cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

How to Integrate Microsoft Intune with ISE 2.1 Presentation

14507
Views
7
Helpful
7
Comments
Comments
VIP Engager

Hi

A very useful document.  I will be integrating to Intune very soon and I have a question about how to handle the importing of two PAN certs?  Your example shows just one PAN cert.  Do you know what the examples should look like with two PAN's? (pages 10 and 11 of your PDF)

Your example doesn't make it clear which PAN system cert is being exported (i.e. from which role).  e.g. if I have a cert for the Admin role only, is that the one I export to Intune?

And also, would I need to import the PKI CA chain that created that cert, into Intune as well, or not?  Or does Intune just need the ISE cert without the PKI CA cert chain?

thanks

Arne

Cisco Employee

Let me double check with some others but pretty sure you would export the admin cert from each PAN. You would also need to import the full chain into intune for that cert so it can trust it

Cisco Employee

Configuring Microsoft Intune as an MDM Server

in ISE admin guide has a power-shell script to get the base64 thumbprint.

Then, you may try the end-entity certificates of the two PANs.

"keyCredentials": [

  {

  “customKeyIdentifier“: “$base64Thumbprint_from_powerShell_for_PPAN”,

  “keyId“: “$keyid_from_above_PPAN“,

  "type": "AsymmetricX509Cert",

  "usage": "Verify",

  "value": "Base64 Encoded String of ISE PPAN cert"

  },

  {

  “customKeyIdentifier“: “$base64Thumbprint_from_powerShell_for_SPAN”,

  “keyId“: “$keyid_from_above_SPAN“,

  "type": "AsymmetricX509Cert",

  "usage": "Verify",

  "value": "Base64 Encoded String of ISE SPAN cert"

  }

]

Contributor

In the Admin guide it states that Intune MDM integration only works with Mobile Devices? Does that mean I can not pull any data about an Mac OSX Device?

Cisco Employee

This is all up to the vendor on what operating systems they support. Please consult microsoft intune documentation for this information

I have configured the Intune and Cisco ISE components successfully according to the documentation. The Cisco external MDM Test Connection, connects successfully. However when the Cisco ISE polls Intune for Device info it fails to connect with the following error: Any assistance would be greatly appreciated.

2018-10-17 16:04:31,382 ERROR  [Thread-54049][] cisco.cpm.mdm.util.MdmRESTClient -::::- Error message while connecting to MDM server :
Connection Failed to the MDM server host - fef.msua01.manage.microsoft.com, and port -  : Connection timeout occurred. Check if the MDM server is reachable : SocketTimeoutException message = Read timed out
2018-10-17 16:04:31,383 ERROR  [Thread-54049][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -::::- Exception occurred while connecting to the MDM server A connection timeout occurred. Check if the MDM server is reachable.
2018-10-17 16:04:31,383 ERROR  [Thread-54049][] cisco.cpm.mdm.api.MdmClient -::::- A connection timeout occurred. Check if the MDM server is reachable.
2018-10-17 16:04:31,383 ERROR  [Thread-54049][] cisco.cpm.mdm.scheduler.MDMHeartbeat -::::- Exception occurred in MDM Heartbeat - thrown from MDMVerifyServer connect() method - A connection timeout occurred. Check if the MDM server is reachable.

Cisco Employee

Hey jackson.norman.l@dol.gov

Make sure that all PSN certs are installed on the Azure side and that all relevant ACLs are in place allowing communication to and from Azure Intune. Also, not sure if this is version specific or not but, if there is a "reply URL" section, make sure the PSNs are configure there as well.