topic Re: ISE SCCM DDM endpoint registration check for user session in Network Access Control

ISE SCCM DDM endpoint registration check for user session

Greg Gibbs — Wed, 19 Sep 2018 23:55:00 GMT

Hi all,

I haven't found any good information detailing how ISE queries SCCM when integrated as a Desktop Device Manager.

I assume that ISE uses the Windows machine hostname as the identity for the query (WMI/API?) against SCCM to request Registration/Compliance status. Is there any documentation available that defines this in more detail?

For a PEAP or EAP-TLS user auth session, is ISE still able to query SCCM for the Registration/Compliance status of the related machine (assuming native supplicant with no EAP-Chaining)?

Re: ISE SCCM DDM endpoint registration check for user session

Jason Kunst — Thu, 20 Sep 2018 00:10:44 GMT

EAP chaining is not required

I believe a special registration id is setup between the agent ise and the server

Also the integration is special between Microsoft sccm and ise for a more tight package and easier streamlined on boarding

Have you checked this out?

https://community.cisco.com/t5/security-documents/ise-design-amp-integration-guides/ta-p/3621164#toc-hId--881615321

Re: ISE SCCM DDM endpoint registration check for user session

Greg Gibbs — Sun, 23 Sep 2018 22:46:53 GMT

Thanks Jason. I've seen that PPT deck, but it's still pretty vague about the WMI comms between ISE and SCCM.

I was hoping we would have something with a bit more detail on what identity ISE uses in the WMI call (similar to MDM API call using MAC Address) so I could be sure that an SCCM registration check will work on a User Auth session.

I've setup SCCM in my home lab so I'll do some testing when I have a chance and update this post with my results.

Re: ISE SCCM DDM endpoint registration check for user session

Jason Kunst — Mon, 24 Sep 2018 18:33:34 GMT

i asked our SME @Nidhito take a look

Re: ISE SCCM DDM endpoint registration check for user session

Nidhi — Tue, 25 Sep 2018 15:22:27 GMT

ISE uses user account which is member of SMS admin group to query the status of endpoints.

sample query looks like this -

select SMS_R_System.Name, SMS_G_System_CI_ComplianceState.CI_UniqueID, SMS_G_System_CI_ComplianceState.ComplianceState, SMS_G_System_CI_ComplianceState.LocalizedDisplayName, SMS_G_System_CH_ClientSummary.LastPolicyRequest from SMS_R_System left join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId left join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId where (SMS_R_System.MacAddresses like ‘%MAC_ADDRESS%' OR SMS_G_System_NETWORK_ADAPTER.MACAddress like ‘%MAC_ADDRESS%') AND SMS_G_System_CI_ComplianceState.CI_UniqueID='ScopeId_5E0BA349-421B-4663-8E5F-3D2C408A3FA5/Baseline_28ff969f-cc82-4246-a15d-214d1489b076’

I am also in the process of documenting the details for the MDM flow and should be available in few days.

Thanks,

Nidhi

Re: ISE SCCM DDM endpoint registration check for user session

Greg Gibbs — Tue, 25 Sep 2018 21:45:09 GMT

Thanks @Nidhi and @Jason Kunst.

If you can also include information on what constitutes a 'MDM.DeviceRegisterStatus=true' response from SCCM, that would be helpful.

In my home lab, I've performed a manual device discovery in SCCM for my test PC which includes the MAC Address but I still appear to be getting a 'MDM.DeviceRegisterStatus=false' response from SCCM. I don't currently have the SCCM Client deployed to the PC, but I'm not sure if that's required.

I would like to get some of this sorted out prior to trying to setup a PoC in my customer's environment.

Re: ISE SCCM DDM endpoint registration check for user session

Greg Gibbs — Wed, 10 Oct 2018 01:37:43 GMT

Just to close the loop on this, I was able to get this working in my lab with the following caveats/observations.

SCCM does not consider the endpoint registered until the CM Client is installed and Active (PC calls home to SCCM). Manually registering an endpoint in SCCM (and adding the MAC address) does not work as SCCM returns a 'MDM.DeviceRegisterStatus=false' response.
The SCCM registration check works for both 802.1x computer and user sessions (user or computer auth setting in Windows)
The SCCM registration check works for both Wired and Wireless sessions. I would have to assume that the CM Client communicates all available MAC Addresses to SCCM (unlike other MDM vendors like JAMF, AirWatch, etc).

Re: ISE SCCM DDM endpoint registration check for user session

Nidhi — Wed, 10 Oct 2018 04:30:41 GMT

Glad it worked !

Thanks

Re: ISE SCCM DDM endpoint registration check for user session

Maiquel Consalter — Tue, 11 Aug 2020 13:58:07 GMT

HI Greg,

tks for your information. Could you please help with my doubt?

The SCCM/MDM I check the rules before or after the Anyconnect posture? For example:

If registered and Compliance with MDM/SCCM and Posture NOT_EQUALS=Compliance redirect for install the client and remediation portal.

If registered and Compliance with MDM/SCCM and Posture EQUALS=Compliace permit the access. Is this the correct configuration?

Re: ISE SCCM DDM endpoint registration check for user session

Greg Gibbs — Wed, 12 Aug 2020 00:03:12 GMT

ISE gets the MDM/DDM and ISE Posture information from two different sources. The MDM/DDM check is a real-time check against that system when the session hits that AuthZ rule. The ISE Posture check happens with the same logic (unless you the Posture lease enabled).

That said, I don't believe the combination of both MDM/DDM and ISE Posture has been tested, so I don't know if you will run into any order-of-operations or race condition issues with the MDM/DDM check and URL redirection.

IMHO, the MDM/DDM Compliance would likely provide similar if not more granular and centrally managed functionality than the ISE Posture Compliance checks, so I'm not sure what the value in using both would be.

If you decide to use both, I would highly suggest extensive testing in a non-Production followed by a Production Pilot environment prior to rolling it out to the wider Prod environment.

Re: ISE SCCM DDM endpoint registration check for user session

Maiquel Consalter — Wed, 06 Jan 2021 19:00:29 GMT

Tks Greg.