05-03-2024 05:45 AM
Dear Cisco Community,
So far I understand it is possible to authenticate a device using its certificate. The authentication in this case is only based on the device presenting a valid certificate that is trusted by ISE.
Is it possible to leverage REST ID to perform the Group/Attribute lookup as a condition for authorization? If not, what are the alternatives while Computer Authentication is deployed?
Cisco ISE with Microsoft Active Directory, Azure AD, and Intune
05-05-2024 05:57 PM
No, it is not currently possible to authorize an Entra Joined 'Device' based on Entra Groups/Attributes using REST ID. REST ID currently only supports User Group/Attribute lookups.
As per the 'Authentication/Authorization of an Entra Joined Device using EAP-TLS' use case in the document you referenced, you can use Intune Registration/Compliance checks as a condition for Authorization. If you need differentiated authorization for different Devices, you would need to define different certificate attributes (like OU) pushed to those devices and use those attribute matches in ISE to provide differentiated authorization.
05-05-2024 11:22 PM
Many thanks, Greg