Introduction

Intune integrates with network access control partners to help organizations secure corporate data when devices try to access on-premises resources.

Example

If the device is enrolled and compliant with Intune, the NAC solution should allow the device access to corporate resources. For example, users can be allowed or denied access when trying to access corporate Wi-Fi or VPN resources.

Feature behaviors

Devices that are actively syncing to Intune cannot move from Compliant / Noncompliant to Not Synched (or Unknown). The Unknown state is reserved for newly enrolled devices that have not yet been evaluated for compliance.

How the NAC integration works

Here’s an overview on how the NAC integration works when integrated with Intune. The first three steps, 1-3, explain the onboarding process. Once the NAC solution is integrated with Intune, steps 4-9 describe the on-going operation.

1. Register the NAC partner solution with Azure Active Directory (AAD) and grant delegated permissions to the Intune NAC API.
2. Configure the NAC partner solution with the appropriate settings including the Intune discovery URL.
3. Configure the NAC partner solution for certificate authentication.
4. User connects to corporate Wi-Fi access point or makes a VPN connection request.
5. NAC partner solution forwards the device information to Intune and asks Intune about the device enrollment and compliance state.
6. If the device is not compliant or not enrolled, the NAC partner solution instructs the user to enroll or fix the device compliance.
7. The device attempts to re verify its compliance and/or the enrollment state.
8. Once the device is enrolled and compliant, NAC partner solution gets the state from Intune.
9. Connection is successfully established which allows the device access to corporate resources.

Microsoft Intune Integration with Cisco ISE

Cisco ISE (NAC) integration with Microsoft Intune MDM Services leverages AAD’s (Azure AD) token-based authentication to access Intune services and leverage the information to grant/deny network access to mobile devices

Step 1: Configuring Microsoft Intune as an MDM server for ISE

Use the following steps to configure ISE's connection to Azure and Azure's connection to ISE.

1. Get the public certificate from the Intune/Azure Active Directory tenant and import it into ISE to support SSL handshake.
   1. Log on to the Intune Admin Console or Azure Admin console, whichever site has your tenant.
   2. Use the browser to get the certificate details. For, example, with Internet Explorer:
      1. Click on the lock symbol in the browser toolbar, then click View Certificates.

2. In the Certificate window, select the tab Certification Path.

3. Find Baltimore Cyber Trust root on local machine certificate store, and export the root cert.

On Cisco ISE, choose Administration > System > Certificates > Trusted Certificates, and import the root certificate that you just saved. Give the certificate a meaningful name, such as Azure MDM.

Step 2: Export the ISE system certificate and prepare it for Intune/Azure

1. In the ISE console, go to Administration > System > Certificates > System Certificates, select the Default self-signed server certificate, and click Export.
2. Select Export Certificate Only (default) and select a place to save it.
3. Choose Add an application my organization is developing
4. Run the following PowerShell script on the exported certificate file:
   

   $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer.Import(“mycer.cer”) $bin = $cer.GetRawCertData() $base64Value = [System.Convert]::ToBase64String($bin) $bin = $cer.GetCertHash() $base64Thumbprint = [System.Convert]::ToBase64String($bin)   $keyid = [System.Guid]::NewGuid().ToString()

   Once script runs, it stores the value in variables. Type the variable name on PowerShell prompt and retrieve the values (please see the below demo screen)

   $base64Value

   $base64Thumbprint

   $keyidDemo:

1. Keep the values for $base64Thumbprint, $base64Value and $keyid, which will be used in the next step.
   

   Step 3: Create an ISE App in Intune/Azure Tenant

   1. Choose 'Add an application my organization is developing' from Azure Active Directory | Enterprise Application - All Applications | Categories | Add an Application

2. Select New application registration

3.   Fill the App properties information

Enter Name: CiscoISE (It can be any name, i have used CiscoISE)

Application type: Web app/API

Sign-on URL: <CiscoISE<MicrosoftTenant>.onmicrosoft.com

NOTE:

1. SIGN-ON URL. The URL where users can sign in and use your app. You can change this later as needed.
2. APP ID URI. The URI used as a unique logical identifier for your app. The URI must be in a verified custom domain for an external user to grant your app access to their data in Windows Azure AD. For example, if your Microsoft tenant is contoso.onmicrosoft.com, the APP ID URI could be https://app.contoso.onmicrosoft.com

4. Click Create to create new CiscoISE Application

5. Select ‘All Applications’ and ‘All Apps’ to list the new Web API created.

 Step 4: Get the manifest file from Azure, add the ISE certificate information, and Upload the updated manifest    into Azure

1. Download the manifest file from Azure (for ISE App created in Step 3)
   1. Click on manifest
   2. click download to download the manifest file.

3. Download and save the file locally ad 'CiscoISE.jason' . NOTE: Please don't change the file name.

4. Once file is open (need to have json editor),

5. Update the keyCredentials field in manifest json file as below:

Replace Base64 Encoded String of ISE PAN Cert with the exported, edited, certificate file from ISE, which is he $base64Value from the PowerShell Script (Refer Step 2)

Replace “Keyid” with Keyid value from PowerShell Script (Refer Step 2)

Replace “CustomeKeyIdentifier” value from the PowerShell script (Refer Step 2)

Sample:

NOTE: Do NOT CHANGE THE NAME OF THE MANIFEST File

Extra Reference: https://msdn.microsoft.com/library/azure/ad/graph/api/entity-and-complex-type-reference#keycredential-type

6. Save the file – Do Not change manifest name

7. Upload the modified Json file to Azure App manifest

Step 5: Getting Values of endpoints attributes from Azure Portal

1. Navigate to App registrations > Endpoints

2. Make Note of below values:

• MICROSOFT AZURE AD GRAPH API ENDPOINT
• OAUTH 2.0 TOKEN ENDPOINT
• APPLICATION ID or CLIENT ID

These 3 values will be used in next step.

Step 6: Add Graph API and Intune API to application with permissions and delegations

Settings for Application permissions and Delegated Permissions:

To configure above settings, Select CiscoISE Registered App again

Go to Settings | Required Permissions | Add

From the Listed APIs, Select ‘Microsoft Graph’

Click on Select permissions and select ‘APPLICATION PERMISSIONS’ and ‘DELEGATED PERMISSIONS’ as below:

APPLICATIONS PERMISSIONS:

• Read Directory data

DELEGATED PERMISSIONS:

• Read and write Microsoft Intune Device Configuration and Policies
• Read Microsoft Intune Configuration
• Sign users in
• Access users’s data anytime

Again Click on Add | Select an API as ‘Microsoft Intune API’ from the listed APIs

Click on Select permissions and select ‘APPLICATION PERMISSIONS’ and ‘DELEGATED PERMISSIONS’ as below:

APPLICATION PERMISSIONS:

• Get device state and compliance information from Microsoft Intune

Again Click on Add | Select an API as ‘Windows Azure Active Directory’ from the listed APIs

Click on Select permissions and select ‘APPLICATION PERMISSIONS’ and ‘DELEGATED PERMISSIONS’ as below:

APPLICATION PERMISSIONS:

• Read directory data

DELEGATED PERMISSIONS:

• Read directory data
• Sign in and read user profile

Final Required Permissions:

Once permissions are selected, click on ‘Grant Permissions’ and Click 'Yes'

7.  In ISE, configure the Intune server in ISE

For more information about configuring and external MDM server, see Define Mobile Device Management Servers in ISE. The fields that are important for Intune are described below:

• Auto Discovery URL - Enter the value of Microsoft Azure AD Graph API Endpoint from the Microsoft Azure management portal. This the endpoint at which an application can access directory data in your Microsoft Azure AD directory using the Graph API. The URL is of the form: https://<hostname>/<tenant id>, for example, https://graph.ppe.windows.net/47f09275-5bc0-4807-8aae-f35cb0341329. An expanded version of this URL is also in the property file, which is of the form:

• Client ID - The unique identifier for your application. Use this if your application accesses data in another application, such as the Microsoft Azure AD Graph API, Microsoft Intune API, and so on.

• Token Issuing URL - Enter the value of the Oauth2.0 Authorization Endpoint from the previous step. This is the endpoint at which your app can obtain an access token using OAuth2.0. After your app is authenticated, Microsoft Azure AD issues your app (ISE) an access token, which allows your app to call the Graph API/ Intune API.

• Token Audience* - The recipient resource that the token is intended for, which is a public, well-known APP ID URL to the Microsoft Intune API.

Value Mapping between Intune and in ISE settings: