Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1271
Views
1
Helpful
4
Replies

Failing Enroll for VPN users on Microsoft Intune MDM

musultan
Cisco Employee
Cisco Employee

‎03-10-2018 02:17 AM

Hi,

My customer is integrating ISE and Microsoft Intune - for mobile devices for VPN users using ASA.

Redirection is happening to ISE portal but failing when we click on enroll with Microsoft Intune MDM server.


Below is the doc which lists the ports and services that the Intune client accesses:

https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements


I am wondering that how to construct the Redirect ACL on ASA for Microsoft Intune MDM server?

Please advise.

4 Replies 4

Craig Hyps
Level 10
Level 10

‎03-11-2018 08:17 AM

Unlike other MDM-type integrations that redirect clients to the MDM itself, Intune integration is based on ISE querying the Device Management server (Intune in this example) directly via WMI.  The query uses the client MAC address as the key.

However, in VPN scenarios, the situation is a bit more complex as MAC addresses are not visible at the IP/VPN layers.  ISE relies on special integration feature of the AnyConnect client and ASA to communicate the MAC address (if exposed by client OS) and other endpoint details over AnyConnect Identity EXtensions (aka ACIDEX).  

If properly sending ACIDEX attributes over VPN, then you will see cisco-av-pair=mdm-tlv attributes in RADIUS which will inform ISE about connected VPN endpoint.  ACIDEX support requires AC AC 3.1 MR5+ and ASA 9.2.1+.  If MAC address not retrieved, then query to Intune based on MAC cannot occur.

0 Helpful

musultan
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎03-12-2018 02:45 PM

Thanks for the reply,

Can you please clarify about the Redirect ACL on ASA in regards of MDM - MS Intune

  • Do we need to add MDM IP address in it?
  • How should it be constructed on the ASA? Do you have example?
0 Helpful

Craig Hyps
Level 10
Level 10
In response to musultan

‎03-12-2018 02:53 PM

Redirect would be to ISE PSN DM portal so ISE can tell user if registered/compliant, not DM/MDM itself.  ISE communicates with DM server directly for the Intune/SCCM use cases. 

You would need to allow access to MDM for agent to server communication and potential remediation (assuming not mobile data connection).  The redirects should be configured similar to that of posture, but would be specific to the ISE DM portal port specified (for example, 844x). See following for info on Posture example: How To: ISE and ASA Integration using CoA for Posture

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to musultan

‎03-13-2018 08:39 AM

Here is my example in my recent ASA VPN posture testing:

ASAv-vpn# show running-config access-list


access-list postureUrlRedirect extended permit tcp any any eq www

If Intune requires HTTP/80 access, then we need to add an entry before the permit to deny its IP address(es).

Besides of the redirect ACL, please ensure either explicit or implicit ACL/DACL allow to go to Intune as well.

0 Helpful
Customers Also Viewed These Support Documents