When is a device compliant when it's not…

… When Cisco ISE cannot talk to Intune for compliance information

A long-standing issue, where some of our EntraID joined devices are being disallowed access to the corporate wireless, has finally come up for investigation.

The Background

With the intent of securing the corporate WiFi network, we have integrated Cisco ISE with Intune MDM following the Cisco documentation: create an EntraID app registration with the correct Graph permissions, import the admin certificate from ISE into the app for client authentication, and then add the details into the MDM integration within Cisco ISE.

Alongside this, during Autopilot provisioning we add a computer certificate with a SAN URL containing the Intune device ID. Cisco ISE uses this as part of its compliance checks to identify the device, and passes it through to the Intune API to retrieve the compliance information. In addition, we deploy a wireless profile that auto-connects, so that when the device is in the user's hands and they take it to the office it connects automatically. One less thing for them to worry about.

What should happen

When a device attempts to connect to the corp WiFi, the AP speaks to Cisco ISE and passes the certificate. Cisco ISE will then:

  • Check authentication
    • Is the certificate valid?
    • Does the certificate contain the correct SAN URL?

If it does, it then moves on to the next step of the policy:

  • Check authorisation
    • Ask Intune for compliance info
    • If compliant – allow connection
    • If not compliant – disallow connection

So, the issue….?

With a device pre-provisioned and in my hands, I log on with my account and finish the provisioning at home. The device shows as compliant in Intune. I head to the office the next day.

The next day I log on as normal, but the corp WiFi doesn't connect. Checking the Cisco ISE logs, it believes that the device is not compliant. Let's check Intune – hmmmm, it's compliant.

Troubleshooting

This is where you need to enable the Cisco ISE MDM trace logging, as this shows the chatter on the Intune API: what Cisco ISE is asking for, and what Intune is responding with.

With a session booked, we have a 29 MB log to review. That is one for Monday. In the meantime the team will log a ticket with Cisco TAC, who can tell us:

  1. Is Cisco ISE talking to Intune?
  2. Why is Cisco ISE not getting the right information?

I’ll update the post with more information as we go through the journey (of hell) that is Cisco support 🙂

Update 1 Feb 2024

I've done a few things this week on this, learnt a few things, and managed to get compliance sorted.

  1. Each Cisco ISE device needs to have its device certificate added to the EntraID app registration. This is needed because any of your Cisco ISE devices could be the one that connects to the app registration and pulls compliance information.

    In our config, we have three Cisco ISE devices, but only one of them had their device certificate imported. After adding the other two device certificates we got movement.
  2. As I understand it, the Cisco ISE boxes do not do a live lookup against Intune. Instead, they poll Intune on a defined frequency.

    In our config, we had set this to the default of 240 mins (4 hours). We changed the configuration to 60 mins (1 hour).

    After this, the three devices we were having issues with were allowed to connect, as the cache had been updated.

    We are talking to a Cisco expert this week and I'll update the post once again with their advice.
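As an added illustration (not the author's configuration or Cisco's code), the following Python model walks the two-step policy described above together with the polling behaviour found in the update: ISE answers from a compliance snapshot that is refreshed only every poll interval, so a device that became compliant after the last poll is denied until the next one. The `IntuneDeviceId://` SAN prefix and the cache semantics are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Assumed SAN URI form carrying the Intune device ID (assumption, not from the post).
INTUNE_SAN_PREFIX = "IntuneDeviceId://"


@dataclass
class Cert:
    valid: bool          # outcome of chain/expiry validation, modelled as a flag
    san_uris: list       # SAN URI entries on the computer certificate


def authenticate(cert):
    """Step 1: certificate must be valid and carry the Intune device ID SAN."""
    if not cert.valid:
        return None
    for uri in cert.san_uris:
        if uri.startswith(INTUNE_SAN_PREFIX):
            return uri[len(INTUNE_SAN_PREFIX):]
    return None


@dataclass
class ComplianceCache:
    poll_minutes: int      # MDM polling interval configured in ISE
    intune: dict           # constructed "live" Intune state: device id -> compliant
    last_poll: int = 0
    snapshot: dict = field(default_factory=dict)

    def lookup(self, device_id, now):
        # Assumed behaviour: refresh only when the interval has elapsed,
        # otherwise serve whatever the last poll returned.
        if not self.snapshot or now - self.last_poll >= self.poll_minutes:
            self.snapshot = dict(self.intune)
            self.last_poll = now
        return self.snapshot.get(device_id, False)


def authorise(cert, cache, now):
    """Step 2: allow only if the cached compliance answer is 'compliant'."""
    device_id = authenticate(cert)
    if device_id is None:
        return "reject-auth"
    return "allow" if cache.lookup(device_id, now) else "deny-noncompliant"


def simulate(poll_minutes, connect_at=60):
    """Device turns compliant after a poll; user tries to connect at connect_at minutes."""
    intune = {"dev-1": False}                    # constructed sample state
    cache = ComplianceCache(poll_minutes, intune)
    cache.lookup("dev-1", 0)                     # ISE polls while still non-compliant
    intune["dev-1"] = True                       # provisioning finished at home
    return authorise(cache=cache, now=connect_at, cert=Cert(True, ["IntuneDeviceId://dev-1"]))
```

With the 240-minute default the office connection at minute 60 is denied even though Intune says compliant; at 60 minutes the poll has refreshed and the device is allowed.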

The next steps on our journey here are to work out what our rules and run-books will be for sorting out non-compliance issues and limiting the time before Cisco ISE sees the updated compliance. In addition, we will also answer the question of what Cisco ISE sees if a device is in grace… Will it show grace, compliant, non-compliant or something totally different!


I’m Lilys Dad…


Welcome to my place to blog about all things Microsoft Endpoint management including Intune, Windows 365, Azure Virtual desktop, Windows and more…
