09-19-2018 04:55 PM
Hi all,
I haven't found any good information detailing how ISE queries SCCM when integrated as a Desktop Device Manager.
I assume that ISE uses the Windows machine hostname as the identity for the query (WMI/API?) against SCCM to request Registration/Compliance status. Is there any documentation available that defines this in more detail?
For a PEAP or EAP-TLS user auth session, is ISE still able to query SCCM for the Registration/Compliance status of the related machine (assuming native supplicant with no EAP-Chaining)?
09-19-2018 05:10 PM
09-23-2018 03:46 PM
Thanks Jason. I've seen that PPT deck, but it's still pretty vague about the WMI comms between ISE and SCCM.
I was hoping we would have something with a bit more detail on what identity ISE uses in the WMI call (similar to MDM API call using MAC Address) so I could be sure that an SCCM registration check will work on a User Auth session.
I've set up SCCM in my home lab so I'll do some testing when I have a chance and update this post with my results.
09-24-2018 09:36 AM - edited 09-24-2018 11:33 AM
I asked our SME @Nidhi to take a look
09-25-2018 08:22 AM
ISE uses a user account that is a member of the SMS admin group to query the status of endpoints.
A sample query looks like this:
select SMS_R_System.Name, SMS_G_System_CI_ComplianceState.CI_UniqueID, SMS_G_System_CI_ComplianceState.ComplianceState, SMS_G_System_CI_ComplianceState.LocalizedDisplayName, SMS_G_System_CH_ClientSummary.LastPolicyRequest
from SMS_R_System
left join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId
where (SMS_R_System.MacAddresses like '%MAC_ADDRESS%' OR SMS_G_System_NETWORK_ADAPTER.MACAddress like '%MAC_ADDRESS%') AND SMS_G_System_CI_ComplianceState.CI_UniqueID='ScopeId_5E0BA349-421B-4663-8E5F-3D2C408A3FA5/Baseline_28ff969f-cc82-4246-a15d-214d1489b076'
I am also in the process of documenting the details for the MDM flow, which should be available in a few days.
Thanks,
Nidhi
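The query above keys on the endpoint MAC address rather than on a hostname or user, so you can reproduce what ISE sees for one endpoint from any management host that can reach the SMS Provider. The script below is an added example, not code from the thread or from Cisco; the site server, site code, baseline CI_UniqueID and MAC are placeholders for your own site, and it assumes the SMS Provider returns join results as nested per-class properties (e.g. $r.SMS_R_System.Name).

```powershell
<#
 Added example, not from the thread: run the WQL query Nidhi posted against the
 SMS Provider yourself to see the raw answer ISE would get for one endpoint.
 Placeholders (not from the thread): site server, site code, baseline ID, MAC.
#>
param(
    [Parameter(Mandatory)][string]$SiteServer,   # SMS Provider host, e.g. sccm01.lab.example
    [Parameter(Mandatory)][string]$SiteCode,     # e.g. PS1
    [Parameter(Mandatory)][string]$MacAddress,   # endpoint MAC in any common notation
    [Parameter(Mandatory)][string]$BaselineId,   # 'ScopeId_.../Baseline_...' of your baseline
    [pscredential]$Credential                    # member of SMS Admins; use a dedicated read-only account
)

# SCCM records MACs as colon-separated uppercase pairs and the thread's query drops
# the MAC into a LIKE pattern, so normalise the input to that form first.
$hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hex.Length -ne 12) { throw "Not a MAC address: $MacAddress" }
$mac = $hex -replace '(..)(?!$)', '${1}:'

# The query from the thread with %MAC_ADDRESS% and the baseline CI_UniqueID filled in.
$query = @"
select SMS_R_System.Name, SMS_G_System_CI_ComplianceState.CI_UniqueID,
       SMS_G_System_CI_ComplianceState.ComplianceState,
       SMS_G_System_CI_ComplianceState.LocalizedDisplayName,
       SMS_G_System_CH_ClientSummary.LastPolicyRequest
from SMS_R_System
left join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
left join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId
where (SMS_R_System.MacAddresses like '%$mac%' or SMS_G_System_NETWORK_ADAPTER.MACAddress like '%$mac%')
  and SMS_G_System_CI_ComplianceState.CI_UniqueID = '$BaselineId'
"@

# Joins are resolved by the SMS Provider, so target its namespace on the site server.
$wmi = @{ ComputerName = $SiteServer; Namespace = "root\sms\site_$SiteCode"; Query = $query }
if ($Credential) { $wmi.Credential = $Credential }
$rows = @(Get-WmiObject @wmi)

if ($rows.Count -eq 0) {
    # Either no SMS_R_System record carries this MAC, or the record has no
    # compliance-state row for this baseline; the query cannot tell the two apart.
    Write-Warning "No record for MAC $mac with a compliance state for baseline $BaselineId"
    return
}
foreach ($r in $rows) {
    # Assumption: join results expose each joined class as a nested property.
    [pscustomobject]@{
        Name              = $r.SMS_R_System.Name
        ComplianceState   = $r.SMS_G_System_CI_ComplianceState.ComplianceState
        Baseline          = $r.SMS_G_System_CI_ComplianceState.LocalizedDisplayName
        LastPolicyRequest = $r.SMS_G_System_CH_ClientSummary.LastPolicyRequest
    }
}
```

An empty result for a MAC you know is in SCCM is the first thing to check when ISE reports a device as not registered, since the same LIKE match on MAC is what the query depends on.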
09-25-2018 02:45 PM
Thanks @Nidhi and @Jason Kunst.
If you can also include information on what constitutes a 'MDM.DeviceRegisterStatus=true' response from SCCM, that would be helpful.
In my home lab, I've performed a manual device discovery in SCCM for my test PC which includes the MAC Address but I still appear to be getting a 'MDM.DeviceRegisterStatus=false' response from SCCM. I don't currently have the SCCM Client deployed to the PC, but I'm not sure if that's required.
I would like to get some of this sorted out prior to trying to set up a PoC in my customer's environment.
10-09-2018 06:37 PM
Just to close the loop on this, I was able to get this working in my lab with the following caveats/observations.
10-09-2018 09:30 PM
Glad it worked !
Thanks
08-11-2020 06:58 AM
Hi Greg,
Thanks for your information. Could you please help with my doubt?
For SCCM/MDM, do I check the rules before or after the AnyConnect posture? For example:
If registered and Compliance with MDM/SCCM and Posture NOT_EQUALS=Compliance, redirect to install the client and the remediation portal.
If registered and Compliance with MDM/SCCM and Posture EQUALS=Compliance, permit the access. Is this the correct configuration?
08-11-2020 05:03 PM
ISE gets the MDM/DDM and ISE Posture information from two different sources. The MDM/DDM check is a real-time check against that system when the session hits that AuthZ rule. The ISE Posture check happens with the same logic (unless you have the Posture lease enabled).
That said, I don't believe the combination of both MDM/DDM and ISE Posture has been tested, so I don't know if you will run into any order-of-operations or race condition issues with the MDM/DDM check and URL redirection.
IMHO, the MDM/DDM Compliance would likely provide similar if not more granular and centrally managed functionality than the ISE Posture Compliance checks, so I'm not sure what the value in using both would be.
If you decide to use both, I would highly suggest extensive testing in a non-Production followed by a Production Pilot environment prior to rolling it out to the wider Prod environment.
01-06-2021 11:00 AM
Thanks Greg.