Contributor

ISE and Intune - ISE not picking up Intune compliance change

Hi


I'm working on an ISE 2.6 patch 6 and MS Intune MDM integration for use with Anyconnect VPN clients.

 

I've successfully tested the ISE/Intune integration to poll Intune to retrieve the device compliant status which is used in ISE authorization policy.

 

When I connected a laptop that was non-compliant, the ISE RADIUS logs showed the attributes below and the laptop was correctly authorised as a non-compliant device.

 

MDMServerReachable true
DeviceRegisterStatus true
DeviceCompliantStatus false

 

The problem I'm having is that when the laptop's compliance status changes to compliant, ISE seems to cache the previous DeviceCompliantStatus value and the laptop isn't authorised correctly. The extracts below from the ISE logs show ISE polling MDM with the laptop MAC; MDM responds with OK, and ISE then schedules a CoA.

 

The only way I could get the now compliant laptop to be authorised correctly was to delete it from the ISE endpoint list. When the laptop reconnected to VPN, ISE polled Intune and learnt the correct DeviceCompliantStatus as being true.

 

Has anyone come across this issue with ISE 2.6 patch 6 and Intune? I found bug CSCvg15776, which resembles the issue but only seems to affect ISE 2.2.

 

Thanks
Andy

 

2020-05-29 12:38:09,301 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.util.MdmRESTClient -::::- GET: MDM Server URL: https://FEF.amsub0102.manage.microsoft.com/StatelessNacService/ciscodeviceinfo/mdm/api/devices/?paging=0&querycriteria=macaddress&value=<LAPTOP-MAC>&filter=all
2020-05-29 12:38:09,401 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.util.MdmRESTClient -::::- MDM Server Response Code: 200
2020-05-29 12:38:09,472 WARN [MdmEventHandler-69-thread-1][] ise.sxp.notification.handlers.ApicSgtChangeHandler -::::- No need to register for config change on this PSN because sxp engine not configured on this node
2020-05-29 12:38:09,473 INFO [MdmEventHandler-69-thread-1][] cisco.cpm.mdm.scheduler.MDMCoA -::::- MDM CoA is scheduled for approximately 2000 milliseconds from now
2020-05-29 12:38:10,135 WARN [PersistentWorker-1-11-thread-1][] ise.sxp.notification.handlers.ApicSgtChangeHandler -:::Profiling:- No need to register for config change on this PSN because sxp engine not configured on this node
2020-05-29 12:38:11,481 INFO [pool-13558-thread-1][] cisco.cpm.mdm.scheduler.MDMCoA -::::- MDM CoA is triggered

3 REPLIES
Contributor

Re: ISE and Intune - ISE not picking up Intune compliance change

I've done a bit more testing on this with TRACE enabled for external MDM:

 

When an Intune device moves from Compliant to Non-Compliant status (true to false)

  • ISE detects this changed status through API call:

Response data received from the MDM server : <?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version> <paging_info>0</paging_info> <deviceList> <device> <macaddress><DEVICE-MAC></macaddress> <attributes> <register_status>false</register_status> <compliance> <status>false</status> </compliance> <pin_lock_on>false</pin_lock_on> <model>HP EliteBook 840 G5</model> <udid /> <serial_number><DEVICE-SERIAL></serial_number> <os_version>10.0.18363.778</os_version> </attributes> </device> </deviceList></ise_api>

 

  • ISE lists the device's DeviceCompliantStatus correctly as "false" and the device can be authorized correctly


When an Intune device moves from Non-Compliant to Compliant status (false to true)

 

  • ISE detects this changed status through API call:

 

Response data received from the MDM server : <?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version> <paging_info>0</paging_info> <deviceList> <device> <macaddress><DEVICE-MAC></macaddress> <attributes> <register_status>true</register_status> <compliance> <status>true</status> </compliance> <pin_lock_on>false</pin_lock_on> <model>HP EliteBook 840 G5</model> <udid /> <serial_number><DEVICE-SERIAL></serial_number> <os_version>10.0.18363.778</os_version> </attributes> </device> </deviceList></ise_api>

 

  • ISE still lists the device's DeviceCompliantStatus incorrectly as "false" and the device is not authorized correctly

 

Not sure why ISE isn't updating itself only when the compliance status changes from non-compliant to compliant. Can't open a TAC case as this is an eval ISE node, and I can't find a bug for this as yet.

 

Andy
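As an added illustration (not code from the thread or from Cisco), here is a small Python check that parses the ise_api v2 response shown above and compares it with a local copy of the endpoint's cached compliance attributes, applying transitions in both directions. The sample XML, MAC, model and serial values are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the ise_api v2 response quoted in the thread;
# the MAC, model and serial values are made up for this example.
SAMPLE_RESPONSE = """<?xml version="1.0"?><ise_api> <name>attributes</name> <api_version>2</api_version>
<paging_info>0</paging_info> <deviceList> <device> <macaddress>00:11:22:33:44:55</macaddress>
<attributes> <register_status>true</register_status> <compliance> <status>true</status> </compliance>
<pin_lock_on>false</pin_lock_on> <model>EXAMPLE-MODEL</model> <udid /> <serial_number>EXAMPLE-SERIAL</serial_number>
<os_version>10.0.18363.778</os_version> </attributes> </device> </deviceList></ise_api>"""


def _flag(node, path):
    """Read a true/false element under node; a missing element counts as false."""
    el = node.find(path)
    return el is not None and (el.text or "").strip().lower() == "true"


def parse_mdm_response(xml_text):
    """Return {mac: {"registered": bool, "compliant": bool}} from an ise_api v2 response."""
    root = ET.fromstring(xml_text)
    if root.tag != "ise_api" or (root.findtext("api_version") or "").strip() != "2":
        raise ValueError("unexpected MDM response format")
    devices = {}
    for dev in root.iter("device"):
        mac = (dev.findtext("macaddress") or "").strip().lower()
        attrs = dev.find("attributes")
        if not mac or attrs is None:
            continue
        devices[mac] = {
            "registered": _flag(attrs, "register_status"),
            "compliant": _flag(attrs, "compliance/status"),
        }
    return devices


def find_stale_entries(cache, devices):
    """MACs whose cached compliance disagrees with the latest MDM answer (the symptom in this thread)."""
    return sorted(mac for mac, new in devices.items()
                  if mac in cache and cache[mac]["compliant"] != new["compliant"])


def reconcile(cache, devices):
    """Apply every MDM result to the cache, false->true included, and return the transitions made."""
    transitions = []
    for mac, new in devices.items():
        old = cache.get(mac)
        if old != new:
            transitions.append((mac, old, dict(new)))
            cache[mac] = dict(new)
    return transitions
```

Running find_stale_entries against a periodic poll of the MDM API (or the attributes in ISE's endpoint view) gives an independent check that a false-to-true change has actually been applied rather than waiting for the next polling interval.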

 

Beginner

Re: ISE and Intune - ISE not picking up Intune compliance change

Hi Andy,

I'm having the same issues with the same setup; however, my ISE server is 2.3.

Was wondering if you had any luck progressing.

I'm about to raise a TAC case.

If I get a resolution I'll pass it back here.

Rodd

Contributor

Re: ISE and Intune - ISE not picking up Intune compliance change

Hi Rodd

 

Not much progress. Found that ISE eventually picks up the compliance change from false to true after a period of time - not sure if this is related to the ISE MDM Polling Interval (default 240 minutes).

 

I'll hopefully get some more testing done today. If you hear anything from TAC, please update the thread.

 

Thanks
Andy