MDM endpoint attributes cached in ISE for loss of connectivity?

Greg Gibbs
Cisco Employee

Hi TME team,

Does ISE cache endpoint attributes related to MDM checks (like MDM.DeviceRegisterStatus) in the event that the MDM server becomes unreachable? If so, how long are they cached?

I'm doing some customer testing with SCCM and ISE 2.2 p9 and getting some inconsistent behaviour, so I need to know what the expected behaviour is for this scenario.

Do we have any validated best practices for design or policy configuration (e.g. using the 'MDM.ServerReachable' condition match) to mitigate endpoint authZ issues in the event that connectivity is lost to the MDM server?

1 Accepted Solution

Hello Greg,

It does look like it is getting saved in cache. You might be hitting CSCvn70558 "MDMServerReachable does not work for SCCM MDM again". This issue was observed internally as well. There was a fix done for the caching issue for MDM. I suggest 2 things here:

1. Raise a TAC case so that they can suggest the right patch to you.

2. Include MDMServerReachable also in your policy.

Thanks,

Nidhi
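As an added illustration for this thread (not Cisco code and not from any of the posts above), a small Python model of how a stale MDM attribute cache interacts with a first-match authorization policy, with and without an MDM.ServerReachable guard rule. The attribute names follow the ISE MDM dictionary; the cache behaviour, the rule and profile names, and the MAC address are assumptions made for the demo, and `cache_reachability=True` models the behaviour Greg describes where ServerReachable stays "Reachable" after the server is cut off.

```python
from dataclasses import dataclass, field


@dataclass
class MdmLookup:
    """Simulates a PSN resolving MDM attributes for an endpoint MAC (assumed model)."""
    server_up: bool = True
    cache_reachability: bool = False   # True models the stale ServerReachable seen in the thread
    cache: dict = field(default_factory=dict)

    def attributes(self, mac: str) -> dict:
        if self.server_up:
            # Constructed reply from the 'MDM server' (SCCM) for this demo.
            self.cache[mac] = {"MDM.DeviceRegisterStatus": "Registered",
                               "MDM.DeviceCompliantStatus": "Compliant",
                               "MDM.ServerReachable": "Reachable"}
            return dict(self.cache[mac])
        attrs = dict(self.cache.get(mac, {}))          # stale registration/compliance data
        if not self.cache_reachability:
            attrs["MDM.ServerReachable"] = "Unreachable"  # reachability from a live check
        return attrs


def authorize(attrs: dict, require_reachable: bool) -> str:
    """First-match authorization rules; returns the matched authorization profile name."""
    if require_reachable and attrs.get("MDM.ServerReachable") != "Reachable":
        return "MDM_Unavailable"      # fail-closed rule ordered before the permit rule
    if (attrs.get("MDM.DeviceRegisterStatus") == "Registered"
            and attrs.get("MDM.DeviceCompliantStatus") == "Compliant"):
        return "PermitAccess"
    return "MDM_Redirect"             # unregistered or non-compliant: onboarding/remediation


def scenario(require_reachable: bool, cache_reachability: bool) -> list:
    """Authorize once with SCCM up, then again after connectivity to SCCM is lost."""
    mdm = MdmLookup(cache_reachability=cache_reachability)
    mac = "00:11:22:33:44:55"        # constructed endpoint address
    before = authorize(mdm.attributes(mac), require_reachable)
    mdm.server_up = False
    after = authorize(mdm.attributes(mac), require_reachable)
    return [before, after]


if __name__ == "__main__":
    print("no guard, live reachability :", scenario(False, False))
    print("guard, live reachability    :", scenario(True, False))
    print("guard, cached reachability  :", scenario(True, True))
```

The third scenario is the one that makes the guard rule ineffective: when the reachability attribute itself is served from cache, the policy cannot distinguish an outage from a healthy MDM server, which is why a patch is needed in addition to the policy change.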

4 Replies

ma.alsaffar
Level 1

Hi,

Don't know if the following document will help or not, but I consider it a best practice and it has all the info needed for the integration:
https://cisco-marketing.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/71727-102-1-139077/How%20to%20Integrate%20Microsoft%20SCCM%20with%20ISE%202.1.pptx.pdf

Timothy Abbott
Cisco Employee

We have an MDM Deployment Guide that outlines best practices for integration of SCCM and ISE. As to whether or not ISE caches MDM attributes, I don't believe it does, because ISE relies on SCCM to be the single source of truth when it needs compliance information for an endpoint tied to SCCM.

Regards,

-Tim

Thanks Tim. That would have been my expectation as well, but that's not what I've found in my testing.

I created some Monitor Only rules to track the attributes for ServerReachable and DeviceRegister more easily in the logs. I tested both before and after blocking network connectivity from the ISE nodes to the SCCM server and found the following:

Before blocking SCCM:

[screenshot: sccm-reachable.png]

After blocking SCCM:

[screenshot: sccm-unreachable.png]

Even more odd, if I disconnect and delete the endpoint from Context Visibility and then reconnect it, the new session shows 'SCCM Reachable' even though the PSN still has no network connectivity to SCCM.

[screenshot: sccm-endpoint-deleted.png]

I don't know if this has anything to do with the bug fixed in P13 around Context Visibility not updating correctly, so I may have to test again with P13 applied. If I see the same behaviour, I might have to open a TAC case.

@Nidhi, any input here?
