topic Re: ISE external MDM Intune integration returns old\wrong API version in Network Access Control

ISE external MDM Intune integration returns old\wrong API version

rogergh — Thu, 25 Aug 2022 07:07:07 GMT

Hi, we are trying to integrate our Microsoft Endpoint Manager (previously Intune) into Cisco ISE 3.1 Patch 3 as external MDM-server, but it always returns API version 2 instead of version 3 when testing connection. The documentation says version 3 is supported when using Microsoft Endpoint Manager. Enabling debug on the MDM-component reveals the following lines which seem to be relevant to the detection process:

2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.authtoken.MdmAzureActiveDirectoryClient -::::- Access token has acquired succesfully from Microsoft Azure. 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- inside the method : callMdmServerInfoApiOnMdmServer() 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- apiVersionSb : 3, mdmApiVersionSb : , tryWithV3 : false 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query String -> /ciscoise/mdminfo/?ise_api_version=3 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- MDM Rest API Server Query PATH String -> /ciscoise/mdminfo/?ise_api_version=3 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- 1. Connecting to the MDM server host fef.msub05.manage.microsoft.com using apiVersion 3 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: start HTTP request - connectionsUsed: 2, connectionsAvailable: 198 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: start HTTP request - connectionsUsed: 0, connectionsAvailable: 200 2022-08-24 15:01:05,195 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- ===mdmFlowInfo===null,=====serverType=====MobileDeviceManager,===serverAuthType===OAuth - Client Credentials 2022-08-24 15:01:05,195 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://fef.msub05.manage.microsoft.com/StatelessNACService/ciscoise/mdminfo/?ise_api_version=3 2022-08-24 15:01:05,322 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200 2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDom: end HTTP request - connectionsUsed: 2, connectionsAvailable: 198 2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- sendGETRequestDomNonComp: end HTTP request - connectionsUsed: 0, connectionsAvailable: 200 2022-08-24 15:01:05,326 DEBUG [admin-http-pool55][] cisco.cpm.mdm.api.MdmServerInfoApi -::::- returning from the method : callMdmServerInfoApiOnMdmServer() -> com.cisco.cpm.mdm.api.MdmServerInfoData Object { apiPath: /StatelessNacService/ciscodeviceinfo/mdm/api redirectUrl: https://portal.manage.microsoft.com/networkaccesscontrol/index queryMaxSize: 100 apiVersion: 2 vendor: Microsoft productName: Microsoft Intune productVersion: 5.0 COMMA: , errorMsg: null errorOccurred: false } 2022-08-24 15:01:05,893 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to load the handler impl class 'com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler' com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler 2022-08-24 15:01:05,893 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to get handler with name PxGridNotificationHandler 2022-08-24 15:01:05,893 WARN [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Handler with name 'PxGridNotificationHandler' is not loaded with impl class 'com.cisco.cpm.psqmgr.notification.PxGridNotificationHandler' 2022-08-24 15:01:05,894 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to load the handler impl class 'com.cisco.cpm.eps.config.ConfigChangeHandler' com.cisco.cpm.eps.config.ConfigChangeHandler 2022-08-24 15:01:05,895 ERROR [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Unable to get handler with name EPSConfigChangeHandler 2022-08-24 15:01:05,895 WARN [admin-http-pool55][] pap.api.handler.impl.HandlerInfoImpl -::::- Handler with name 'EPSConfigChangeHandler' is not loaded with impl class 'com.cisco.cpm.eps.config.ConfigChangeHandler' 2022-08-24 15:01:05,911 DEBUG [admin-http-pool55][] cisco.cpm.mdm.pip.MdmSettingsNotificationHandler -::::- add / update mdm server to the local MDM servers cache MSEndpMgmt 2022-08-24 15:01:05,912 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmServersCache -::::- MDM server - Status : InActive, mdm server id : REMOVEDFROMLOG and mdm server name : MSEndpMgmt

Anyone else made this work with API version 3?

Re: ISE external MDM Intune integration returns old\wrong API version

Mark Elsen — Thu, 25 Aug 2022 07:21:40 GMT

- Ref : https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72427.html

>...Configure the use of MDM APIv3 Microsoft Intune integration. This includes the deployment of certificates to all Intune registered endpoints and confirmation that those certificates are used for network authentication. For further information, see the Integrate MDM and UEM Servers with Cisco ISE Configuration Guide.

Check of any of the mentioned 'arguments' can be applicable to your case.

Re: ISE external MDM Intune integration returns old\wrong API version

Rob Ingram — Thu, 25 Aug 2022 07:21:49 GMT

@rogergh check out this Cisco video relating to configuring ISE 3.1 with Intune. https://www.youtube.com/watch?v=iAKyIHFqbgE

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Thu, 25 Aug 2022 08:01:19 GMT

@Mark Elsen The Azure application\registration is configured to use the Cisco ISE-certificate for authentication, and the Endpoint Manager device profiles are configured to deploy certificates from our PKI (with MS Connector for MEM\Intune) with the SAN URI as DeviceID (as per the documentation). We don't have to activate some other global MEM\Intune certificate config I assume?

@Rob Ingram The video seems very interesting, but from what I can see it doesn't seem to include configuring the External MDM-connector in ISE against MEM (Intune), only policy and endpoint-configuration after getting it up and running. Thanks anyway though, seems interesting for the post-config parts.

Re: ISE external MDM Intune integration returns old\wrong API version

Mark Elsen — Thu, 25 Aug 2022 12:00:39 GMT

- Check if there are any settings on Microsoft Endpoint Manager , where you could specify or set the api version to be used explicitly.

Re: ISE external MDM Intune integration returns old\wrong API version

Greg Gibbs — Thu, 25 Aug 2022 23:11:46 GMT

In the logs, I see an MDM response of 200. This should mean a successful response to the APIv3 query, so it looks like that should be working.

2022-08-24 15:01:05,195 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://fef.msub05.manage.microsoft.com/StatelessNACService/ciscoise/mdminfo/?ise_api_version=3 2022-08-24 15:01:05,322 INFO [admin-http-pool55][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200

What have you configured for the Device Identifier in the MDM server config? Have you disabled the 'Legacy MAC Address' option for identity? If not, ISE would likely be using both APIv2 and APIv3 during the lookups.
You might want to enable the TRACE level on the external-mdm log via the Debug Wizard, test an endpoint, and see what details you can see related to the session (deviceIdentifier, GUID, etc).

Example from my Webinar:

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Mon, 29 Aug 2022 09:42:15 GMT

Hi.

We can't adjust the settings for Device Identifier, since it only says that it supports API V2 (greyed out).
See the screenshots for our settings. I have removed client ID and Token Issuing URL in the picture only. They are correctly filled out in the settings.

Re: ISE external MDM Intune integration returns old\wrong API version

Greg Gibbs — Mon, 29 Aug 2022 22:22:32 GMT

The configuration on ISE and the API Permissions in Azure look correct.

Does your token endpoint have the following format?
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

Did you upload the Admin certificate from ISE to the App Registration in Azure as described from Step 7 in the guide (https://www.cisco.com/c/en/us/td/docs/security/ise/UEM-MDM-Server-Integration/b_MDM_UEM_Servers_CiscoISE/chapter.html)?

Have you installed all of the Trusted Certificates listed in Step 25?

Was this an existing External MDM in ISE that you are re-configuring to use the APIv3 or are you configuring it as a new MDM? If it was already existing using APIv2, you might try configuring it as a new MDM to see if that resolves the issue.

I configured it as a new MDM in my lab as per the guide, and my ISE 3.1p3 instance states it supports APIv3.

If all of the above are correct, you might need to open a TAC case and provide the TRACE level external-mdm logs for further investigation.

Re: ISE external MDM Intune integration returns old\wrong API version

hslai — Tue, 30 Aug 2022 01:11:54 GMT

I saw similar in a customer case, whose TAC engaged the BU escalation team as well as Microsoft Intune team. FYI.

Re: ISE external MDM Intune integration returns old\wrong API version

Jeremybosch — Thu, 01 Sep 2022 12:34:24 GMT

We have a similair problem, not resolved. MDM connections to our production tenant return API v2 but if I hookup the MDM to our my test tentant it defaults to v3.

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Fri, 09 Sep 2022 13:40:22 GMT

Thanks for the replies, guys.

I guess we will have to open a TAC case and get this investigated.

Re: ISE external MDM Intune integration returns old\wrong API version

bart.t — Wed, 14 Dec 2022 10:17:06 GMT

@rogergh

Hi, we've the same issue currently and opened a TAC case as well. We see MDM respond with version 2 as well and TAC directs us now to the Intune Engineer to look for an option to simply enable V3 somehow.

So I'll do that. But...

How did it end for you? Was it fixed?

Thanks for sharing!

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Wed, 14 Dec 2022 11:10:12 GMT

@bart.t

Unfortunately the case progress has been very slow. After a lot of ISE log debugging, Cisco redirected us to Microsoft to verify that "version 3" is active and being sent, and then Intune support just redirect us to the integration guide and say that everything seems correct on their end (I'm not sure they understood what Cisco wants them to check, so I asked for a clarification from Cisco support as well, but haven't heard back yet). I can see from Microsoft documentation (https://learn.microsoft.com/en-us/mem/intune/protect/network-access-control-integrate) that they refer to their NAC-integration version as NAC 2.0, so the debug logs might actually return correct information (if it refers to Microsofts version numbering and not Cisco's, but I still need clarification from Cisco on this).

If you get any closer to a solution, let us know here as well 🙂

Re: ISE external MDM Intune integration returns old\wrong API version

bart.t — Wed, 14 Dec 2022 11:20:54 GMT

Thank you for your quick response. It's unfortunate that your case is dragging on as well. One would think Cisco and Microsoft should interact directly regarding which data is sent across and how it should be interpreted.

Thanks for sharing, I will as well for sure.

Re: ISE external MDM Intune integration returns old\wrong API version

bart.t — Thu, 12 Jan 2023 17:16:49 GMT

After a month of zero updates I went into ISE again to try and troubleshoot again but to no avail.

So I searched the forum again, found this topic and after that gave bugsearch a go again.

There I found the following bug: https://bst.cisco.com/bugsearch/bug/CSCwd84055

The following is stated and including a workaround:

Symptom:

While integrating ISE 3.1 with Azure AD/Intune for MDM, ISE reports that MDM only supports Cisco ISE API Version 2.

This occurs due to ISE incorrectly assuming that in the Azure Auto Discovery JSON, ComplianceRetrievalService (V3) appears before NACAPIService(V2). If Azure result has NACAPIService appearing first, ISE picks that endpoint and ignores ComplianceRetrievalService that appears further in the output.

ISE needs first look for ComplianceRetrievalService in the entire JSON before failing over to NACAPIService

Conditions:

Integrating ISE 3.1 with Azure AD and it reports that it support Version 2 and not Version 3.

Workaround:

To workaround this issue, Auto Discovery has to be set to No and we can specify the endpoint for Version 3 manually.

Hostname: fef..manage.microsoft.com

Port: 443

Instance: TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService

Did you already try and test this workaround?

I've just pointed our TAC engineer to this bug as a possible workaround.

The given symptoms and clarification matches your last post at least in essence.

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Fri, 13 Jan 2023 08:26:33 GMT

Very nice find, @bart.t !

This has solved the problem for us. Here is the steps I used to get it to work:

I first tried adding manual server, by using "fef.manage.microsoft.com" as server (which in my case resolved to "fef.msub06.manage.microsoft.com", but that did not work (401 Unauthorized error).

Then I completed the "Add new MDM server" with auto-discover and APIv2 just to check which server it retrieved, and it retrieved "fef.msub05.manage.microsoft.com" and a different "Instance name" than what is listed in the bug entry.

I then opened the entry and changed auto-discover to "No", then changed the "Instance name" manually to what was listed in the bug entry, and then it worked! "APIv3 supported"

Re: ISE external MDM Intune integration returns old\wrong API version

bart.t — Fri, 13 Jan 2023 08:49:09 GMT

@rogergh thanks for getting back so quickly!

Thanks for describing the steps taken.

Basically you just edited a working APIv2 Instance and made it manual and only changed the Instance name (Default: StatelessNACService) to TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService? So that whole pretty long string/path?

And maybe change the port to 443, although I suppose it defaults to 443.

I'll inform the customer and schedule a session to test those settings as well.

Thanks for the cooperation on this one!

Re: ISE external MDM Intune integration returns old\wrong API version

rogergh — Fri, 13 Jan 2023 09:25:33 GMT

Yes, correct. Changing the "Instance name" manually from a working auto-discover was the only real thing I needed to do, as port is 443 by default, and then click "Test connection". Then it would report APIv3 support and I was able to turn on SAN GUID-support. Specifying host name manually did not work for me, as the "fef.manage.microsoft.com" resolved to a subserver that returned 401 unauthorized error for me.

Re: ISE external MDM Intune integration returns old\wrong API version

laposilaszlo — Thu, 23 May 2024 07:57:11 GMT

Hi bart.t

I might be having the same problem, but i just don't understand where this workaround needs to be done, in ISE or in Intune?

Would you mind sending me some explanation?

Thanks,

Laszlo

Re: ISE external MDM Intune integration returns old\wrong API version

bart.t — Thu, 23 May 2024 08:24:01 GMT

Hi Laszlo, it's done on the MDM instance on the External MDM page in ISE (under Administration > Network resources).