06-11-2024 02:19 AM - edited 06-11-2024 03:27 AM
Hey all,
I had a discussion about the ISE Intune querying behavior when hitting an authorization policy where there is no MDM condition/attribute defined. I do believe it does not do the query as it's not configured in the identity source sequence as a join point.
Am I correct in the examples provided below?
Policy conditions:
Top Policy:
    Wireless_802.1X AND
    Radius·Called-Station-ID CONTAINS MDM_SSID AND
    MDM·MDMServerName EQUALS Intune_Dummy_server AND
    MDM·DeviceCompliantStatus EQUALS Compliant
In this case Intune_Dummy_server is queried.
Below top policy:
    Wireless_802.1X AND
    Radius·Called-Station-ID CONTAINS AD_SSID AND
    Network Access·EapAuthentication EQUALS EAP-TLS AND
    Dummy-AD·ExternalGroups EQUALS Dummy.domain/Users/Domain Users
In this case Intune_Dummy_server is NOT queried.
Many thanks!
06-11-2024 03:14 PM
An Identity Source Sequence is queried during the Authentication process, which is separate from the External MDM lookup that happens during the Authorization process.
ISE will perform an MDM lookup during the Authorization process if any of the MDM dictionary attributes are defined as a matching condition in the Authorization Policy that is evaluated.
If you only have a single External MDM defined, it is not required to use the 'MDMServerName' attribute. That is mainly needed when you have multiple MDMs in use to inform ISE which MDM it should perform the lookup on.
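To make the distinction in the accepted answer concrete, here is a small Python model of an authorization policy engine. It is an added example, not Cisco ISE code: rules are evaluated top-down with first match winning, and the MDM dictionary is populated lazily, only when a condition from it is actually reached. The rule set mirrors the two rules in the question; the Wireless_802.1X compound condition is left out, the session dictionaries, the MAC addresses, the `intune_dummy_lookup` stand-in for Intune_Dummy_server and the `MDM_Access`/`AD_Access`/`DenyAccess` result names are all constructed, and left-to-right short-circuit evaluation of ANDed conditions is an assumption of the model, not something the thread states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One attribute condition, written dictionary·attribute operator value
    as in the ISE policy editor."""
    dictionary: str
    attribute: str
    operator: str  # "EQUALS" or "CONTAINS"
    value: str

    def matches(self, actual):
        if actual is None:          # attribute absent from the session
            return False
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "CONTAINS":
            return self.value in actual
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple   # ANDed together
    result: str         # authorization profile name (constructed)


# Constructed rule set mirroring the two rules in the question; the
# Wireless_802.1X compound condition is left out for brevity.
RULES = (
    Rule("Top Policy", (
        Condition("Radius", "Called-Station-ID", "CONTAINS", "MDM_SSID"),
        Condition("MDM", "MDMServerName", "EQUALS", "Intune_Dummy_server"),
        Condition("MDM", "DeviceCompliantStatus", "EQUALS", "Compliant"),
    ), "MDM_Access"),
    Rule("Below Top Policy", (
        Condition("Radius", "Called-Station-ID", "CONTAINS", "AD_SSID"),
        Condition("Network Access", "EapAuthentication", "EQUALS", "EAP-TLS"),
        Condition("Dummy-AD", "ExternalGroups", "EQUALS",
                  "Dummy.domain/Users/Domain Users"),
    ), "AD_Access"),
)

# Constructed stand-in for Intune_Dummy_server: MAC -> compliance state.
MDM_COMPLIANCE = {"aa:bb:cc:00:00:01": "Compliant"}


def intune_dummy_lookup(mac):
    """Simulated external MDM query (hypothetical; real ISE calls the MDM API)."""
    return {
        "MDMServerName": "Intune_Dummy_server",
        "DeviceCompliantStatus": MDM_COMPLIANCE.get(mac, "NonCompliant"),
    }


def evaluate(rules, session, mdm_lookup):
    """Top-down, first-match evaluation. Returns (result, mdm_queried).

    The MDM dictionary is fetched lazily, the first time a condition from it
    is actually reached; a failing condition earlier in the same rule
    short-circuits the rule so no lookup happens (modelled assumption)."""
    mdm_attrs = None
    for rule in rules:
        for cond in rule.conditions:
            if cond.dictionary == "MDM":
                if mdm_attrs is None:
                    mdm_attrs = mdm_lookup(session["mac"])
                actual = mdm_attrs.get(cond.attribute)
            else:
                actual = session.get(cond.dictionary, {}).get(cond.attribute)
            if not cond.matches(actual):
                break
        else:
            return rule.result, mdm_attrs is not None
    return "DenyAccess", mdm_attrs is not None


# Constructed sessions; Called-Station-ID carries the SSID after the AP MAC.
SESSIONS = {
    "mdm_compliant": {
        "mac": "aa:bb:cc:00:00:01",
        "Radius": {"Called-Station-ID": "00-11-22-33-44-55:MDM_SSID"},
    },
    "mdm_noncompliant": {
        "mac": "aa:bb:cc:00:00:02",
        "Radius": {"Called-Station-ID": "00-11-22-33-44-55:MDM_SSID"},
    },
    "ad_user": {
        "mac": "aa:bb:cc:00:00:03",
        "Radius": {"Called-Station-ID": "00-11-22-33-44-55:AD_SSID"},
        "Network Access": {"EapAuthentication": "EAP-TLS"},
        "Dummy-AD": {"ExternalGroups": "Dummy.domain/Users/Domain Users"},
    },
}


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        result, queried = evaluate(RULES, session, intune_dummy_lookup)
        print(f"{name:17s} -> {result:10s} MDM queried: {queried}")
```

Running it shows the three cases a practitioner cares about: the compliant device on MDM_SSID matches the top rule and triggers exactly one lookup; the AD_SSID user fails the top rule on Called-Station-ID before any MDM attribute is reached, so no lookup is made; and a non-compliant device on MDM_SSID still triggers the lookup (the MDM attribute is evaluated) but matches neither rule. Under the model's lazy-fetch assumption, the order of conditions within a rule therefore determines whether the MDM is consulted at all.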
06-12-2024 10:31 AM
Hi Greg,
Awesome, thanks for confirming my suspicion.
I've added the MDMServerName as an example from an environment in which there is a Production MDM and an Acceptance MDM.
Flagged as solution!
Many thanks.