topic Re: MDM endpoint attributes cached in ISE for loss of connectivity? in Network Access Control

MDM endpoint attributes cached in ISE for loss of connectivity?

Greg Gibbs — Mon, 14 Jan 2019 20:59:51 GMT

Hi TME team,

Does ISE cache endpoint attributes related to MDM checks (like MDM.DeviceRegisterStatus) in the event that the MDM server becomes unreachable? If so, how long are they cached?

I'm doing some customer testing with SCCM and ISE 2.2 p9 and getting some inconsistent behaviour, so I need to know what the expected behaviour is for this scenario?

Do we have any validated best practices for design or policy configuration (e.g. using the 'MDM.ServerReachable' condition match) to mitigate endpoint authZ issues in the event that connectivity is lost to the MDM server?

Re: MDM endpoint attributes cached in ISE for loss of connectivity?

ma.alsaffar — Tue, 15 Jan 2019 07:18:57 GMT

Hi,

Dont know if the following document will help or not,
but i can consider it as best practice and have all info needed for integration
https://cisco-marketing.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/71727-102-1-139077/How%20to%20Integrate%20Microsoft%20SCCM%20with%20ISE%202.1.pptx.pdf

Re: MDM endpoint attributes cached in ISE for loss of connectivity?

Timothy Abbott — Tue, 15 Jan 2019 15:44:58 GMT

We have a MDM Deployment Guide that outlines best practice for integration of SCCM and ISE. As to whether or not ISE caches MDM attributes; I don't believe it does because ISE relies on SCCM to be the single source of truth when it needs compliance information for an endpoint tied to SCCM.

Regards,

-Tim

Re: MDM endpoint attributes cached in ISE for loss of connectivity?

Greg Gibbs — Wed, 16 Jan 2019 22:46:03 GMT

Thanks Tim. That would have been my expectation as well, but that's not what I've found in my testing.

I created some Monitor Only rules to track the attributes for ServerReachable and DeviceRegister easier in the logs. I tested both before and after blocking network connectivity from the ISE nodes to the SCCM server and found the following:

Before blocking SCCM:

After blocking SCCM:

Even more odd, if I disconnect and delete the endpoint from Context Visibility then reconnect it, the new session shows 'SCCM Reachable' even though the PSN still has no network connectivity to SCCM.

I don't know if this has anything to do with the bug fixed in P13 around Context Visibility not updating correctly, so I may have to test again with P13 applied. If I see the same behaviour, I might have to open a TAC case.

@Nidhi, any input here?

Re: MDM endpoint attributes cached in ISE for loss of connectivity?

Nidhi — Thu, 17 Jan 2019 10:31:01 GMT

Hello Greg,

It does look like it is getting saved in Cache. you might be hitting CSCvn70558 MDMServerReachable does not work for SCCM MDM again This issue was observed internally as well. There was a fix done for caching issue for MDM. I suggest 2 things here -

1- Raise a TAC case so that they can suggest you the right patch

2- Include MDMServerReachable also in your Policy.

Thanks,

Nidhi