02-04-2016 09:35 AM
Hi experts,
I have a use case for ISE 2.0 and MDM integration. The customer wants to allow BYOD devices (PEAP/MSCHAP) and also MDM-managed devices (PEAP/MSCHAP).
How can we avoid the BYOD devices hitting the MDM query rule the first time, and at the same time provide a smooth authentication process (avoiding redirection portals to register the device)?
Example:
If a BYOD device connects, the MDM registration status will equal "Unregistered". Hence, it will get stuck in that policy, querying the MDM.
Any ideas are very welcome.
Regards,
02-04-2016 09:43 AM
Jose, if you want differentiated policy on the same SSID then you will need something else to differentiate those two device use cases. You mentioned PEAP/MSCHAPv2, so if the users are different then you can use user groups to provide BYOD vs. MDM policies. If you know the MAC addresses of MDM device groups then you could create a special MAB group to send MDM devices through the MDM policy, while non-MDM devices are exempted from the flow. There may be other differentiators, but these are a few options based on your posting.
Hosuk
02-04-2016 09:59 AM
Thanks Hosuk,
Just like you mentioned, I was thinking of proposing that they export the current MAC address list from their MDM. The only con is that they will then need to update the list in two places (MDM and ISE).
On the other hand, I guess having different AD groups will prevent MDM users from connecting using their personal (non-MDM) devices (?).
Thanks for your help
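The MAC-list approach above leaves the "two places" maintenance problem open. The script below is an added example, not code from this thread, Cisco or AirWatch: it takes a constructed MDM inventory export with mixed MAC formats, normalises the enrolled devices' MACs into ISE's colon-separated upper-case form, computes what must be added to or removed from the ISE endpoint identity group, and emits an endpoint import CSV. The group name, the export columns and the import header layout are assumptions; check the header against the import template of your ISE version before using it.

```python
import csv
import io
import re

# Constructed sample MDM inventory export (not real data): the Wi-Fi MAC appears
# in several formats, one device is unenrolled and one row is malformed.
MDM_EXPORT = """\
DeviceName,WifiMAC,EnrollmentStatus
ipad-sales-01,AA:BB:CC:11:22:33,Enrolled
iphone-ops-07,aabbcc445566,Enrolled
android-fld-02,AA-BB-CC-77-88-99,Enrolled
ipad-old-09,AA:BB:CC:00:00:01,Unenrolled
broken-row,not-a-mac,Enrolled
"""

# MACs currently in the ISE endpoint identity group (constructed).
ISE_CURRENT = {"AA:BB:CC:11:22:33", "AA:BB:CC:00:00:01"}

ISE_GROUP = "MDM-Managed-Devices"  # assumed identity group name (Hosuk's "MAB group")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF (ISE's form), or None if it is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def enrolled_macs(export_text):
    """Parse the export and return the normalized MACs of enrolled devices.

    Rows whose MAC cannot be parsed are skipped; in a real sync they should be
    reported, because a device silently dropped here is a device that will be
    redirected (or denied) at the next connection.
    """
    macs = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EnrollmentStatus"] != "Enrolled":
            continue
        mac = normalize_mac(row["WifiMAC"])
        if mac is not None:
            macs.add(mac)
    return macs


def delta(mdm_macs, ise_macs):
    """Return (to_add, to_remove): the changes that bring the ISE group in line with the MDM."""
    return sorted(mdm_macs - ise_macs), sorted(ise_macs - mdm_macs)


def ise_import_csv(macs, group=ISE_GROUP):
    """Build an endpoint import file for the given MACs.

    Header layout is an assumption based on ISE's endpoint import template;
    verify it against the template exported from your ISE deployment.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"])
    for mac in macs:
        writer.writerow([mac, "", group, "MDM enrolled - synced from MDM export"])
    return out.getvalue()


if __name__ == "__main__":
    mdm = enrolled_macs(MDM_EXPORT)
    to_add, to_remove = delta(mdm, ISE_CURRENT)
    print("add to ISE group:", to_add)
    print("remove from ISE group (no longer enrolled):", to_remove)
    print(ise_import_csv(to_add))
```

Run on a schedule, the delta turns the MDM into the single source of truth for the identity group, which is what removes the double maintenance; the removal side matters as much as the additions, since an unenrolled device that stays in the group keeps bypassing the BYOD path.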
02-04-2016 12:43 PM
Are both devices in the MDM?
Which MDM are they using?
If it is a supported MDM you can integrate it with ISE. You will have to create a redirect that will redirect the devices to the MDM server the first time they connect, even if they are already registered with MDM. This allows the ISE server to verify that the device is part of MDM and any other MDM attributes you want to check for.
02-05-2016 07:27 AM
Thanks Cory,
The MDM is AirWatch and no, both devices are not in MDM, and that's exactly the problem: keeping the non-MDM devices from hitting the redirection policy.
I will ask the customer if he's OK with importing the MAC address list into ISE.
Thanks for your comments.
02-05-2016 07:57 AM
One potential option is to format the username in a different way depending on whether the device is MDM or not. In AirWatch, you can prepopulate the username field with the user's UPN, as shown in the screenshot below. If users connect manually, they would use the shortname or domain\username format. In the AuthZ policy, you could look for @domainname in RADIUS:Username to identify connections provisioned with MDM. Of course, nothing will stop the user from entering the UPN manually, but they may be less likely to do that if they're used to a short name.
Thanks
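To make the rule ordering concrete, here is an added example (my own model, not code from this thread or from Cisco) of an ISE-style authorization policy evaluated top-down with first-match semantics, using the three differentiators proposed in the thread: an AD group (Hosuk), a MAC-based endpoint identity group (Hosuk) and a UPN-format RADIUS:Username (Viktor's post above). The domain, group and rule names are assumptions. The point it demonstrates is that a BYOD device with none of those markers never reaches the MDM redirect rule, while the UPN test and the AD-group test both have the failure modes mentioned in the thread: a user who types their UPN manually, or an MDM user on a personal device, is still redirected.

```python
import re
from dataclasses import dataclass

AD_DOMAIN = "corp.example"             # assumed UPN suffix pushed by the MDM profile
MDM_MAC_GROUP = "MDM-Managed-Devices"  # assumed endpoint identity group built from the MDM MAC list
MDM_AD_GROUP = "MDM-Users"             # assumed AD group of users who have an MDM-managed device


@dataclass(frozen=True)
class Session:
    """The attributes ISE sees for one authentication (constructed for the example)."""
    username: str                               # RADIUS:Username as sent by the supplicant
    ad_groups: frozenset = frozenset()          # AD groups of the authenticated user
    endpoint_groups: frozenset = frozenset()    # endpoint identity groups of the MAC
    mdm_registered: bool = None                 # None: ISE has never looked this endpoint up


def is_upn(username):
    """True when the username is user@AD_DOMAIN (what the MDM profile pre-populates),
    False for shortname or DOMAIN\\user, which is what a user typically types by hand."""
    pattern = rf"[^@\\/]+@{re.escape(AD_DOMAIN)}"
    return re.fullmatch(pattern, username, re.IGNORECASE) is not None


def needs_mdm_check(s):
    """Any one differentiator marks the session as an MDM device that must be checked."""
    return (MDM_MAC_GROUP in s.endpoint_groups
            or MDM_AD_GROUP in s.ad_groups
            or is_upn(s.username))


# Rules are (name, condition, result), evaluated top-down; the first match wins.
RULES = [
    # Only reachable once ISE has learned the MDM status via an earlier redirect.
    ("MDM-Registered", lambda s: s.mdm_registered is True, "Permit-Corp"),
    # Unknown or unregistered MDM device: redirect to the MDM portal.
    ("MDM-Redirect", lambda s: s.mdm_registered is not True and needs_mdm_check(s), "Redirect-to-MDM"),
    # Everything else is treated as BYOD and never sees the MDM flow.
    ("BYOD-Permit", lambda s: True, "Permit-BYOD"),
]


def authorize(session):
    """Return (rule name, authorization result) for the first matching rule."""
    for name, condition, result in RULES:
        if condition(session):
            return name, result
    raise AssertionError("unreachable: the last rule is a catch-all")


if __name__ == "__main__":
    cases = {
        "personal device, shortname":          Session("jdoe", ad_groups=frozenset({"Staff"})),
        "MDM profile (UPN), first connection": Session("jdoe@corp.example"),
        "MDM profile (UPN), already checked":  Session("jdoe@corp.example", mdm_registered=True),
        "MAC in MDM group, DOMAIN\\user":      Session("CORP\\jdoe", endpoint_groups=frozenset({MDM_MAC_GROUP})),
        "MDM user on a personal device":       Session("jdoe", ad_groups=frozenset({MDM_AD_GROUP})),
    }
    for label, session in cases.items():
        print(f"{label:40} -> {authorize(session)}")
```

The last two cases are the caveats from the thread expressed as policy outcomes: the MAC group is the only differentiator that is a property of the device rather than of the user or of what the user types, which is why it is the one that does not misfire on an MDM user's personal device.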
02-05-2016 08:09 AM
I would like to see the ability to just check MDM registration status without needing to be redirected.
If the device is registered, do one thing; if not, continue to the next rule.
02-05-2016 08:44 AM
With Multi-MDM functionality introduced in 1.4, it is not possible to check MDM status unless ISE "knows" which MDM server the endpoint is registered with. MDM Redirection is how ISE learns that an endpoint needs to be checked against the MDM server. Once this redirection occurs and ISE successfully looks up the endpoint in MDM, it will record the MDM name for that endpoint and no more redirections will be needed.
02-05-2016 09:07 AM
This enhancement is filed to improve this behaviour: https://tools.cisco.com/bugsearch/bug/CSCuv68500/?referring_site=ss
02-05-2016 09:17 AM
Thank you Viktor, that is what I was looking for. I ran into this recently with a customer; they only want to grant access based on MDM enrollment, but not force MDM enrollment.