How to Integrate Microsoft Intune with ISE 2.1 · 2018-07-24
ISE integration with the Microsoft Intune MDM server leverages AAD's (Azure AD) token-based authentication to access the Intune service and uses the information it returns to grant or deny network access to mobile devices.
Endpoint Compliance: Microsoft Intune Mobile Device Management (MDM) Integration
Use Cases
• Registration Check
• Compliance Check
• Periodic Polling
[Diagram: end-user flow over a wired or wireless NAD. The client registers with Cisco ISE and is allowed Internet access, registers with the MDM, is checked as compliant with the MDM, and is then allowed corporate access.]
[Sequence diagram: End User, NAD (RADIUS server = ISE), ISE PSN, MnT session directory, Intune. On link up the client authenticates to the NAD; the NAD sends Accounting Start and Accounting Update (Framed-IP) to the PSN, which returns Accounting Responses and forwards Syslog Accounting Start/Update to the MnT session directory. ISE checks the MDM policy against Intune (unregistered, compliant and non-compliant use cases) and enforces policy where applicable (CoA etc.).]
Intune Integration Architecture
ISE authenticates to the Azure AD token issuance endpoint and requests a customer-specific token.
The Azure AD token issuance endpoint validates the request and issues the access token.
ISE uses the access token (NOT the username and password) to authenticate to Microsoft Intune.
Microsoft Intune responds with a successful/unsuccessful authentication.
• Customer registers to Azure
• Integration works with OAuth 2.0
• Certs are validated (instead of just taking the MDM cert)
• Upload ISE cert on to Azure
[Diagram: ISE gets a token from Azure AD and authenticates to Intune through the Azure custom APP.]
Setup overview:
• Setup a Custom ISE APP on Azure
• Get ISE and Azure Certificates
• Upload ISE Certificate in Custom APP under Azure
• Assign Permissions to ISE custom APP under Azure
• Connect ISE and Azure Intune MDM
Step 1.2: Export ISE System Certificate
Administration > Certificates > System Certificates
Things to do with the ISE System Cert:
• Delete the -----BEGIN CERTIFICATE-----
• Delete the -----END CERTIFICATE-----
• All the text should be in a single line …
[Screenshot: Get Certs from Cisco ISE on the client machine.]
Step 2: Create an ISE APP under Intune
Portal: https://manage.windowsazure.com/
• Click on your Enterprise AD Account
• Click on APPLICATIONS
• ADD AN APPLICATION
• Name your APP (e.g. ISE APP)
• Add any valid URL (not really used for MDM)
Step 3.1: Upload ISE Certificate into ISE
Download Manifest from Azure AD
Downloaded Manifest (excerpt):
{
  "appId": "f7fe0922-2cf9-408b-96a2-ac6c994def1b",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "ISE",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://www.cisco.com",
  "identifierUris": ["http://www.cisco.com"],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions":
Upload ISE Cert
Step 3.2: Upload ISE Certificate into ISE
Azure API Documentation for Cert Verification:
{
  "customKeyIdentifier": null,
  "endDate": "2016-10-25T23:46:08Z",
  "keyId": "9369a61a-ea9f-4b66-b381-750029bc4fd4",
  "startDate": "2015-10-26T23:46:08Z",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": null
}
Things to do:
• Use the ISE Cert from Step 1.2
• Insert it in the value field between " "
Resulting entry (certificate value truncated here):
{
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDLjCCAhagAwIBAgIQVe9OCQAAAADZStmGUpIwNjANBgkqhkiG9w0BA"
}
Step 3.3: Upload ISE Certificate into ISE
Things to do:
• Open the Downloaded Manifest from Step 3.1
• Insert the text from Step 3.2 into the Manifest's "keyCredentials": [] field
• Save the file – DO NOT change the Manifest file name (that's your tenant ID)
Manifest after inserting the keyCredentials entry (certificate value truncated here; compare the original in Step 3.1):
{
  "appId": "f7fe0922-2cf9-408b-96a2-ac6c994def1b",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "ISE",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://www.cisco.com",
  "identifierUris": ["http://www.cisco.com"],
  "keyCredentials": [
    {
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": "MIIDLjCCAhagAwIBAgIQVe9OCQAAAADZStmGUpIwNjANBgkqhkiG9w0BA"
    }
  ],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
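The manifest edit in Steps 1.2 through 3.3 is easy to get wrong by hand (a stray header line, a line break inside the base64, or a duplicate entry). The following added example, which is not part of the original deck or of Cisco's or Microsoft's tooling, does the same edit programmatically and checks that the pasted value really decodes to DER before it goes anywhere near Azure. The certificate bytes, the manifest and the appId are constructed placeholders.

```python
import base64
import json

# Constructed placeholder DER bytes standing in for an exported ISE system
# certificate (a real DER certificate also begins with the ASN.1 SEQUENCE tag 0x30).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_b64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in for the manifest downloaded in Step 3.1 (appId is a placeholder).
DOWNLOADED_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "ISE",
    "keyCredentials": [],
    "oauth2AllowImplicitFlow": False,
}

def pem_to_single_line(pem: str) -> str:
    """Steps 1.2/3.2: drop the BEGIN/END lines and join the base64 body into one line."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    value = "".join(body)
    der = base64.b64decode(value, validate=True)   # raises ValueError if the paste was mangled
    if not der.startswith(b"\x30"):                  # DER certificate = ASN.1 SEQUENCE
        raise ValueError("decoded bytes are not a DER certificate")
    return value

def add_key_credential(manifest: dict, cert_b64: str) -> dict:
    """Step 3.3: insert the AsymmetricX509Cert/Verify entry into keyCredentials (returns a copy)."""
    updated = json.loads(json.dumps(manifest))       # never mutate the downloaded original
    creds = updated.setdefault("keyCredentials", [])
    if any(c.get("value") == cert_b64 for c in creds):
        return updated                               # already present, do not duplicate
    creds.append({"type": "AsymmetricX509Cert", "usage": "Verify", "value": cert_b64})
    return updated

if __name__ == "__main__":
    print(json.dumps(add_key_credential(DOWNLOADED_MANIFEST, pem_to_single_line(FAKE_PEM)), indent=2))
```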
Step 4.1: Upload modified Manifest to Azure App
Things to do:
• Upload the Manifest in Azure
• Verify the success message
Step 5: Add Azure MDM into ISE
Things to do:
• Collect the information to be added to ISE, found under the Azure APP that you've created in Step 2
[Screenshots: the Azure APP from Step 2; the Cisco ISE Add Intune MDM page (label: Prepopulated).]
Add IntuneMDM in ISE
Intune Integration Setup Tasks
Step 1: Download/export the ISE PAN certificate (only one cert in case of a wildcard cert; both the primary PAN and secondary PAN certs in case of CA-signed public certificates).
Step 2: Sign up/sign in to the customer domain on the Microsoft Azure management portal.
Step 3: Create an Active Directory App (the cloud representation of ISE) and assign the following list of permissions to the app so that it can access the MS Intune service:
1. Windows Azure Active Directory
2. Microsoft Graph API
3. Microsoft Intune API
Step 4: Upload the ISE certificates (PAN wildcard/CA-signed certs) and update the keyCredentials field in Manifest.xml as follows:
"keyCredentials": [
  {
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "Base64 Encoded String of ISE PAN certificate"
  }
]
Intune Integration Setup Tasks .. Cont'd
Step 5: Configure Intune on the ISE External MDM server UI using the Intune server details, client ID, token endpoint, Graph API endpoint, token audience and other general details.
Step 6: ISE generates an X.509 certificate and private key, then converts them into PKCS12 format.
Step 7: Using the above cert and private key, sign the claim and request an auth token from AAD.
Step 8: Cache the auth token and make sure the auth token is alive.
Step 9: Refresh the auth token from Azure AD right before it expires.
Step 10: Put "Authorization: Bearer <JWT-based AAD token>" in the request header instead of the "Authorization: username/password" header used today.
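Steps 8 to 10 describe a token lifecycle rather than a one-off call. The added example below (not code from the deck, from Cisco ISE or from Microsoft) shows that lifecycle: reading the exp claim out of the AAD access token, serving the cached token until shortly before it expires, refreshing it through an injected fetcher that stands in for the signed-assertion request of Step 7, and emitting the Bearer header. The token, the audience value and the fetcher are constructed for offline use; a real AAD token is RS256-signed by AAD and is verified by Intune, not by the client.

```python
import base64
import json
import time
from typing import Callable

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim (seconds since epoch) from an AAD access token.
    The signature is NOT verified here: ISE is the client; AAD and Intune verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return int(_b64url_json(parts[1])["exp"])

class BearerTokenCache:
    """Steps 8-10: cache the AAD token, refresh shortly before 'exp', and
    emit the Authorization: Bearer header instead of username/password."""
    def __init__(self, fetch_token: Callable[[], str], refresh_skew: int = 300, clock=time.time):
        self._fetch = fetch_token      # the signed-assertion token request to AAD (Step 7)
        self._skew = refresh_skew      # refresh this many seconds before expiry (Step 9)
        self._clock = clock            # injectable for testing
        self._token = None
        self._exp = 0

    def token(self) -> str:
        if self._token is None or self._clock() >= self._exp - self._skew:
            self._token = self._fetch()
            self._exp = jwt_expiry(self._token)
            if self._exp <= self._clock():
                raise RuntimeError("AAD returned an already-expired token")
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": f"Bearer {self.token()}"}

def make_fake_jwt(exp: int) -> str:
    """Constructed, unsigned JWT for offline testing (stands in for a real AAD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': '<token audience from Step 5>', 'exp': exp})}.sig"

if __name__ == "__main__":
    cache = BearerTokenCache(lambda: make_fake_jwt(int(time.time()) + 3600))
    print(cache.auth_header())
```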
End User Flow
• The end-to-end flow related to MDM enrollment and retrieving MDM attributes from the Intune server will be similar to any other MDM server.
• ISE will support MDM enrollment on all the devices that are currently supported by the Intune MDM server.
• Microsoft Intune would support MDM server hostname, port and instance name auto-discovery through the Azure AD Graph API.