ISE2.0 and MDM periodic Compliance Check not working

mverbon
Level 1

Hi all,

I have configured ISE2.0 with External MDM using Meraki.

It seems that the periodic Compliance Check towards the MDM Server is not working.

For testing purposes I have configured the External MDM setting Polling Interval to 5 minutes.

The device is connected to the Wireless Network, status compliant.

Then I change something on the device, and the MDM (Meraki Systems Manager) changes the status for this device to NON compliant.

However, on ISE nothing is happening with regard to the periodic compliance check to the MDM server: no check -> no CoA.

To be sure, I have waited for about 20 minutes, nothing happened.

Only when I edit the MDM server and hit Test Connection is the compliance status refreshed from the MDM server.

And almost at the same moment I see that ISE performs a CoA for the device, placing it in a restricted state with a new ACL and activating the MDM Portal URL.

Anyone seen this behavior?

I searched for bugs and it looks only a little bit like bug ID CSCuq71479, but I think it is not the same behavior I see.

Thanks and best regards,

Martin

3 Replies

Timothy Abbott
Cisco Employee

Martin,

I'm curious what the outcome would be if you tried the following:

1. Connect the device to the network while it's compliant (access should be granted).

2. Disconnect the device from the network.

3. Modify the device so it is no longer compliant. (verify in Meraki)

4. Attempt to reconnect the device to the network while non-compliant.

What are the results? Does the device gain compliant-level network access or does it gain non-compliant network access?

Regards,

-Tim

Hi Tim,

Thanks for the reply.

I did it the other way around, because after my previous test the device was still NON Compliant.

So, with the device NON Compliant, I connected the device to wireless.

ISE directly detects that it is NON Compliant, so I think ISE communicates with the MDM on connect to the wireless.

I changed the status on the device while connected to get it Compliant.

Meraki SM detected this, and after a couple of minutes ISE performed a CoA placing the device in the correct network.

This is how it should work !!

OK. With the device Compliant, I changed the status of the device again to make it NON Compliant.

Meraki SM detected this and changed the status on the dashboard to NON Compliant.

I waited longer than 5 minutes, about 15, and again nothing happened on ISE to check the status on the MDM server.

So ISE is thinking the device is still Compliant.

This is not how it should work !!

Now in this state, in which the device is NON Compliant and ISE thinks it is Compliant, I performed your suggestion: I disconnected and reconnected to the wireless.

On reconnect, ISE asks for the compliance status directly from the Meraki MDM server.

And ISE states that the device is NON Compliant.

Strange behavior !!!

Best regards,

Martin

Martin,

Thanks for testing that out.  The good news is that while this isn't what you were expecting to happen, most mobile devices do not stay connected continuously.  Common mobile device usage shows individuals using their device for a while and then locking it.  The device usually goes to sleep and disconnects from the network.  When it is woken by the user, it will re-authenticate.  This is when ISE would recheck for compliance in this scenario.  That being said, it still sounds to me like there is an issue with MDM polling.  If possible, would you be able to open a TAC case in the event it is a defect?

Regards,

-Tim
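The thread describes two distinct points at which a NAC queries the MDM: on (re)authentication, which worked in Martin's tests, and on the periodic poll, which did not fire. The following Python model is an added example and is not ISE, Meraki or Cisco code; the class names (MdmStub, Nac), the method names and the MAC address are all constructed for illustration, and the MDM lookup is an in-memory stub rather than a real API call. run_scenario(True) replays Martin's sequence with a working periodic poll and shows the two CoAs he expected; run_scenario(False) models a poll that never fires, so ISE's view of the device goes stale until the device reconnects and the connect-time check corrects it.

```python
"""Model of connect-time vs. periodic MDM compliance checks (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Status = str  # "compliant" or "non-compliant"


class MdmStub:
    """Constructed stand-in for the MDM server's compliance lookup (hypothetical)."""

    def __init__(self) -> None:
        self._status: Dict[str, Status] = {}
        self.queries = 0  # how many times the NAC asked us

    def set_status(self, mac: str, status: Status) -> None:
        # Models an admin/user change being picked up by the MDM dashboard.
        self._status[mac] = status

    def compliance(self, mac: str) -> Status:
        self.queries += 1
        return self._status.get(mac, "non-compliant")


@dataclass
class Session:
    mac: str
    status: Status        # the NAC's current view of the device
    last_checked: float   # seconds; when the MDM was last queried for it


@dataclass
class Nac:
    mdm: MdmStub
    poll_interval: float             # seconds; the thread used 5 minutes
    periodic_polling: bool = True    # False models the behaviour Martin observed
    sessions: Dict[str, Session] = field(default_factory=dict)
    coa_log: List[Tuple[float, str, Status]] = field(default_factory=list)

    def connect(self, mac: str, now: float) -> Status:
        # Connect-time check: the MDM is always queried on (re)authentication.
        status = self.mdm.compliance(mac)
        self.sessions[mac] = Session(mac, status, now)
        return status

    def disconnect(self, mac: str) -> None:
        self.sessions.pop(mac, None)

    def tick(self, now: float) -> List[str]:
        """Periodic check: re-query MDM for sessions older than poll_interval, CoA on change."""
        if not self.periodic_polling:
            return []  # the poll never runs, so the session view never refreshes
        changed = []
        for s in self.sessions.values():
            if now - s.last_checked < self.poll_interval:
                continue
            new = self.mdm.compliance(s.mac)
            s.last_checked = now
            if new != s.status:
                s.status = new
                self.coa_log.append((now, s.mac, new))  # CoA would be sent here
                changed.append(s.mac)
        return changed


def run_scenario(periodic_polling: bool) -> Dict[str, object]:
    """Replay Martin's test sequence; return the NAC's view of the device at each step."""
    mdm = MdmStub()
    nac = Nac(mdm, poll_interval=300, periodic_polling=periodic_polling)
    mac = "00:11:22:33:44:55"  # constructed sample device
    result: Dict[str, object] = {}

    mdm.set_status(mac, "non-compliant")
    result["connect_noncompliant"] = nac.connect(mac, now=0)

    mdm.set_status(mac, "compliant")          # fix applied on the device, MDM updates
    for t in range(60, 900, 60):              # ~15 minutes of wall clock
        nac.tick(t)
    result["after_fix_and_wait"] = nac.sessions[mac].status

    mdm.set_status(mac, "non-compliant")      # compliance broken again while connected
    for t in range(960, 1800, 60):
        nac.tick(t)
    result["after_break_and_wait"] = nac.sessions[mac].status

    nac.disconnect(mac)                       # device sleeps / reconnects
    result["after_reconnect"] = nac.connect(mac, now=1800)
    result["coa_count"] = len(nac.coa_log)
    result["mdm_queries"] = mdm.queries
    return result


if __name__ == "__main__":
    print("polling works :", run_scenario(True))
    print("polling broken:", run_scenario(False))
```

The point of the comparison is the "after_break_and_wait" value: with the poll working it flips to non-compliant within one interval and a CoA is logged, while with the poll broken the NAC keeps reporting "compliant" from the last connect until the device re-authenticates, which is exactly the window Martin saw and the reason Tim suggests a TAC case rather than relying on reconnects.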