Using Cisco ISE with Microsoft Intune

Applies to: Intune in the classic portal

Intune integration with Cisco Identity Services Engine (ISE) lets you author network policies in your ISE environment using the Intune device-enrollment and compliance state. You can use these policies to ensure that access to your company network is restricted to devices that are managed by Intune and compliant with Intune policies.

Configuration steps

You don't need to do any setup in your Intune tenant to enable this integration. You do need to grant your Cisco ISE server permission to access your Intune tenant; after that, the rest of the setup happens on the Cisco ISE server. This article explains how to give your ISE server that access.

Step 1: Manage the certificates

Export the certificate from the Azure Active Directory (Azure AD) console, then import it into the Trusted Certificates store of the ISE console:

Internet Explorer 11

a. Run Internet Explorer as an administrator, and sign in to the Azure AD console.

b. Choose the lock icon in the address bar and choose View certificates.

c. On the Details tab of the certificate properties, choose Copy to file.

d. On the welcome page of the Certificate Export Wizard, choose Next.

e. On the Export File Format page, leave the default, DER encoded binary X.509 (.CER), and choose Next.

f. On the File to Export page, choose Browse to pick a location in which to save the file, and provide a file name. Although it looks as if you are picking a file to export, you are actually naming the file that the exported certificate will be saved to. Choose Next > Finish.

g. From within the ISE console, import the Intune certificate (the file you exported) into the Trusted Certificates store.

Safari

a. Sign in to the Azure AD console.

b. Choose the lock icon > More information.

c. Choose View certificate > Details.

d. Choose the certificate, and then choose Export.

e. From within the ISE console, import the Intune certificate (the file you exported) into the Trusted Certificates store.

Important

Check the expiration date of the certificate and record it: when this certificate expires, you will have to export and import a new one.

Obtain a self-signed certificate from ISE

  1. In the ISE console, go to Administration > Certificates > System Certificates > Generate Self Signed Certificate.
  2. Export the self-signed certificate.
  3. In a text editor, edit the exported certificate:

    • Delete the -----BEGIN CERTIFICATE----- line
    • Delete the -----END CERTIFICATE----- line
    • Ensure all of the remaining text is on a single line (remove the line breaks in the base64 body)

Step 2: Create an app for ISE in your Azure AD tenant

  1. In the Azure AD console, choose Applications > Add an Application > Add an application my organization is developing.
  2. Provide a name and a URL for the app. The URL can be your company website.
  3. Download the app manifest (a JSON file).
  4. Edit the manifest JSON file. In the setting called keyCredentials, provide the edited certificate text from Step 1 as the setting value.
  5. Save the file without changing its name.
  6. Grant your app permissions to Microsoft Graph and the Microsoft Intune API.

    a. For Microsoft Graph, choose the following:

    • Application permissions: Read directory data
    • Delegated permissions:
      • Access user's data anytime
      • Sign users in

    b. For the Microsoft Intune API, under Application permissions, choose Get device state and compliance from Intune.

  7. Choose View Endpoints and copy the following values for use when configuring the ISE settings:

    Value in Azure AD portal                                   Corresponding field in ISE portal
    Microsoft Azure AD Graph API endpoint                      Auto Discovery URL
    OAuth 2.0 Token endpoint                                   Token Issuing URL
    Client ID (under "Update your code with your Client ID")   Client ID

Step 3: Upload the self-signed certificate from ISE into the ISE app you created in Azure AD

  1. Get the base64-encoded certificate value and thumbprint from the .cer X.509 public certificate file. This example uses PowerShell (GetRawCertData returns the DER bytes of the certificate, and GetCertHash returns its SHA-1 thumbprint):

    # Load the exported public certificate. Use a full path: .NET resolves a relative
    # path against the process working directory, not the PowerShell location.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import("mycer.cer")

    # "value" in keyCredentials: base64 of the raw DER certificate
    $bin = $cer.GetRawCertData()
    $base64Value = [System.Convert]::ToBase64String($bin)

    # "customKeyIdentifier" in keyCredentials: base64 of the SHA-1 thumbprint
    $bin = $cer.GetCertHash()
    $base64Thumbprint = [System.Convert]::ToBase64String($bin)

    # "keyId" in keyCredentials: any newly generated GUID
    $keyid = [System.Guid]::NewGuid().ToString()

    Store the values of $base64Thumbprint, $base64Value, and $keyid for use in the next step.

  2. Upload the certificate through the manifest file. Log in to the Azure Management Portal.
  3. In the Azure AD snap-in, find the application that you want to configure with an X.509 certificate.
  4. Download the application manifest file.
  5. Replace the empty "keyCredentials": [] property with the following JSON. The KeyCredentials complex type is documented in the Entity and complex type reference.

    "keyCredentials": [
    {
    "customKeyIdentifier": "$base64Thumbprint_from_above",
    "keyId": "$keyid_from_above",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "$base64Value_from_above"
    }
    ],

    For example:

    "keyCredentials": [
    {
    "customKeyIdentifier": "ieF43L8nkyw/PEHjWvj+PkWebXk=",
    "keyId": "2d6d849e-3e9e-46cd-b5ed-0f9e30d078cc",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "MIICWjCCAgSgAwIBA***omitted for brevity***qoD4dmgJqZmXDfFyQ"
    }
    ],

  6. Save the change to the application manifest file.
  7. Upload the edited application manifest file through the Azure management portal.
  8. Optional: Download the manifest again to check that your X.509 certificate is present on the application.

Note

keyCredentials is a collection, so you can upload multiple X.509 certificates for rollover scenarios, or delete certificates in compromise scenarios.
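As an added example (not from the original page, and not Cisco's or Microsoft's code), the following Python performs the same certificate preparation as the text-editor steps in Step 1 and the PowerShell snippet in this step: it strips the BEGIN/END lines from a PEM export, decodes the DER, derives the base64 value and the base64 SHA-1 thumbprint, and splices one or more keyCredentials entries into a downloaded manifest, either appending (rollover) or replacing the old entries (compromise). The DER bytes, the PEM built from them and the manifest are constructed stand-ins for this example; the DER is not a real certificate, so with a real export read the .cer file instead.

```python
import base64
import hashlib
import json
import uuid
from typing import Iterable, List, Optional

# Constructed stand-in for the DER bytes of an exported certificate. It is NOT a
# real X.509 certificate; substitute the bytes of the .cer exported from ISE.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_to_pem(der: bytes) -> str:
    """Render DER bytes as a PEM block (64-character lines), like a base64 .cer export."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed PEM export, built from the stand-in DER above.
SAMPLE_PEM = der_to_pem(FAKE_DER)


def pem_to_single_line(pem: str) -> str:
    """Step 1 editing: drop the BEGIN/END lines and join the base64 body into one line."""
    body = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in body if ln and not ln.startswith("-----"))


def key_credential(der: bytes, key_id: Optional[str] = None) -> dict:
    """Build one keyCredentials entry, mirroring the PowerShell snippet:
    value = base64(DER), customKeyIdentifier = base64(SHA-1 thumbprint), keyId = new GUID."""
    thumbprint = hashlib.sha1(der).digest()  # 20 bytes, same as X509Certificate2.GetCertHash()
    return {
        "customKeyIdentifier": base64.b64encode(thumbprint).decode("ascii"),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode("ascii"),
    }


def key_credentials_from_pems(pems: Iterable[str]) -> List[dict]:
    """One entry per PEM; several PEMs give the rollover set the note above describes."""
    return [key_credential(base64.b64decode(pem_to_single_line(p))) for p in pems]


def patch_manifest(manifest_json: str, pems: Iterable[str], keep_existing: bool = True) -> str:
    """Replace or extend "keyCredentials" in a downloaded app manifest.
    keep_existing=True appends (rollover); keep_existing=False drops the old entries (compromise)."""
    manifest = json.loads(manifest_json)
    existing = (manifest.get("keyCredentials") or []) if keep_existing else []
    manifest["keyCredentials"] = existing + key_credentials_from_pems(pems)
    return json.dumps(manifest, indent=2)


def thumbprint_hex(der: bytes) -> str:
    """Hex form of the thumbprint, as certificate viewers display it, for checking that
    the uploaded entry really matches the certificate you exported from ISE."""
    return hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    # Constructed manifest: the empty property the text tells you to replace.
    print(patch_manifest('{"keyCredentials": []}', [SAMPLE_PEM]))
    print("thumbprint:", thumbprint_hex(FAKE_DER))
```

After uploading, compare thumbprint_hex of the exported file with the thumbprint shown in the certificate viewer; a mismatch means the wrong file (or a re-generated certificate) was uploaded, and the OAuth client-credentials flow from ISE will fail signature verification.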

Step 4: Configure ISE settings

In the ISE admin console, provide these setting values:

  • Server Type: Mobile Device Manager
  • Authentication type: OAuth – Client Credentials
  • Auto Discovery: Yes
  • Auto Discovery URL: enter the Microsoft Azure AD Graph API endpoint value copied in Step 2.
  • Client ID: enter the Client ID value copied in Step 2.
  • Token Issuing URL: enter the OAuth 2.0 Token endpoint value copied in Step 2.

Information shared between your Intune tenant and your Cisco ISE server

This table lists the information that is shared between your Intune tenant and your Cisco ISE server for devices that are managed by Intune.

Property              Description
complianceState       The string "true" or "false", indicating whether the device is compliant or noncompliant.
isManaged             The string "true" or "false", indicating whether the client is managed by Intune.
macAddress            The MAC address of the device.
serialNumber          The serial number of the device. Applies only to iOS devices.
imei                  The IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits), which encodes the origin, model, and serial number of the device. The structure of this number is specified in 3GPP TS 23.003. Applies only to devices with SIM cards.
udid                  The Unique Device Identifier, a sequence of 40 letters and digits. Specific to iOS devices.
meid                  The Mobile Equipment Identifier, a globally unique number that identifies a physical piece of CDMA mobile station equipment. The format is defined by 3GPP2 report S.R0048. In practical terms it can be seen as an IMEI with hexadecimal digits. An MEID is 56 bits long (14 hex digits) and consists of three fields: an 8-bit regional code (RR), a 24-bit manufacturer code, and a 24-bit manufacturer-assigned serial number.
osVersion             The operating system version of the device.
model                 The device model.
manufacturer          The device manufacturer.
azureDeviceId         The device ID after the device has been workplace-joined to Azure AD. It is an empty GUID for devices that are not joined.
lastContactTimeUtc    The date and time (UTC) when the device last checked in with the Intune management service.
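The following Python is an added illustration, not part of the original page and not Cisco's ISE policy engine: it models the access rule stated at the top of this page (allow only devices that are managed by Intune and compliant) as a function over the attributes in the table, and shows the edge cases a policy author has to decide on: the lookup key is the MAC address, which arrives in varying formats; complianceState and isManaged are the strings "true"/"false", not booleans; azureDeviceId is the empty GUID for unjoined devices; and a lastContactTimeUtc that is too old means the compliance state is stale. The device records, the timestamp format (ISO 8601 with a trailing Z), the 24-hour staleness limit and the verdict names are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

EMPTY_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample records in the shape of the table above, keyed by MAC address.
# Values are strings because that is how complianceState/isManaged are delivered.
SAMPLE_DEVICES: Dict[str, dict] = {
    "00:11:22:33:44:55": {
        "complianceState": "true", "isManaged": "true",
        "osVersion": "16.4", "model": "iPhone", "manufacturer": "Apple",
        "azureDeviceId": "6f1c6e38-0f1b-4f27-9a1e-3b6d1c2f5a10",
        "lastContactTimeUtc": "2024-05-02T09:30:00Z",
    },
    "00:11:22:33:44:66": {  # managed but noncompliant
        "complianceState": "false", "isManaged": "true",
        "azureDeviceId": EMPTY_GUID,
        "lastContactTimeUtc": "2024-05-02T10:00:00Z",
    },
    "00:11:22:33:44:77": {  # known to Intune but not managed
        "complianceState": "true", "isManaged": "false",
        "azureDeviceId": EMPTY_GUID,
        "lastContactTimeUtc": "2024-05-02T10:00:00Z",
    },
    "00:11:22:33:44:88": {  # compliant on paper, but last check-in a month ago
        "complianceState": "true", "isManaged": "true",
        "azureDeviceId": EMPTY_GUID,
        "lastContactTimeUtc": "2024-04-01T10:00:00Z",
    },
}


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so 'AA-BB-CC-DD-EE-FF' and 'aabb.ccdd.eeff' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def as_bool(value: object) -> bool:
    """'true'/'false' strings (any case, with whitespace); anything else counts as false."""
    return str(value).strip().lower() == "true"


def parse_utc(value: str) -> datetime:
    """Assumed ISO 8601 with a trailing Z; Python < 3.11 does not accept the Z itself."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def decide_access(mac: str, devices: Dict[str, dict], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: allow, enroll (redirect to Intune enrollment),
    deny (known device that must not get on the network)."""
    device = devices.get(normalize_mac(mac))
    if device is None:
        return "enroll", "device not known to Intune"
    if not as_bool(device.get("isManaged")):
        return "enroll", "device is not managed by Intune"
    if not as_bool(device.get("complianceState")):
        return "deny", "device is managed but noncompliant"
    last = device.get("lastContactTimeUtc")
    if not last or now - parse_utc(last) > max_age:
        return "deny", "compliance state is stale (last check-in too old or missing)"
    joined = device.get("azureDeviceId", EMPTY_GUID) != EMPTY_GUID
    return "allow", "managed and compliant" + (", Azure AD joined" if joined else ", not Azure AD joined")


if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
    for mac in ("00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477",
                "00:11:22:33:44:88", "de:ad:be:ef:00:01"):
        print(mac, "->", decide_access(mac, SAMPLE_DEVICES, now))
```

Treating an unknown string as "false" and a stale check-in as a denial fails closed: a device whose state cannot be confirmed never gets network access on the strength of an old "compliant" answer.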

User experience

When a user attempts to access resources from an unenrolled device, they receive a prompt to enroll, such as the one shown here:

[Image: example of an enrollment prompt]

When the user chooses to enroll, they are redirected to the Intune enrollment process. The user enrollment experience for Intune is described in these topics:

There is also a downloadable set of enrollment instructions that you can use to create customized guidance for your users.

See also

Cisco Identity Services Engine Administrator Guide, Release 2.1