Cisco Anyconnect ISE Posture with intune

ipagliani
Level 1

Ciao,

Starting from this document: https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72427.html I understand that integrating Microsoft Intune for posture validation via VPN is not a long-term solution:

For VPN-based endpoints, rely solely on the MAC address as the unique identifier with the MDM. This might not be possible with later versions of some operating systems which prevent access by applications to the MAC address. When this is not possible, until a holistic solution is available that replaces the use of a UDID for integration with Intune, customers might choose to use ISE posture in order to check for security compliance as an alternative to verification against Intune. Refer to the ISE Posture Prescriptive Deployment Guide for further information.

So the question is: using an ISE posture policy, how can I test/check that the PC is an Intune-enrolled client? Any regkey, or something else?

Thanks


3 Replies

@ipagliani you don't necessarily need to use ISE posture, you can just integrate ISE and Intune, then use the MDM dictionary attributes such as DeviceCompliantStatus (compliant|noncompliant) or DeviceRegisterStatus (true|false) in an Authorisation rule.

[screenshot: RobIngram_0-1689944351869.png]
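To make the authorization-rule approach in this reply concrete, here is an added example (not code from the thread, from Cisco ISE or from Intune) that models an ISE authorization policy keyed on the MDM dictionary attributes DeviceRegisterStatus and DeviceCompliantStatus. The MDM lookup is simulated with a constructed in-memory table, and the rule names, result profiles and endpoint identifiers are assumptions; the one design point it adds beyond the reply is that an endpoint the MDM cannot answer for is treated fail-closed.

```python
"""Added example: a small model of an ISE authorization policy that uses the
Intune MDM dictionary attributes. Rule names, result profiles and the sample
endpoint table are assumptions, not Cisco's or Microsoft's own values."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what the MDM (Intune) lookup might return per endpoint.
# Keys are placeholder endpoint identifiers, not real MAC addresses or GUIDs.
MDM_TABLE = {
    "endpoint-A": {"DeviceRegisterStatus": "true", "DeviceCompliantStatus": "compliant"},
    "endpoint-B": {"DeviceRegisterStatus": "true", "DeviceCompliantStatus": "noncompliant"},
    "endpoint-C": {"DeviceRegisterStatus": "false", "DeviceCompliantStatus": "noncompliant"},
}


@dataclass
class MdmAttributes:
    registered: bool
    compliant: bool


def query_mdm(endpoint_id, table=MDM_TABLE, reachable=True) -> Optional[MdmAttributes]:
    """Simulated MDM query. Returns None when the MDM server is unreachable or
    has no record of the endpoint, so the caller has to decide what to do."""
    if not reachable:
        return None
    rec = table.get(endpoint_id)
    if rec is None:
        return None
    return MdmAttributes(
        registered=rec.get("DeviceRegisterStatus", "false").lower() == "true",
        compliant=rec.get("DeviceCompliantStatus", "noncompliant").lower() == "compliant",
    )


# Ordered rule list, first match wins, mirroring how an authorization policy is
# evaluated top to bottom. Each entry: (rule name, predicate, result profile).
RULES = [
    ("Intune_Compliant", lambda a: a.registered and a.compliant, "PermitAccess"),
    ("Intune_NonCompliant", lambda a: a.registered and not a.compliant, "Quarantine"),
    ("Not_Registered", lambda a: not a.registered, "DenyAccess"),
]


def authorize(endpoint_id, reachable=True, table=MDM_TABLE):
    """Return (matched rule, result) for one endpoint."""
    attrs = query_mdm(endpoint_id, table, reachable)
    if attrs is None:
        # Fail closed: no answer from the MDM is never treated as compliant.
        return ("MDM_Unavailable", "DenyAccess")
    for name, predicate, result in RULES:
        if predicate(attrs):
            return (name, result)
    return ("Default", "DenyAccess")


if __name__ == "__main__":
    for ep in ("endpoint-A", "endpoint-B", "endpoint-C", "endpoint-unknown"):
        print(ep, authorize(ep))
    print("MDM down:", authorize("endpoint-A", reachable=False))
```

The fail-closed branch is the part worth carrying into a real policy: a rule set that only matches on "compliant" or "noncompliant" and leaves everything else to a permissive default would let an endpoint the MDM has never seen through.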

 

Ciao,

Rob Ingram, thanks for the reply. How does ISE associate the client with DeviceCompliantStatus (compliant|noncompliant) or DeviceRegisterStatus (true|false) for this query?

Assuming the MAC address will not be supported much longer and the GUID is not supported yet.

Thanks

 

 

@ipagliani when ISE is integrated with Intune (as per the guides below), ISE will query Intune for the endpoint to determine whether it's registered, its compliance status, etc.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-cisco-ise-mdm-with-microsoft-intune/ta-p/4187375

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217290-integrate-intune-mdm-with-identity-servi.html

The MDM status would be more secure and I wouldn't rely on the MAC address.