ISE 2.7 P6 and connections to MS Azure via MDM

Hi, folks.

Has anyone run ISE with more than one Azure MDM connection (more than one tenant) successfully?

A customer has several Business Area Units, each of which has its own MS Azure tenant.

ISE is the central authentication/authorization platform and has MDM connections successfully configured for each of the tenants.

[image: MDMconnections.jpg]

If a client joins any Azure tenant, it receives a certificate and the issuing chain from the tenant.

The idea is to use the certificate it received for 802.1X authentication using EAP-TLS, which works fine.

Problems begin with authorization:

Since clients from both tenants need to be treated differently on the network, an authorization condition has been configured to check for the tenant the client belongs to.

The condition is using the MDMServerName attribute, like this:

[image: MDMSRV_condition.jpg]

The intention is to check if this condition returns "TRUE"; if so, we can be sure that this client is a member of exactly this tenant, and proceed accordingly.

In addition to this, the compliance of this client is checked using the MDM attribute DeviceCompliantStatus:

[image: MDMcompliance.jpg]

If both of these conditions return "TRUE", the client is authorized and permitted onto the network.

This is what the authorization rule looks like:

[image: 1xPolicy.jpg]

Up to this point, this works perfectly.

Now, if you add another authorization rule directly below this first one, using the exact same structure, the only difference being the condition checking if the SECOND MDMServerName attribute is "TRUE", clients from the SECOND tenant will either falsely be associated with the tenant in the FIRST rule, or not be associated with any tenant (and rule) at all (hitting the default-DENY rule)!

The second authorization rule will never get hit!

It seems like ISE has problems differentiating configured MDM tenants.

How is ISE handling these requests to MS Azure? Is this working like it is supposed to?

Is there another way to differentiate MS Azure clients from various tenants using 802.1X?

Any clues will be appreciated.

Rgs

Frank

1 Reply

Further testing has shown the following:

If the client is NOT KNOWN by ISE (no record in the database) and the tenant in the FIRST RULE that is checked is NOT the correct tenant of the device (the second rule would be the correct one), the client hits the Default-Deny rule.

The second rule is not checked (because if the tenant were checked, it would match!).

Why is the second tenant not checked, when the tenant that is checked first is the "wrong" one?

If the "matching-tenant-rule" is moved from the second place to the top (to be checked first), the client is correctly authorized and the correct MDM parameters show up in the client entry in the ISE database.

[image: MDMAttributeInDB.jpg]

Rgs

Frank
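The original question asks for another way to tell devices from different tenants apart. Since every joined device presents, during EAP-TLS, a certificate issued by its own tenant's chain, the tenant can be derived from which configured trust anchor validates that chain, and that attribution does not depend on the order in which rules or MDM servers are consulted. The Go program below is an added example, not code from the post, from Cisco or from Microsoft: it builds two throwaway tenant issuing CAs and three device certificates in memory (every name, such as Tenant-A and laptop-a1, is made up), attributes a client certificate to a tenant by chain validation, and then applies the post's two conditions, tenant membership and compliance, with a constructed map standing in for the DeviceCompliantStatus lookup. It models the rule logic only; it is not a description of how ISE evaluates its policy internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Tenant is one Azure tenant, identified by the trust anchor of the chain it hands to joined devices.
type Tenant struct {
	Name  string
	Roots *x509.CertPool
}

// tenantFor attributes a client certificate to a tenant by validating its chain against each
// tenant's anchors. List order is irrelevant: the chain validates only against its real issuer.
func tenantFor(leaf *x509.Certificate, tenants []Tenant) (string, bool) {
	for _, t := range tenants {
		opts := x509.VerifyOptions{Roots: t.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := leaf.Verify(opts); err == nil {
			return t.Name, true
		}
	}
	return "", false
}

// authorize applies the post's two conditions, tenant membership and compliance. compliant is a
// constructed stand-in for the MDM DeviceCompliantStatus lookup, keyed by certificate CommonName.
func authorize(leaf *x509.Certificate, tenants []Tenant, compliant map[string]bool) (string, bool) {
	name, ok := tenantFor(leaf, tenants)
	if !ok {
		return "", false // not issued by any configured tenant: default deny
	}
	return name, compliant[leaf.Subject.CommonName] // known tenant; permit only if compliant
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate with a fresh P-256 key; a nil parent makes it self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: ca,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// buildLab constructs two tenant CAs, a device joined to each, and a device from a CA that no
// tenant trusts. Every name here is made up for this example.
func buildLab() ([]Tenant, map[string]*x509.Certificate) {
	caA, keyA := issue("Tenant-A Issuing CA", true, nil, nil)
	caB, keyB := issue("Tenant-B Issuing CA", true, nil, nil)
	caX, keyX := issue("Unrelated CA", true, nil, nil)
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	poolB.AddCert(caB)
	devA, _ := issue("laptop-a1", false, caA, keyA)
	devB, _ := issue("laptop-b1", false, caB, keyB)
	devX, _ := issue("laptop-x1", false, caX, keyX)
	tenants := []Tenant{{"Tenant-A", poolA}, {"Tenant-B", poolB}}
	return tenants, map[string]*x509.Certificate{"laptop-a1": devA, "laptop-b1": devB, "laptop-x1": devX}
}

func main() {
	tenants, devices := buildLab()
	compliant := map[string]bool{"laptop-a1": true, "laptop-b1": true} // constructed MDM data
	for _, cn := range []string{"laptop-a1", "laptop-b1", "laptop-x1"} {
		tenant, permitted := authorize(devices[cn], tenants, compliant)
		fmt.Printf("%-9s -> tenant=%q permitted=%v\n", cn, tenant, permitted)
	}
}
```

Reversing the tenant list leaves the attribution unchanged, which is the property the rule-order experiments in this thread were probing for. A device whose chain is not anchored in any configured tenant ends at default deny regardless of its compliance flag, and a device from the right tenant that is non-compliant is attributed but still denied. Mirroring this on the NAC side means conditioning the authorization rule on the client certificate's issuer chain rather than on which MDM server answered; whether a given ISE release exposes the certificate attributes needed for that is something to confirm against its documentation before relying on it.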