocation check against the CRL (Certificate Revocation List) published by Cloud PKI during the Authentication stage (if configured).
 

High Level Flow Example

The following diagram illustrates a high level flow of the functions and communications involved in this example. As shown in the diagram, Intune is solely responsible for the following functions with no interaction from ISE.

  • Installing trust chains for both the client (user/device certificates from Cloud PKI) and the ISE EAP (signed by a separate CA) certificates to the relevant user/device trust store locations.
  • Enrolling the user/device certificates signed by Cloud PKI and installing them in the relevant user/device trust store locations.
  • Configuring the endpoint supplicant (Wired, Wireless) as needed for 802.1x, including the necessary Trusted CA and certificate matching settings.
 

cloud pki flow.png

 

It is important to note that 802.1x connectivity relies on the proper certificates and supplicant configuration, so those steps must be done prior to connecting to an 802.1x secured network. As both Intune and Cloud PKI are cloud-based solutions, these processes can take place from any internet connection.

 

Solution Validation Setup

The following sections provide details on the lab setup that was used as an example to validate the solution. The setup was based on the following scenario.

  • Entra Joined (not Hybrid Joined) Windows VM enrolled with Intune
  • Windows 11 Pro Version 23H2
  • Cisco ISE 3.3 patch 3
  • Wireless 802.1x using EAP-TLS with User or Computer Authentication

 

While this example uses EAP-TLS, other certificate-based authentication methods could also be used in conjunction with Cloud PKI. See the following article for currently supported use cases involving Cisco ISE, Entra ID, and Intune.

Cisco ISE with Microsoft Active Directory, Entra ID, and Intune

 

Entra ID Groups

I started by creating two new Security Groups in Entra ID that were used to limit the scope of the solution validation to specific Users and Devices. My test User account and Device were added to the respective Group.

 

Example
Cloud PKI Groups.png

 

License Assignment

The Cloud PKI license was assigned to the above Groups by logging into Microsoft 365 (https://admin.microsoft.com) and following these steps.

  • Navigate to Billing > Licenses
  • Select the Microsoft Cloud PKI subscription
  • Select the Groups tab and click Assign Licenses

 

M365 Group Assign Licenses.png

  • Select the Groups created in the prior step

 

The resulting license assignments are shown.

 

Example
Assign Licenses message.png

Licenses assigned.png

 

Confirm Group License Assignment in Intune

To confirm that Intune shows the license assignments, follow these steps:

  • Open the Intune admin center (https://intune.microsoft.com)
  • Navigate to Groups > All Groups and select the groups defined in the prior steps (e.g. Cloud PKI Users)
  • Navigate to Manage > Licenses

 

Intune group license assigned.png

 

Create the Cloud PKI Instance

Use the following steps to create the Cloud PKI instance.

  1. In the Intune admin center, navigate to Tenant administration > Cloud PKI
  2. On the Basics tab, provide the Name and (optional) Description and click Next

    cloud pki root basics.png

  3.  On the Configuration Settings, define the settings appropriate for your environment and click Next

    • As this CA will mainly be used for testing 802.1x, only the Client auth and OCSP signing EKUs were added

      Example
      cloud pki creation config settings 1.pngcloud pki creation config settings 2.png
  4. On the Scope tags tab, define any necessary tags for your environment (optional)
  5. On the Review + create tab, verify the settings are correct and click Create
  6. Repeat the above steps for the Issuing CA

Examples
cloud pki issuing basics.png

cloud pki issuing config 1.pngcloud pki issuing config 2.pngcloud pki issuing config 3.png

 

The resulting CAs will be shown.

Example

CA list.png

 

Download the Root and Issuing CA Certificates

In the Tenant administration > Cloud PKI blade, select the Root CA that was created.

  • Copy the URL for the CRL distribution point and save it locally
  • Next to the Download certificate field, click the Download button
  • Save the certificate to a secure location

 

Exampleroot ca cert download.png

 

  • Repeat the above steps to copy the SCEP URI and save it locally
  • Download the Issuing CA certificate and save it to a secure location

 

Exampleissuing ca cert download.png

 

Create Certificate Profiles

The following Certificate Profiles will be configured for this example lab:

  • Trusted certificate - Cloud PKI Root
  • Trusted certificate - Cloud PKI Issuing
  • Trusted certificate - ADCS (CA that signed the ISE EAP certificate)
  • SCEP Profile - User
  • SCEP Profile - Device

In the Intune admin center, navigate to Devices > Manage Devices > Configuration

 

Create Trusted Certificate Profile - Cloud PKI Root

  1. Click Create > New Policy
  2. Platform = Windows 10 and later
  3. Profile type = Templates
  4. Template name = Trusted certificate
  5. Click Create

    Example
    intune trusted cert profile.png

  6. On the Basics tab, define the Name and (optional) Description and click Next

    Example
    root cert profile basics.png

  7. On the Configuration settings tab, browse the Root CA certificate downloaded in the earlier step.
  8. For the Destination store, select Computer certificate store – Root
  9. Click Next

    Example
    root cert config settings.png
  10. On the Scope tags tab, select any tags necessary for your environment (optional)
  11. Click Next

  12. On the Assignments tab, Select Add Groups
  13.  Under the Included Groups section, select the Cloud PKI Devices group, Cloud PKI Users group, and/or any other Device groups to which the Root CA certificate should be deployed

    ** NOTE: The same User group that will be used to deploy the SCEP certificate must be included in this Trusted certificate profile.
    When creating the SCEP certificate profile in later steps, this Root profile is specified. If the User group is not included here, the SCEP Profile will remain in a Pending state.

  14. (Optional) Under the Excluded Groups section, select any Groups that should be explicitly excluded
  15. Click Next

    Example
    root cert assignments.png

  16. On the Applicability Rules tab, add any rule definitions required for your environment (optional)
  17. Click Next

  18. On the Review + create tab, verify the settings are correct and click Create

Exampleroot cert review.png

 

Create Trusted Certificate Profile - Cloud PKI Issuing

  1. Repeat steps 1 through 5 above to create a new Trusted certificate template
  2. On the Basics tab, define the Name and (optional) Description and click Next

    Example
    issuing cert basics.png

  3. On the Configuration settings tab, browse the Issuing CA certificate downloaded in the earlier step.
  4. For the Destination store, select Computer certificate store – Intermediate
  5. Click Next

    Example
    issuing cert config settings.png
  6. Repeat the steps above to define any necessary Scope tags, Device Group Assignments, and Applicability Rules
  7. On the Review + create tab, verify the settings are correct and click Create

Exampleissuing cert review.png

 

Create Trusted Certificate Profile - ADCS

  • Repeat the steps above to create a Trusted Certificate Profile for Root and Intermediate certificate(s) that signed the ISE EAP certificate

    Examples
    tui-dc1 trusted cert.pngtui-dc1 trusted cert basics.png

 

Create SCEP Profile – User Certificate

  1. Click Create > New Policy
  2. Platform = Windows 10 and later
  3. Profile type = Templates
  4. Template name = SCEP certificate
  5. Click Create

    Example
    scep user cert create.png

  6. On the Basics tab, define the Name and (optional) Description and click Next

    Example
    scep user cert basics.png

  7. On the Configuration settings tab, select the User Certificate type
  8. Input the Subject name format as per your requirements. For this example, I have defined the following:

    • CN = User Principal Name for the enrolled User (this value must be in the CN or SAN for ISE Authorization against Entra ID using REST ID)
    • OU = EntraID Users (defined for use as a matching condition in ISE policies)
    • O = TUI
    • L = Melbourne
    • ST = VIC
    • C = AU

  9. Input the Subject alternative name as per your requirements. For this example I have defined the following:

    • URI = ID:Microsoft Endpoint Manager:GUID:{{DeviceId}} (this value is used for ISE integration with Intune MDM for device Registration/Compliance checks)
    • Email address = Email address of the enrolled user

  10. Define the Certificate validity period as per your requirements
  11. Define the Key Storage Provider (KSP) to be used
  12. For the Key usage, select both Digital signature and Key encipherment
  13. Select the desired Key size and Hash algorithm
  14. Click the + Root certificate link and select the Trusted certificate profile created earlier for the Root CA certificate
  15. For the Extended key usage, use the drop-down for the Predefined values and select the Client authentication as well as any other desired EKUs
  16. Define the desired Renewal threshold (%)
  17. In the SCEP Server URLs field, paste in the SCEP URI string that was copied during the Cloud PKI Issuing CA configuration
  18. Click Next


    Example
    scep user cert config settings 1.pngscep user cert config settings 2.png

  19. On the Scope tags tab, select any tags necessary for your environment (optional)
  20. Click Next

  21. On the Assignments tab, Select Add Groups
  22.  Under the Included Groups section, select the Cloud PKI Users group and/or any other User groups to which the identity certificate should be deployed
  23. (Optional) Under the Excluded Groups section, select any Groups that should be explicitly excluded
  24. Click Next

    Example
    scep user cert assignment.png

  25. On the Applicability Rules tab, add any rule definitions required for your environment (optional)
  26. Click Next

  27. On the Review + create tab, verify the settings are correct and click Create

Examplescep user cert review 1.pngscep user cert review 2.png

 

Create SCEP Profile – Device

  1. Repeat step 1 through 5 above to create a new SCEP certificate template
  2. On the Basics tab, define the Name and (optional) Description and click Next


    Example
    scep device cert basics.png

  3. On the Configuration settings tab, select the Device Certificate type
  4. Input the Subject name format as per your requirements. For this example, I have defined the following:

    • CN = Device Name for the enrolled Device
    • OU = Entra Joined Device (defined for use as a matching condition in ISE policies)
    • O = TUI
    • L = Melbourne
    • ST = VIC

  5. Input the Subject alternative name as per your requirements. For this example, I have defined the following:

    • URI = ID:Microsoft Endpoint Manager:GUID:{{DeviceId}} (this value is used for ISE integration with Intune MDM for device Registration/Compliance checks)

      Example
      scep device config settings.png
  6. Repeat the steps above to configure the remaining settings as per your requirements
  7. Click Next
  8. Repeat the steps above to define the necessary Scope tags, Device Group Assignments, and Applicability Rules for your environment
  9. On the Review + create tab, verify the settings are correct and click Create

Example
scep device review 1.pngscep device review 2.png

 

Create a Wi-Fi Profile

  1. In the Intune admin center, navigate to Devices > Manage Devices > Configuration
  2. Click Create > New Policy
  3. Platform = Windows 10 and later
  4. Profile type = Templates
  5. Template name = Wi-Fi
  6. Click Create

    Example
    wifi profile.png

  7. On the Basics tab, define the Name and (optional) Description and click Next

    Example
    wifi profile basics.png

  8. Configure the Wifi Profile settings as per your environment and click Next

    Example
    wifi profile config settings 1.pngwifi profile config settings 2.png

    ** PLEASE NOTE **
    The Certificate server names description is a bit misleading. The values specified here must be the CN value(s) for the EAP certificate presented by ISE.
    The Profile selected under the Root certificates for server validation section must be the Root CA that signed the EAP certificate on the ISE PSN. This certificate would be signed by a different CA than the Microsoft Cloud PKI.

  9.  On the Scope tags tab, select any tags necessary for your environment (optional)
  10. Click Next

  11. On the Assignments tab, Select Add Groups
  12.  Under the Included Groups section, select the Cloud PKI Devices group and/or any other Device groups to which the Wifi profile should be deployed
  13. (Optional) Under the Excluded Groups section, select any Groups that should be explicitly excluded
  14. Click Next


    Example
    wifi profile assign.png

  15. On the Applicability Rules tab, add any rule definitions required for your environment (optional)
  16. Click Next

  17. On the Review + create tab, verify the settings are correct and click Create

    Example    wifi profile review 1.pngwifi profile review 2.png

 

ISE Configuration

Now that the configuration is done on the Intune side, the remaining configuration must be completed in ISE.

 

Import the Cloud PKI Trust Chain to ISE

  1. On the Primary PAN, navigate to Administration > System > Certificate Management > Trusted Certificates
  2. Click Import
  3. Click the Choose File button and navigate to the Cloud PKI Root CA certificate downloaded in the early steps
  4. Define the Friendly Name
  5. Select the checkbox for the following options:
    • Trust for authentication within ISE
    • Trust for client authentication and Syslog

  6. Click Submit

    Example
    ise root cert import.png

  7. Repeat the steps above for the Cloud PKI Issuing CA certificate downloaded in the early steps

You should now see the certificates for all required trust chains in the Trusted Certificates page.

Example
ise trusted certs.png

In this example, the TUI-DC1-CA is the Root CA that signed the ISE EAP Certificate

ise eap cert cn.png

 

Configure the CRL Distribution Point

  1. On the Trusted Certificates page, select the Issuing certificate and click Edit
  2. Scroll down to the Certificate Status Validation section
  3. In the Certificate Revocation List Configuration section, select the Download CRL checkbox
  4. In the CRL Distribution URL field, paste the CRL distribution point URL saved in the early steps
  5. Configure any additional settings as per your requirements and click Save

Example
ise crl config.png

ISE Policy Configuration

The use case for validating the Cloud PKI solution is similar to the one defined in the following document:

Configure ISE 3.2 EAP-TLS with Microsoft Azure Active Directory

The relevant ISE policy elements configured for this use case include the following:

  • Certificate Authentication Profile
  • Authentication Policy
  • Authorization Policies

 

Certificate Authentication Profile

A Certificate Authentication Profile (CAP) is created to define the certificate attribute that ISE will use for identity. In this example, the Subject – Common Name will be used for identity.

As no Authentication can be performed against Entra ID, the Identity Store is set to [not applicable]

Example
ise cap.png

 

Authentication Policy

An Authentication Policy is defined with the following conditions:

  • Certificate issuer matching the CN of the Cloud PKI Issuing CA
  • Certificate subject OU matching either the ‘TUI Entra Joined Device’ or ‘EntraID Users’ values defined in the Intune SCEP certificate profiles for the Device and User, respectively
  • Authentication using the CAP defined above

Example

ise authC policy.png
 
 

Authorization Policy

Two Authorization Policies are configured for this example use case; one for the User session, and one for the Device session.

The Authorization Policy is defined for the User session with the following conditions:

  • Certificate issuer matching the CN of the Cloud PKI Issuing CA
  • Certificate subject OU matching the ‘EntraID Users’ value defined in the Intune SCEP certificate profile for the User
  • A REST ID lookup against the Microsoft Graph API for User membership in the Cloud PKI Users Entra ID Group

 

The Authorization Policy is defined for the Device session with the following conditions:

  • Certificate issuer matching the CN of the Cloud PKI Issuing CA
  • Certificate subject OU matching the ‘TUI Entra Joined Device’ value defined in the Intune SCEP certificate profiles for the Device

    Exampleise authZ policy.png

 

ISE Live Logs

The following screenshot shows the ISE Live Logs for the Device and User sessions from the Intune-enrolled test Windows VM.

Example
ise live logs.png

The detailed logs show the certificate Subject and Issuer attributes that were configured for the Certificate Profiles in Intune.

Example
ise detailed session logs.png

 

Client Certificate Attributes

On the Windows client, use the MMC Certificate snap-ins to view the details of the certificate chain as well as the Device (Computer) and User certificates. Viewing the Computer certificate store requires local administrator permissions.

Device (Computer) Certificate examples

 

Example - Computer Root CA Certificatescloud device root cert.png


Example - Computer Intermediate CA Certificatescloud device issuing certs.png


Example - Computer Identity Certificatecloud device cert.png


Example - Computer Identity Certificate Issuer
cloud device cert issuer.png


Example - Computer Identity Certificate Subject
cloud device cert subject.png
 

Example - Computer Identity Certificate Subject
cloud device cert san.png


Example - Computer Identity Certificate Path

cloud device cert path.png


Example - User Identity Certificate
cloud user cert.png

Example - User Identity Certificate Issuer
cloud user cert issuer.png

 Example - User Identity Certificate Path
cloud user cert path.png

 

Client Supplicant Attributes

The following screenshots show the example Windows supplicant configuration applied by the Wifi Profile settings defined in Intune. To view these supplicant settings, you may need local administrator privileges and you must be connected to the SSID.

  • Open the Control Panel and navigate to Network and Internet > Network Sharing Center
  • Click on the Wifi connection

Example
supplicant wifi connection.png

 

  • Click on the Wifi Properties button


    Example
    wifi properties.png
  • Click on the Security tab
  • Click the Settings button

Example - Properties
win eaptls connect to servers.png

 

  • Click the Advanced button to see the certificate selection settings

 

Example - Certificate Selection Settings
win eaptls cert matching.png

 

Comments
Villager
Level 1
Level 1
‎09-29-2024 04:11 AM

Thanks, It's more helpful, keep going work! 

karam.nashwan
Level 1
Level 1
‎10-25-2024 03:22 PM

I've been testing the exact same solution with minor change, I'm using radiusaas.com instead of Cisco ISE.
the WIFI authentication was Ok, however I'm still not able to authenticate wired clients via same method (certificates).

Stephen.Mize
Level 1
Level 1
‎12-05-2024 01:53 PM

Has anyone implemented this?  What is your experience?  Looking to do this in our environment,.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents