ISE Intune querying behavior.

Michaelkarper
Level 1

Hey all, 

I had a discussion about the ISE Intune querying behavior when hitting an authorization policy where there is no MDM condition/attribute defined. I do believe it does not do the query as it's not configured in the identity source sequence as a join point.

Am I correct in the examples provided below?

Policy conditions:

Top policy:
    Wireless_802.1X AND
    Radius·Called-Station-ID CONTAINS MDM_SSID AND
    MDM·MDMServerName EQUALS Intune_Dummy_server AND
    MDM·DeviceCompliantStatus EQUALS Compliant

In this case Intune_Dummy_server is queried.

Policy below the top policy:
    Wireless_802.1X AND
    Radius·Called-Station-ID CONTAINS AD_SSID AND
    Network Access·EapAuthentication EQUALS EAP-TLS AND
    Dummy-AD·ExternalGroups EQUALS Dummy.domain/Users/Domain Users

In this case Intune_Dummy_server is NOT queried.

Many thanks!

Accepted Solution

Greg Gibbs
Cisco Employee

An Identity Source Sequence is queried during the Authentication process, which is separate from the External MDM lookup that happens during the Authorization process.

ISE will perform an MDM lookup during the Authorization process if any of the MDM dictionary attributes are defined as a matching condition in the Authorization Policy that is evaluated.
If you only have a single External MDM defined, it is not required to use the 'MDMServerName' attribute. That is mainly needed when you have multiple MDMs in use to inform ISE which MDM it should perform the lookup on.

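As an added illustration (not code from this thread or from Cisco ISE), the following Python model of a top-down, first-match authorization policy makes Greg's two points concrete: the external MDM is contacted only while a rule that references the MDM dictionary is being evaluated, and MDMServerName is only needed to choose between several MDMs. It reuses the placeholder names from the question (MDM_SSID, AD_SSID, Intune_Dummy_server, Dummy.domain) with constructed sessions; the FakeMdm class, the "Dictionary·Attribute" session keys, the NAS-Port-Type check standing in for the Wireless_802.1X compound condition, and the left-to-right short-circuit evaluation of conditions are modelling assumptions, not ISE internals.

```python
# Added example (not from the thread or from Cisco ISE): a toy first-match
# authorization evaluator that queries an external MDM only while a rule
# whose conditions use the MDM dictionary is being evaluated.
from collections import namedtuple

# dictionary/attribute/operator/value, mirroring one ISE condition row
Condition = namedtuple("Condition", "dictionary attribute operator value")

# Simplification standing in for the built-in Wireless_802.1X compound condition.
WIRELESS = Condition("Radius", "NAS-Port-Type", "EQUALS", "Wireless - IEEE 802.11")


class FakeMdm:
    """Stand-in for an external MDM (e.g. Intune); counts lookups made against it."""

    def __init__(self, name, compliant_macs=()):
        self.name = name
        self.compliant_macs = set(compliant_macs)
        self.queries = 0

    def lookup(self, mac):
        self.queries += 1
        status = "Compliant" if mac in self.compliant_macs else "NonCompliant"
        return {"MDMServerName": self.name, "DeviceCompliantStatus": status}


class PolicyEngine:
    def __init__(self, rules, mdm_servers):
        self.rules = rules                            # [(name, [Condition, ...])], top-down
        self.mdms = {m.name: m for m in mdm_servers}

    def _select_mdm(self, conditions):
        """MDMServerName picks the server to query; with a single MDM it is optional."""
        named = [c.value for c in conditions
                 if c.dictionary == "MDM" and c.attribute == "MDMServerName"]
        if named:
            return self.mdms[named[0]]
        if len(self.mdms) == 1:
            return next(iter(self.mdms.values()))
        raise ValueError("several MDMs defined: the rule must set MDM·MDMServerName")

    @staticmethod
    def _compare(actual, operator, expected):
        if actual is None:
            return False
        if operator == "EQUALS":
            return actual == expected
        if operator == "CONTAINS":
            return expected in actual
        raise ValueError(operator)

    def evaluate(self, session):
        """Return the name of the first rule whose conditions all match."""
        for name, conditions in self.rules:
            mdm_attrs = None   # filled lazily: no MDM call unless a condition needs it
            for c in conditions:
                if c.dictionary == "MDM":
                    if mdm_attrs is None:
                        mdm_attrs = self._select_mdm(conditions).lookup(session["mac"])
                    actual = mdm_attrs.get(c.attribute)
                else:
                    actual = session.get(f"{c.dictionary}·{c.attribute}")
                if not self._compare(actual, c.operator, c.value):
                    break                              # short-circuit, try the next rule
            else:
                return name
        return "Default"


# The two rules from the question, in the order the question gives them.
RULES = [
    ("MDM_Compliant", [
        WIRELESS,
        Condition("Radius", "Called-Station-ID", "CONTAINS", "MDM_SSID"),
        Condition("MDM", "MDMServerName", "EQUALS", "Intune_Dummy_server"),
        Condition("MDM", "DeviceCompliantStatus", "EQUALS", "Compliant"),
    ]),
    ("AD_Users", [
        WIRELESS,
        Condition("Radius", "Called-Station-ID", "CONTAINS", "AD_SSID"),
        Condition("Network Access", "EapAuthentication", "EQUALS", "EAP-TLS"),
        Condition("Dummy-AD", "ExternalGroups", "EQUALS", "Dummy.domain/Users/Domain Users"),
    ]),
]


def session(mac, ssid, extra=None):
    """Constructed RADIUS session attributes for a wireless client."""
    attrs = {"mac": mac,
             "Radius·NAS-Port-Type": "Wireless - IEEE 802.11",
             "Radius·Called-Station-ID": f"00-11-22-33-44-55:{ssid}"}
    attrs.update(extra or {})
    return attrs


def demo():
    """Evaluate three constructed sessions; return (matched rule, MDM queries so far)."""
    intune = FakeMdm("Intune_Dummy_server", compliant_macs={"aa:bb:cc:00:00:01"})
    engine = PolicyEngine(RULES, [intune])
    sessions = (
        session("aa:bb:cc:00:00:01", "MDM_SSID"),             # enrolled, compliant
        session("aa:bb:cc:00:00:02", "AD_SSID",
                {"Network Access·EapAuthentication": "EAP-TLS",
                 "Dummy-AD·ExternalGroups": "Dummy.domain/Users/Domain Users"}),
        session("aa:bb:cc:00:00:03", "MDM_SSID"),             # not enrolled in the MDM
    )
    return [(engine.evaluate(s), intune.queries) for s in sessions]


if __name__ == "__main__":
    for rule, queries in demo():
        print(f"{rule:15s} MDM queries so far: {queries}")
```

The AD_SSID client never triggers a lookup because the top rule's Called-Station-ID condition fails before any MDM attribute is needed, whereas the unenrolled MDM_SSID client costs one MDM query and still falls through to Default. Rule order and the non-MDM conditions placed before the MDM ones therefore decide how often ISE calls out to Intune, which is worth keeping in mind when sizing MDM API load.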

2 Replies

Michaelkarper
Level 1

Hi Greg,

Awesome, thanks for confirming my suspicion. 
I've added the MDMServerName as an example from an environment in which there is a Production MDM and an Acceptance MDM.

Flagged as solution!

Many thanks.