185 Views · 0 Helpful · 2 Replies

Azure ID ISE 3.2 dot1x Device EAP-TLS Authentication/Authorization

mzarli
Level 1

Dear Cisco Community, 

So far as I understand, it is possible to authenticate a device using its certificate. The authentication in this case is only based on the device presenting a valid certificate that is trusted by ISE.

Is it possible to leverage REST ID to perform the Group/Attribute lookup as a condition for authorization? If not, what are the alternatives while Computer Authentication is deployed?

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

@Greg Gibbs 

Accepted Solution

Greg Gibbs
Cisco Employee

No, it is not currently possible to authorize an Entra Joined 'Device' based on Entra Groups/Attributes using REST ID. REST ID currently only supports User Group/Attribute lookups.

As per the 'Authentication/Authorization of an Entra Joined Device using EAP-TLS' use case in the document you referenced, you can use Intune Registration/Compliance checks as a condition for Authorization. If you need differentiated authorization for different Devices, you would need to define different certificate attributes (like OU) pushed to those devices and use those attribute matches in ISE to provide differentiated authorization.

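The decision model the accepted answer describes, as an added example that is not code from this thread or from Cisco ISE: authentication passes only when the device certificate is within its validity period and signed by a CA in the trust store; authorization then matches a certificate attribute (the Subject OU, as Greg suggests) to a profile. The CA names, device names, OU values and profile names are all constructed for the demo, and the `cryptography` package is assumed to be installed. The rogue-CA device shows why the order matters: the same OU in a certificate ISE does not trust must not select a profile.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical mapping of the OU pushed into the device certificate to an
# authorization profile; any other OU (or no OU) lands in a restricted profile.
OU_TO_PROFILE = {
    "Finance-Laptops": "PERMIT_FINANCE_VLAN",
    "Engineering-Laptops": "PERMIT_ENG_VLAN",
}
DEFAULT_PROFILE = "PERMIT_RESTRICTED_VLAN"


def _builder(subject, issuer, public_key, days=365):
    """Certificate skeleton with a validity window around 'now'."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=days))
    )


def make_ca(name):
    """Self-signed CA (constructed); stands in for the CA ISE does or does not trust."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    builder = _builder(subject, subject, key.public_key())
    builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return key, builder.sign(key, hashes.SHA256())


def issue_device_cert(ca_key, ca_cert, device_name, ou):
    """Device certificate carrying the OU that the MDM certificate profile pushes."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, device_name),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
    ])
    return _builder(subject, ca_cert.subject, key.public_key()).sign(ca_key, hashes.SHA256())


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def authenticate(cert, trusted_cas):
    """EAP-TLS authentication as the question describes it: valid period and a
    signature from a trusted CA. No group or attribute lookup happens here."""
    not_before, not_after = _validity(cert)
    now = datetime.datetime.now(datetime.timezone.utc)
    if not (not_before <= now <= not_after):
        return False
    for ca in trusted_cas:
        if cert.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            continue
    return False


def authorize(cert, trusted_cas):
    """Attribute-based authorization, evaluated only after authentication succeeded."""
    if not authenticate(cert, trusted_cas):
        return "ACCESS_REJECT"
    ous = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)
    if not ous:
        return DEFAULT_PROFILE
    return OU_TO_PROFILE.get(ous[0].value, DEFAULT_PROFILE)


def demo():
    """Trusted CA, rogue CA and four constructed devices; returns each decision."""
    ca_key, ca_cert = make_ca("Corp-Device-CA")    # in the trust store
    rogue_key, rogue_cert = make_ca("Rogue-CA")    # not trusted
    trusted = [ca_cert]
    devices = {
        "fin-laptop-01": issue_device_cert(ca_key, ca_cert, "fin-laptop-01", "Finance-Laptops"),
        "eng-laptop-01": issue_device_cert(ca_key, ca_cert, "eng-laptop-01", "Engineering-Laptops"),
        "kiosk-01": issue_device_cert(ca_key, ca_cert, "kiosk-01", "Kiosks"),
        "rogue-01": issue_device_cert(rogue_key, rogue_cert, "rogue-01", "Finance-Laptops"),
    }
    return {name: authorize(cert, trusted) for name, cert in devices.items()}
```

Running `demo()` yields `PERMIT_FINANCE_VLAN` and `PERMIT_ENG_VLAN` for the two laptops, the restricted profile for the kiosk whose OU is not mapped, and `ACCESS_REJECT` for the device whose certificate carries the right OU but chains to an untrusted CA. In ISE the same split is a Certificate Authentication Profile for the authentication step and an authorization policy whose conditions reference the certificate's subject attributes (and, per the answer, Intune registration/compliance), so the OU values pushed by the MDM certificate profile are what the differentiated rules key on.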

2 Replies


Many Thanks Greg