ótimo trabalho,  muito útil assim nos da subsídios pra atualizar o mais rápido possível 

@Adonay dos Anjos ... thanks !!!

Interesting...thanks for sharing!

@Martin L ... thanks a lot !!!

I opened a case with TAC on this but all they're saying is that I need to upgrade to 3.2 Patch 7 to avoid issues.

But Microsoft's KB article (KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support) states that after February 2025, weak mapping will prevent users from authenticating - and all of the attributes available in ISE, including Subject Alternative Name, are considered weak. This is even detailed in the Cisco Field Notice on this issue "...After the changes introduced by Microsoft (KB5014754), endpoint authentication may fail when SAN is used for identity lookups against Active Directory."

So is there something else that needs to be done here? Based on Microsoft's KB article, it seems like authentication will break against AD even if you are patched to the appropriate ISE version. 

My worry is that this Field Notices focuses heavily on InTune URI's and GUID's but does not adequately address scenarios where certificates are authenticated against Active Directory only (no InTune). 

The Work Around / Solution, and Additional Information sections, only deal with InTune deployed certificates. 

The Field Notice glosses over Active Directory. They mention this:

"Certificate attribute lookups against external identity stores: When endpoints authenticate using certificate-based EAP authentication, Cisco ISE allows certificate attributes to be matched using Certificate Authentication Profiles. After the changes introduced by Microsoft, endpoint authentication may fail when SAN is used for identity lookups against Active Directory."

And that's it. No workaround or solution for people using SANs against Active Directory with their Certificate Profile. 

Microsoft's KB article is alarming. If you don't enable compatibility mode before February 2025, I feel that this may have impact for a lot of people even if you're on the appropriately patched version of ISE. 

Acording to Microsoft: "Unless updated to Audit mode or Enforcement mode by using the StrongCertificateBindingEnforcement registry key earlier, domain controllers will move to Full Enforcement mode when the February 2025 Windows security update is installed. Authentication will be denied if a certificate cannot be strongly mapped. The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported"

Hi Shorty, I am also seriously worried regarding this field notice. I am happy that Cisco informed about this, this is fine. Thank you.

But information withing field notice is not clear.

CSCwk73785 contains 2 conditions. After reading at least I understand these conditions are in OR-relationship not AND.

So why FN is describing more the second condition and the first one "not strongly mapped to Active Directory (AD), certificate-based login for users and/or devices on the local AD will fail when Microsoft Windows enforces strong mapping from Feb 11, 2025" is not taken to serious attention.

As it is written like this I understand no mather what you are doing with Cisco ISE, it depends more from how Windows OS will start behave from 11.2.2025. It seems to me, this is more about Windows Domain Controllers and Windows endpoint devices.

Where is the connection to Authenticator ?

OR MS is speaking just about their NPS(radius) ?

There is still a lot of FOG around this issue.

To a better understand of this issue, please take a look at Impact of Microsoft KB5014754 with ISE and EAP-TLS authentication, search for @Greg Gibbs excellent explanation.