ISE and Intune - ISE not picking up Intune compliance change

andrewswanson
Level 7

Hi


I'm working on an ISE 2.6 patch 6 and MS Intune MDM integration for use with Anyconnect VPN clients.

 

I've successfully tested the ISE/Intune integration to poll Intune to retrieve the device compliant status which is used in ISE authorization policy.

 

When I connected a laptop that was non-compliant, the ISE RADIUS logs showed the attributes below and the laptop was correctly authorised as a non-compliant device

 

MDMServerReachable true
DeviceRegisterStatus true
DeviceCompliantStatus false

 

The problem I'm having is that when the laptop's compliance status changes to compliant, ISE seems to cache the previous DeviceCompliantStatus value and the laptop isn't authorised correctly. The extracts below from the ISE logs show ISE polling MDM with the laptop MAC and MDM responding with OK - ISE then schedules a CoA.

 

The only way I could get the now compliant laptop to be authorised correctly was to delete it from the ISE endpoint list. When the laptop reconnected to VPN, ISE polled Intune and learnt the correct DeviceCompliantStatus as being true.

 

Has anyone come across this issue with ISE 2.6 patch 6 and Intune? I found a bug, CSCvg15776, which resembles the issue but only seems to affect ISE 2.2.

 

Thanks
Andy

 

2020-05-29 12:38:09,301 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://FEF.amsub0102.manage.microsoft.com/StatelessNacService/ciscodeviceinfo/mdm/api/devices/?paging=0&querycriteria=macaddress&value=<LAPTOP-MAC>&filter=all
2020-05-29 12:38:09,401 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2020-05-29 12:38:09,472 WARN [MdmEventHandler-69-thread-1][] ise.sxp.notification.handlers.ApicSgtChangeHandler -::::- No need to register for config change on this PSN because sxp engine not configured on this node
2020-05-29 12:38:09,473 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.scheduler.MDMCoA -::::- MDM CoA is scheduled for approximately 2000 milliseconds from now
2020-05-29 12:38:10,135 WARN [PersistentWorker-1-11-thread-1][] ise.sxp.notification.handlers.ApicSgtChangeHandler -:::Profiling:- No need to register for config change on this PSN because sxp engine not configured on this node
2020-05-29 12:38:11,481 INFO [pool-13558-thread-1][] cisco.cpm.mdm.scheduler.MDMCoA -::::- MDM CoA is triggered


andrewswanson
Level 7

Done a bit more testing with this with TRACE enabled for external MDM:

 

When an Intune device moves from Compliant to Non-Compliant status (true to false)

  • ISE detects this changed status through API call:

Response data received from the MDM server : <?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version> <paging_info>0</paging_info> <deviceList> <device> <macaddress><DEVICE-MAC></macaddress> <attributes> <register_status>false</register_status> <compliance> <status>false</status> </compliance> <pin_lock_on>false</pin_lock_on> <model>HP EliteBook 840 G5</model> <udid /> <serial_number><DEVICE-SERIAL></serial_number> <os_version>10.0.18363.778</os_version> </attributes> </device> </deviceList></ise_api>

 

  • ISE lists the device's DeviceCompliantStatus correctly as "false" and the device can be authorized correctly


When an Intune device moves from Non-Compliant to Compliant status (false to true)

 

  • ISE detects this changed status through API call:

 

Response data received from the MDM server : <?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version> <paging_info>0</paging_info> <deviceList> <device> <macaddress><DEVICE-MAC></macaddress> <attributes> <register_status>true</register_status> <compliance> <status>true</status> </compliance> <pin_lock_on>false</pin_lock_on> <model>HP EliteBook 840 G5</model> <udid /> <serial_number><DEVICE-SERIAL></serial_number> <os_version>10.0.18363.778</os_version> </attributes> </device> </deviceList></ise_api>

 

  • ISE still lists the device's DeviceCompliantStatus incorrectly as "false" and the device is not authorized correctly

 

Not sure why ISE isn't updating itself only when the compliance status changes from non-compliant to compliant. Can't open a TAC case as this is an eval ISE node - can't find a bug for this as yet.

 

Andy
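To make the mismatch Andy describes concrete, here is an added example (not code from this thread, from Cisco or from Microsoft) that parses a reply in the ise_api v2 shape quoted above and lists the endpoints whose cached DeviceCompliantStatus no longer agrees with what the MDM just returned. The MAC address, serial number and cache contents are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the ISE MDM API v2 reply shown in the
# thread; the MAC and serial are placeholders, not values from a real tenant.
MDM_RESPONSE = (
    '<?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version>'
    ' <paging_info>0</paging_info> <deviceList> <device>'
    ' <macaddress>00:11:22:33:44:55</macaddress> <attributes>'
    ' <register_status>true</register_status> <compliance> <status>true</status> </compliance>'
    ' <pin_lock_on>false</pin_lock_on> <model>HP EliteBook 840 G5</model> <udid />'
    ' <serial_number>SERIAL-PLACEHOLDER</serial_number> <os_version>10.0.18363.778</os_version>'
    ' </attributes> </device> </deviceList></ise_api>'
)

# Constructed stand-in for what ISE still holds for the endpoint: the stale
# "false" that survives the false -> true transition in the thread.
CACHED_ENDPOINTS = {"00:11:22:33:44:55": {"DeviceRegisterStatus": True,
                                          "DeviceCompliantStatus": False}}


def _text(node, path):
    """Return the stripped text of a child element, or '' if it is absent."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else ""


def parse_mdm_response(xml_text):
    """Map each device MAC to the register/compliance booleans ISE consumes."""
    root = ET.fromstring(xml_text)
    if _text(root, "api_version") != "2":
        raise ValueError("unexpected MDM API version")
    devices = {}
    for dev in root.iter("device"):
        attrs = dev.find("attributes")
        devices[_text(dev, "macaddress").upper()] = {
            "DeviceRegisterStatus": _text(attrs, "register_status") == "true",
            "DeviceCompliantStatus": _text(attrs, "compliance/status") == "true",
            "model": _text(attrs, "model"),
        }
    return devices


def stale_endpoints(cached, fresh):
    """MACs whose cached compliance disagrees with the MDM answer; these are
    the endpoints whose attributes must be refreshed before the CoA fires."""
    return sorted(mac for mac, f in fresh.items() if mac in cached
                  and cached[mac]["DeviceCompliantStatus"] != f["DeviceCompliantStatus"])


if __name__ == "__main__":
    fresh = parse_mdm_response(MDM_RESPONSE)
    print("needs refresh before CoA:", stale_endpoints(CACHED_ENDPOINTS, fresh))
```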

 

Hi Andy,

I'm having the same issues with the same setup, however my ISE Server is 2.3.

Was wondering if you had any luck progressing.

I'm about to raise a TAC case.

If I get a resolution I'll pass it back here.

Rodd

Hi Rodd

 

Not much progress. Found that ISE eventually picks up the compliance change from false to true after a period of time - not sure if this is related to the ISE MDM Polling Interval (default 240 minutes).

 

I'll hopefully get some more testing done today. If you hear anything from TAC, please update the thread.

 

Thanks
Andy

Hi Andrew,

 

Are you able to solve the issue? I am facing something quite similar, where the endpoint is compliant and after a minute it becomes non-compliant; the compliance status changes every minute. Looking at the auth logs, device compliant status=false, and sometimes it is true.

 

Is it a good idea to change the time interval for compliance from 1 minute to a longer time? Not sure if it will have any impact.

 

Polling interval is at 240 minutes.

 

Thx

Rama

I too have a similar issue. How do I enable trace logs for external MDM and get the above API call output? Kindly help!!
