ISE 3.2 dot1x authentication with Intune issued certificates

Carlos T
Level 1

Hi,

The requirement is to enable dot1x wired authentication/authorization for Intune-registered devices. There is only Azure AD and Intune. There is NO on-premises component (no on-premises/traditional AD, and no ADCS).

According to the following link, we need ADCS so Intune can issue certificates for the endpoints, so that ISE can then use the certificate to authenticate and authorize the device/user.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune - Page 2 - Cisco Community

After the endpoint is registered with Intune, I see that by default Intune pushes/deploys a certificate to the endpoint signed by "Microsoft Intune MDM Device CA".

Can this certificate be used for authentication and authorization instead of using SCEPman or ADCS? I don't see it mentioned in the guide; they only show using ADCS, and in the Q&A they used SCEPman, but why not use the default cert provided by Intune?

Thanks!


5 Replies

Greg Gibbs
Cisco Employee

No, it is not possible to use the certificate issued by "Microsoft Intune MDM Device CA". This certificate is stored in the Computer certificate store. Windows will not present a Computer certificate for a dot1x User authentication session.

Even if it were a User certificate, there is no User Principal name nor the Intune GUID inserted in the CN or SAN field.

Carlos T
Level 1

Thanks Greg, so the only option is to use ADCS for the user/device certificates, as mentioned in your document.

ADCS is a traditional solution. If we want a cloud-only solution, SCEPman could be used. Is Cisco OK with using SCEPman instead of ADCS?

Thanks!

ISE is not involved in any part of the certificate enrolment. As long as the certificate includes the necessary attributes for relevant use case (UPN for User AuthZ against Entra ID; URI with GUID for Intune compliance check), there should be no issues.

ISE will need the CA Root chain (including any Intermediate/Issuing CAs) for SCEPman in the Trusted Certificates store to trust the certificate issued by the client. The client will need to trust the Root CA that signed the ISE EAP certificate in the Wired/Wifi Profile to trust the cert presented by ISE.

In case you missed it, there is a Microsoft Cloud PKI service on the way as part of the Microsoft Intune Suite. SCEPman probably still works out cheaper though.
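The two points made above (Windows will only present a certificate from the user store for a user dot1x session, and the certificate must carry a UPN for Entra ID user authorization and a URI with the Intune device GUID for the compliance check) can be checked on an enrolled endpoint before touching ISE. The script below is an added example written for this thread, not code from the original posts or from Cisco; it walks the CurrentUser and LocalMachine personal stores, pulls the EKU and SAN out of each certificate with a private key, and reports which ones are usable for which purpose. The store paths and OIDs are standard; the assumption is that the SAN entries appear in Windows' formatted output as "Principal Name=" and "URL=" lines, which is how the Windows crypto formatter renders a UPN otherName and a URI SAN. Run it in an elevated PowerShell so the LocalMachine private-key flags are readable.

```powershell
# Added example: inventory dot1x-capable certificates on an Intune-enrolled Windows endpoint.
# Not from the original thread. Assumes the Windows SAN formatter renders UPN and URI entries
# as "Principal Name=" and "URL=" (standard behaviour of X509Extension.Format on Windows).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Extended Key Usage: Client Authentication (needed for EAP-TLS)
$EkuOid        = '2.5.29.37'           # Extended Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-DotOneXCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][ValidateSet('CurrentUser','LocalMachine')][string]$Store
    )

    # EKU: .NET parses this extension into X509EnhancedKeyUsageExtension, so the OID list is typed.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # SAN: not parsed into a typed class on Windows PowerShell, so use the formatted text.
    # Typical output:
    #   Other Name:
    #        Principal Name=user@contoso.com
    #   URL=IntuneDeviceId://{GUID}
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $upn     = [regex]::Match($sanText, 'Principal Name=(\S+)').Groups[1].Value
    $uri     = [regex]::Match($sanText, 'URL=(\S+)').Groups[1].Value

    # Does the local chain build? If it does not, the client most likely lacks the issuing CA,
    # and ISE will need that same chain in its Trusted Certificates store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Store                = $Store
        Subject              = $Cert.Subject
        Issuer               = $Cert.Issuer
        HasPrivateKey        = $Cert.HasPrivateKey
        ClientAuthEKU        = $hasClientAuth
        SanUPN               = $upn
        SanURI               = $uri
        ChainBuilds          = $chainOk
        # A user dot1x session only offers certificates from the user's own store.
        UsableForUserAuth    = ($Store -eq 'CurrentUser') -and $hasClientAuth -and $Cert.HasPrivateKey -and ($upn -ne '')
        # A machine session offers computer-store certificates; the Intune GUID URI drives the compliance lookup.
        UsableForMachineAuth = ($Store -eq 'LocalMachine') -and $hasClientAuth -and $Cert.HasPrivateKey
        HasIntuneGuidURI     = ($uri -ne '')
    }
}

'CurrentUser', 'LocalMachine' | ForEach-Object {
    $store = $_
    Get-ChildItem "Cert:\$store\My" |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { Test-DotOneXCert -Cert $_ -Store $store }
} | Format-Table Store, Issuer, ClientAuthEKU, SanUPN, SanURI, ChainBuilds, UsableForUserAuth, UsableForMachineAuth -AutoSize
```

On a device that only has the default Intune enrollment certificate, expect a single LocalMachine row issued by "Microsoft Intune MDM Device CA" with empty SanUPN and SanURI, which is exactly why it cannot serve the user authorization or compliance use cases described above; a SCEPman- or ADCS-issued certificate with the right template should show a CurrentUser row carrying both values.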

jitendrac
Level 1

Any idea if ISE 3.3 supports Microsoft Cloud PKI, so that it can be used for EAP-TLS with Microsoft Entra ID for user certificate-based authentication?