01-14-2019 12:59 PM
Hi TME team,
Does ISE cache endpoint attributes related to MDM checks (like MDM.DeviceRegisterStatus) in the event that the MDM server becomes unreachable? If so, how long are they cached?
I'm doing some customer testing with SCCM and ISE 2.2 p9 and getting some inconsistent behaviour, so I need to know what the expected behaviour is for this scenario.
Do we have any validated best practices for design or policy configuration (e.g. using the 'MDM.ServerReachable' condition match) to mitigate endpoint authZ issues in the event that connectivity is lost to the MDM server?
01-15-2019 07:44 AM
We have an MDM Deployment Guide that outlines best practice for integration of SCCM and ISE. As to whether or not ISE caches MDM attributes; I don't believe it does, because ISE relies on SCCM to be the single source of truth when it needs compliance information for an endpoint tied to SCCM.
Regards,
-Tim
01-16-2019 02:46 PM
Thanks Tim. That would have been my expectation as well, but that's not what I've found in my testing.
I created some Monitor Only rules to track the attributes for ServerReachable and DeviceRegister more easily in the logs. I tested both before and after blocking network connectivity from the ISE nodes to the SCCM server and found the following:
Before blocking SCCM:
After blocking SCCM:
Even more odd, if I disconnect and delete the endpoint from Context Visibility then reconnect it, the new session shows 'SCCM Reachable' even though the PSN still has no network connectivity to SCCM.
I don't know if this has anything to do with the bug fixed in P13 around Context Visibility not updating correctly, so I may have to test again with P13 applied. If I see the same behaviour, I might have to open a TAC case.
@Nidhi, any input here?
01-17-2019 02:31 AM
Hello Greg,
It does look like it is getting saved in cache. You might be hitting CSCvn70558 (MDMServerReachable does not work for SCCM MDM again). This issue was observed internally as well. There was a fix done for the caching issue for MDM. I suggest two things here:
1. Raise a TAC case so that they can suggest the right patch.
2. Include MDMServerReachable also in your policy.
Thanks,
Nidhi
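A toy model of the rule-ordering point raised in this thread (Greg's observation that MDM attributes can be served from a cache while SCCM is unreachable, and Nidhi's suggestion to include MDMServerReachable in the policy). This is an added example, not Cisco code and not anything posted in the thread. It assumes the ISE MDM dictionary attribute names and values shown in the comments (MDM.MDMServerReachable = Reachable/UnReachable, MDM.DeviceRegisterStatus = Registered/UnRegistered, MDM.DeviceCompliantStatus = Compliant/NonCompliant), models the cache behaviour only as the thread describes it, and, unlike the bug discussed, assumes MDMServerReachable is reported accurately. The MAC addresses and SCCM records are constructed sample data.

```python
"""Toy model of first-match-wins authorization rules evaluated against MDM
attributes that may come from a cache while the MDM server is down.
Added example for this thread; not Cisco/ISE code. Attribute names and
values are assumed to mirror the ISE MDM dictionary."""
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]
Rule = Tuple[str, Callable[[Attrs], bool], str]   # (rule name, condition, authz profile)


class MdmLookup:
    """Hypothetical PSN-side lookup: live answer when the server is up,
    otherwise whatever was last cached for that MAC (the behaviour observed
    in the thread), or nothing for an endpoint never seen before."""

    def __init__(self, server: Dict[str, Attrs]):
        self.server = server            # constructed "SCCM" records keyed by MAC
        self.cache: Dict[str, Attrs] = {}
        self.reachable = True

    def fetch(self, mac: str) -> Attrs:
        if self.reachable:
            attrs = dict(self.server.get(mac, {}))
            attrs["MDM.MDMServerReachable"] = "Reachable"
            self.cache[mac] = dict(attrs)   # remember the last good answer
            return attrs
        stale = dict(self.cache.get(mac, {}))
        stale["MDM.MDMServerReachable"] = "UnReachable"   # assumed to be reported correctly
        return stale


def rule(name: str, cond: Callable[[Attrs], bool], profile: str) -> Rule:
    return (name, cond, profile)


def registered_and_compliant(a: Attrs) -> bool:
    return (a.get("MDM.DeviceRegisterStatus") == "Registered"
            and a.get("MDM.DeviceCompliantStatus") == "Compliant")


# Naive policy: trusts DeviceRegisterStatus/DeviceCompliantStatus wherever they came from.
POLICY_NAIVE: List[Rule] = [
    rule("MDM_Compliant", registered_and_compliant, "PermitAccess"),
    rule("Default", lambda a: True, "Quarantine"),
]

# Reachability-first policy: anything other than Reachable short-circuits to a
# limited profile before any (possibly cached) status attribute is consulted.
POLICY_REACHABILITY_FIRST: List[Rule] = [
    rule("MDM_Down", lambda a: a.get("MDM.MDMServerReachable") != "Reachable", "Limited_MDM_Unavailable"),
    rule("MDM_Compliant", registered_and_compliant, "PermitAccess"),
    rule("Default", lambda a: True, "Quarantine"),
]


def authorize(policy: List[Rule], attrs: Attrs) -> str:
    """Top-down, first match wins, like an ISE authorization policy."""
    for _name, cond, profile in policy:
        if cond(attrs):
            return profile
    return "DenyAccess"


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Returns {scenario: (naive result, reachability-first result)}."""
    mdm = MdmLookup({"00:11:22:33:44:55": {"MDM.DeviceRegisterStatus": "Registered",
                                            "MDM.DeviceCompliantStatus": "Compliant"}})
    results: Dict[str, Tuple[str, str]] = {}

    live = mdm.fetch("00:11:22:33:44:55")        # server up; answer is also cached
    results["server_up"] = (authorize(POLICY_NAIVE, live),
                            authorize(POLICY_REACHABILITY_FIRST, live))

    mdm.reachable = False                          # PSN loses connectivity to SCCM
    stale = mdm.fetch("00:11:22:33:44:55")       # served from the cache
    results["server_down_cached"] = (authorize(POLICY_NAIVE, stale),
                                     authorize(POLICY_REACHABILITY_FIRST, stale))

    unknown = mdm.fetch("66:77:88:99:aa:bb")     # never seen, nothing cached
    results["server_down_uncached"] = (authorize(POLICY_NAIVE, unknown),
                                       authorize(POLICY_REACHABILITY_FIRST, unknown))
    return results


if __name__ == "__main__":
    for scenario, (naive, ordered) in run_scenarios().items():
        print(f"{scenario:22} naive={naive:16} reachability_first={ordered}")
```

The point the model makes: with the naive ordering, a cached Registered/Compliant answer still yields PermitAccess after SCCM goes away, so the outage is invisible in the authorization result; with the reachability check placed first, both the cached endpoint and a never-seen endpoint land in the same limited profile, and what that profile permits becomes an explicit design decision rather than an accident of what happened to be cached. If MDMServerReachable itself is reported incorrectly, as the bug in this thread describes, the first rule cannot protect you, which is why the TAC case is the other half of the answer.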