ISE Integration with Entra-joined Devices/Users

GregoryLeggett
Level 1

My organization is working on a migration path to Win11 (Entra joined), with hybrid user accounts. According to the below posting, it was mentioned that TEAP (EAP-TLS) is not supported for Computer authentication or EAP-Chaining.

Cisco ISE with Microsoft Active Directory, Azure AD, and Intune 

I have two questions about this:

  1. Is this a limitation of ISE or with Windows11 being Entra joined?  If ISE, could you please explain why EAP-Chaining and computer authentication are not supported?
  2. We are currently using TEAP to solve the "chicken and egg" problem outlined in the below posting.  If TEAP cannot be used in an Entra joined environment, then what options are available to ensure that a user logging into a computer for the first time is able to build a user profile with certificate issuance, for user authentication?
    EAP-TEAP: First time user login/chicken & egg scenario 

@Greg Gibbs

1 Reply

Greg Gibbs
Cisco Employee

Authorization of an Entra Joined Device is not currently possible in ISE, and neither is EAP Chaining an authenticated User session and Computer session. This is specifically stated in the ISE 3.2 Release Notes.

With Windows 11, most organisations are moving from the legacy on-corporate-network PC staging/build process that is controlled by SCCM and uses the PXE boot process to a Windows Autopilot process. For Autopilot, the user would just need a bare internet connection to complete the build, so this could potentially be accomplished by connecting to a Guest BYOD portal or hotspot of some kind. Part of the Autopilot process would be enrolment with Intune, which would also enrol the Device/User certificates, after which point the user could connect to the secure Corporate network.