topic Re: ISE Intune querying behavior. in Network Access Control

ISE Intune querying behavior.

Michaelkarper — Tue, 11 Jun 2024 10:27:18 GMT

Hey all,

I had a discussion about the ISE Intune querying behavior when hitting an authorization policy where there is no MDM condition/attribute defined. I do believe it does not do the query as it's not configured in the indentity source sequence as a join point.

Am I correct in the examples provided below? :

Policy conditions:

Top Policy:
Wireless_802.1X
Radius·Called-Station-ID - CONTAINS _ MDM_SSID AND
MDM·MDMServerName - EQUALS _ Intune_Dummy_server AND
MDM·DeviceCompliantStatus - EQUALS _ Compliant

In this case Intune_Dummy_server is queried.

Below top policy:
Wireless_802.1X
Radius·Called-Station-ID - CONTAINS _ AD_SSID AND
Network Access·EapAuthentication - EQUALS _ EAP-TLS AND
Dummy-AD·ExternalGroups - EQUALS _ Dummy.domain/Users/Domain Users

In this case Intune_Dummy_server is NOT queried.

Many thanks!

Re: ISE Intune querying behavior.

Greg Gibbs — Tue, 11 Jun 2024 22:14:57 GMT

An Identity Source Sequence is queried during the Authentication process, which is separate from the External MDM lookup that happens during the Authorization process.

ISE will perform an MDM lookup during the Authorization process if any of the MDM dictionary attributes are defined as a matching condition in the Authorization Policy that is evaluated.
If you only have a single External MDM defined, it is not required to use the 'MDMServerName' attribute. That is mainly needed when you have multiple MDMs in use to inform ISE which MDM it should perform the lookup on.

Re: ISE Intune querying behavior.

Michaelkarper — Wed, 12 Jun 2024 17:31:57 GMT

Hi Greg,

Awesome, thanks for confirming my suspicion.
I've added the MDMServerName as an example from an environment in which there is a Production MDM and an Acceptance MDM.

Flagged as solution!

Many thanks.