

Cisco Employee

Failing Enroll for VPN users on Microsoft Intune MDM


My customer is integrating ISE and Microsoft Intune - for mobile devices for VPN users using ASA.

Redirection is happening to ISE portal but failing when we click on enroll with Microsoft Intune MDM server.

Below is the doc which lists the ports and services that the Intune client accesses:

I am wondering how to construct the Redirect ACL on ASA for the Microsoft Intune MDM server?

Please advise.

Craig Hyps

Unlike other MDM-type integrations that redirect clients to the MDM itself, Intune integration is based on ISE querying the Device Management server (Intune in this example) directly via WMI.  The query uses the client MAC address as the key.

However, in VPN scenarios, the situation is a bit more complex as MAC addresses are not visible at the IP/VPN layers.  ISE relies on a special integration feature of the AnyConnect client and ASA to communicate the MAC address (if exposed by client OS) and other endpoint details over AnyConnect Identity EXtensions (aka ACIDEX).

If properly sending ACIDEX attributes over VPN, then you will see cisco-av-pair=mdm-tlv attributes in RADIUS which will inform ISE about the connected VPN endpoint.  ACIDEX support requires AC 3.1 MR5+ and ASA 9.2.1+.  If the MAC address is not retrieved, then the query to Intune based on MAC cannot occur.

Thanks for the reply,

Can you please clarify the Redirect ACL on ASA with regard to MDM - MS Intune?

  • Do we need to add MDM IP address in it?
  • How should it be constructed on the ASA? Do you have an example?

Redirect would be to ISE PSN DM portal so ISE can tell user if registered/compliant, not DM/MDM itself.  ISE communicates with DM server directly for the Intune/SCCM use cases. 

You would need to allow access to MDM for agent to server communication and potential remediation (assuming not mobile data connection).  The redirects should be configured similar to that of posture, but would be specific to the ISE DM portal port specified (for example, 844x). See following for info on Posture example: How To: ISE and ASA Integration using CoA for Posture

Here is my example in my recent ASA VPN posture testing:

ASAv-vpn# show running-config access-list

access-list postureUrlRedirect extended permit tcp any any eq www

If Intune requires HTTP/80 access, then we need to add an entry before the permit to deny its IP address(es).

Besides the redirect ACL, please ensure that either an explicit or implicit ACL/DACL allows traffic to go to Intune as well.
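
Added example, not part of the thread or of Cisco's documentation: a small Python check of the ordering point in the last reply, assuming the ASA redirect ACL is evaluated first-match with permit meaning "redirect" and deny meaning "bypass". The 192.0.2.x addresses are placeholders for the MDM addresses, and `parse_acl`, `is_redirected` and `shadowed` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the thread's permit line preceded by deny entries for
# placeholder MDM addresses (192.0.2.0/24 is a documentation range, not Intune).
FIXED_ACL = """\
access-list postureUrlRedirect extended deny tcp any host 192.0.2.10 eq www
access-list postureUrlRedirect extended deny tcp any 192.0.2.32 255.255.255.224 eq www
access-list postureUrlRedirect extended permit tcp any any eq www
"""
# Constructed mistake: the deny is placed after the catch-all permit.
MISORDERED_ACL = """\
access-list postureUrlRedirect extended permit tcp any any eq www
access-list postureUrlRedirect extended deny tcp any host 192.0.2.10 eq www
"""
PORTS = {"www": 80, "https": 443}


def parse_acl(text):
    """Parse only 'access-list NAME extended ACTION tcp any DST eq PORT' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or tok[0] != "access-list" or tok[4:6] != ["tcp", "any"]:
            continue
        action, rest = tok[3], tok[6:]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # address followed by a netmask
            net, rest = ipaddress.ip_network(rest[0] + "/" + rest[1]), rest[2:]
        port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        entries.append((action, net, port))
    return entries


def is_redirected(entries, dst_ip, dst_port):
    """First match wins: permit redirects, deny bypasses, no match bypasses."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, port in entries:
        if ip in net and port == dst_port:
            return action == "permit"
    return False


def shadowed(entries):
    """Return entries that can never match because an earlier one covers them."""
    return [e for i, e in enumerate(entries)
            if any(e[1].subnet_of(p[1]) and e[2] == p[2] for p in entries[:i])]
```

Running `shadowed()` over a candidate redirect ACL before applying it flags a deny that was added below the permit, which would leave HTTP traffic to the MDM still redirected to the ISE portal.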
