ISE MDM integration with Azure/Intune

Hello,

I am trying to get our ISE 2.1 clean install to speak to our Azure/Intune App.

I have followed the following guides with no luck:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html

https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-networks

However I try and work it, I get the following error:

Connection to server failed with:

Failed to acquire auth token from Azure AD. There is a problem with the Azure certificates or ISE trust store.
Please try with different settings.

I can see on the firewall the ISE making a 443 connection out when I run the test.

ISE 2.1 has the Baltimore root CA as standard.

Has anyone got this working who can be more specific on the "self signed" ISE certificate, as there is no information on whether it needs to be "Used By" a specific function to work or not?

Also, the guides don't seem to indicate exactly what the "Token Audience" should be, and the default one cannot be resolved (https://api.manage.microsoft.com), but I am not sure if this matters.

Many thanks for any assistance.

Ash

Accepted Solutions
So I got this working in the end:

I did a packet capture and saw that Azure was responding from the following URL:

https://stamp2.login.microsoftonline.com/

 

This was using a Symantec certificate, unlike the pages the documentation states to get the certificates from (DigiCert).

The ISE needed the chain to trust it, and once I installed this it started working.

Also, as Iliass states, you need to use the default self-signed, not create a new one, or you get a thumbprint error as well.

So the documentation is not ideal, but I got there in the end.


Re: Hello Ash,

Update for others... You do use the PAN certificate for Admin role whether it's CA assigned or self-signed. Documentation is not clear on this. Wildcard certs work as well. Even though I had the CyberTrust root cert in trusted certs, I had to go to the Auto Discovery URL via web browser and get the Microsoft CA cert and add it to trusted certs (Microsoft IT TLS CA 1).

11 Replies
Hello Ashley,

I'm having the same issue; did you ever get this fixed? Here are the steps I took:

- exported the default self-signed certificate from ISE (.pem file)
- changed the ".pem" extension to ".cer"
- removed begin and end certificate in the text
- ran the PowerShell script to get thumbprint, value & keyid
- created the Azure Application with permissions for Graph and Intune (documented in the link above)
- downloaded the manifest and updated it with the cert values
- uploaded the manifest without errors

ISE already contains the Baltimore root certificate, but I get the following error when configuring MDM:

Failed to acquire auth token from Azure AD. Error validating credentials. Client assertion contains an invalid signature. [Reason - The key was not found.,

Thanks a lot for any help.

Iliass

Hi Iliass,

No luck yet, no.

I am going to set it up again and then raise a case with Microsoft to get the Azure/Intune side of it checked out as I am not convinced I have done everything I need to do there, and at least it will rule it out.

Out of interest, what do you use for the "Token Audience" on the ISE? Do you leave it as the default "https://api.manage.microsoft.com/"? I can't see that this actually resolves...

Cheers,

Ash

Hi Ash,

I use the URL "https://api.manage.microsoft.com/" as documented in the doc. As you pointed out, this doesn't resolve.

I'll do the setup again and if I find something I'll let you know.

Cheers,

Iliass

Hello Ash,

I finally managed to get it working; the network admin exported the wrong certificate from ISE. When trying to connect, I received the error:

Failed to acquire auth token from Azure AD. Error validating credentials. Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'AC33728EAE517ECCE7CE49298538F8E66F1C5CAD', Configured keys: [Key0:Start=09/21/2016, End=09/21/2017, Thumbprint=7DF7384D87FDB62123310C1DAE2A95635016513A;]] Check if either ISE certificates not being uploaded or problem with certificates already uploaded to App on Azure AD

In ISE we then checked every certificate's thumbprint to match, and there we realised we had exported the wrong one. After exporting the correct cert and importing it into Azure, the ISE config went fine. Now I have to add the second ISE server's certificate into the KeyCredentials table, as we have a cluster of 2 ISE nodes.

Hope it helps.

Kind regards,

Iliass
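As an added example (not from any poster here, and not Microsoft's script), here is the arithmetic behind Iliass's "thumbprint, value & keyid" step and the thumbprint mismatch in the error above: the manifest's customKeyIdentifier is the base64 SHA-1 over the certificate's DER bytes, and the AADSTS message prints that same SHA-1 in hex, so the cert ISE presents can be checked against the keys registered on the Azure app before retrying. The PEM body is a constructed placeholder and the error text is the one quoted in the post.

```python
import base64
import hashlib
import re
import uuid

# Constructed placeholder standing in for the DER body of the PEM that ISE exports.
# Azure's "Thumbprint" is plain SHA-1 over the DER bytes between the PEM markers,
# so a real certificate is not needed to show the derivation.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed DER placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# The AADSTS error quoted in the post above, used here as sample input.
SAMPLE_ERROR = (
    "Failed to acquire auth token from Azure AD. Error validating credentials. "
    "Client assertion contains an invalid signature. [Reason - The key was not found., "
    "Thumbprint of key used by client: 'AC33728EAE517ECCE7CE49298538F8E66F1C5CAD', "
    "Configured keys: [Key0:Start=09/21/2016, End=09/21/2017, "
    "Thumbprint=7DF7384D87FDB62123310C1DAE2A95635016513A;]]"
)


def key_credential_from_pem(pem: str) -> dict:
    """Build the keyCredentials entry for the Azure AD application manifest."""
    # Strip the BEGIN/END markers and all whitespace (same as the manual .cer edit above).
    body = re.sub(r"-----(?:BEGIN|END) CERTIFICATE-----|\s", "", pem)
    der = base64.b64decode(body)
    thumb = hashlib.sha1(der).digest()
    return {
        "customKeyIdentifier": base64.b64encode(thumb).decode(),  # base64 thumbprint
        "keyId": str(uuid.uuid4()),                                # fresh GUID per key
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode(),                   # base64 DER, no markers
        "thumbprint_hex": thumb.hex().upper(),                     # what the AADSTS error prints
    }


CLIENT_RE = re.compile(r"Thumbprint of key used by client:\s*'([0-9A-Fa-f]{40})'")
CONFIGURED_RE = re.compile(r"Thumbprint=([0-9A-Fa-f\s]+?)[;\]]")


def diagnose_error(error_text: str) -> dict:
    """Compare the cert ISE presented with the keys registered on the Azure app."""
    client = CLIENT_RE.search(error_text).group(1).upper()
    configured = [re.sub(r"\s", "", t).upper() for t in CONFIGURED_RE.findall(error_text)]
    return {"client": client, "configured": configured, "registered": client in configured}
```

If "registered" is False, the node exported or presented a different certificate than the one in the manifest, which is exactly the wrong-export case described above; a multi-node deployment needs one keyCredentials entry per node.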

That's good to hear :) I'm still trying to figure this one out.

Out of interest, did you have anything more than I have below in the Microsoft portal dashboard quick view:

Active Directory - Microsoft Azure (quick glance)

- Application type: Web application
- Publisher: Company
- URL: https://random.url.com

Application Role Assignments

- Microsoft Graph: Read directory data
- Microsoft Intune API: Get device state and compliance information from Microsoft Intune

OAuth 2.0 Permission Grants

- Microsoft Graph: Access user's data anytime; Sign users in
- Windows Azure Active Directory: Sign in and read user profile

Thanks,
Ash


Re: Hello Ash,

Hello,

Which certificate from ISE did you use?

The documentation mentioned the default self-signed. But I have a dedicated certificate for ADMIN, and I guess I need to use that one. Right?

Should I also give Azure the root and sub which validate my certificate?

Thanks.


Re: Hello Ash,

Hi,

Were all the personas on the same server? Or are you using a large network deployment?

If it is a large deployment, are you using the certificate from your PSNs or PANs?

Thanks.


Re: Hello Ash,

tmatzeu12,

Did you ever get an answer to your certificate question when using a CA assigned cert for admin? This is not clear in the documentation I have found so far. Docs found so far always say default self-signed certificate. Any help is greatly appreciated.

Re: ISE MDM integration with Azure/Intune

I know this thread is old, but we ran into the same issue... two tips that helped us:

1 - I loaded the ISE admin certs from all the nodes that would potentially become a PAN. In our case it was a public cert and root. It was no trouble adding multiples to the Azure manifest file.

2 - We had gotten stuck on the URL being graph.microsoft.net/<tenantID>. The correct one in 2019 is graph.windows.net/<tenantID>. The Microsoft support people had this wrong, but a TAC engineer suggested the change and it worked.