03-10-2018 02:17 AM
Hi,
My customer is integrating ISE and Microsoft Intune - for mobile devices for VPN users using ASA.
Redirection is happening to ISE portal but failing when we click on enroll with Microsoft Intune MDM server.
Below is the doc which lists the ports and services that the Intune client accesses:
https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements
I am wondering that how to construct the Redirect ACL on ASA for Microsoft Intune MDM server?
Please advise.
03-11-2018 08:17 AM
Unlike other MDM-type integrations that redirect clients to the MDM itself, Intune integration is based on ISE querying the Device Management server (Intune in this example) directly via WMI. The query uses the client MAC address as the key.
However, in VPN scenarios, the situation is a bit more complex as MAC addresses are not visible at the IP/VPN layers. ISE relies on special integration feature of the AnyConnect client and ASA to communicate the MAC address (if exposed by client OS) and other endpoint details over AnyConnect Identity EXtensions (aka ACIDEX).
If properly sending ACIDEX attributes over VPN, then you will see cisco-av-pair=mdm-tlv attributes in RADIUS which will inform ISE about connected VPN endpoint. ACIDEX support requires AC AC 3.1 MR5+ and ASA 9.2.1+. If MAC address not retrieved, then query to Intune based on MAC cannot occur.
03-12-2018 02:45 PM
Thanks for the reply,
Can you please clarify about the Redirect ACL on ASA in regards of MDM - MS Intune
03-12-2018 02:53 PM
Redirect would be to ISE PSN DM portal so ISE can tell user if registered/compliant, not DM/MDM itself. ISE communicates with DM server directly for the Intune/SCCM use cases.
You would need to allow access to MDM for agent to server communication and potential remediation (assuming not mobile data connection). The redirects should be configured similar to that of posture, but would be specific to the ISE DM portal port specified (for example, 844x). See following for info on Posture example: How To: ISE and ASA Integration using CoA for Posture
03-13-2018 08:39 AM
Here is my example in my recent ASA VPN posture testing:
ASAv-vpn# show running-config access-list
access-list postureUrlRedirect extended permit tcp any any eq www
If Intune requires HTTP/80 access, then we need to add an entry before the permit to deny its IP address(es).
Besides of the redirect ACL, please ensure either explicit or implicit ACL/DACL allow to go to Intune as well.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide