cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1622
Views
0
Helpful
5
Replies

Airwatch MDM Multiple HTTP Redirects

Patrick Lloyd
Cisco Employee
Cisco Employee

Hi team,

We're seeing a weird behavior when it comes to Airwatch integration with ISE 2.0 unpatched, where a packet capture shows a redirection from a secure HTTP connection, to an insecure HTTP connection, and then back to a secure connection.  It looks as if ISE is trying to use an existing secured connection to send an insecure connection.  Including the packet capture in brief below, masked for customer anonymity.  Has anyone seen this before, is this expected behavior, and is it supported by ISE?

--2016-10-21 10:49:52--  https://cnPALLOYD.awmdm.com/ciscoise/mdminfo/

Resolving cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)... 123.30.123.110

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:443... connected.

HTTP request sent, awaiting response... 401 Unauthorized

Authentication selected: Basic realm="cnPALLOYD.awmdm.com"

Reusing existing connection to cnPALLOYD.awmdm.com:443.

HTTP request sent, awaiting response... 307 Temporary Redirect

Location: http://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/ [following]

--2016-10-21 10:49:52--  http://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: https://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/ [following]

--2016-10-21 10:49:52--  https://cnPALLOYD.awmdm.com/ciscoise/v1/ciscoise/registration/mdminfo/

Connecting to cnPALLOYD.awmdm.com (cnPALLOYD.awmdm.com)|123.30.123.110|:443... conn

5 Replies 5

howon
Cisco Employee
Cisco Employee

Can you provide nature of the issue? Which step are you seeing the traffic? Is the MDM flow failing?

We’re seeing that even a register to the Airwatch client servers from the ISE PSN results in multiple redirects, alternating between secured and unsecured HTTP. When we switched to another Airwatch deployment, it did work, and it remains secured, just wasn’t sure if this was expected or normal behavior that we’ve seen in the past.

Hi Patrick, could you pls fwd the screen shot of the MDM addition screen

The ADD MDM uses 443 for connection and it requires the AW certs to the uploaded in to ISE trusted store

Thanks

Imran.

Hi Imran,

Confirmed that the certs for the entire chain (GoDaddy) were imported, and 443 port was used. I don’t have the screen shots as this was done at a customer site last week. As soon as we changed to another Airwatch gateway, it worked, which is odd. I’ve seen a couple TAC cases which have implied that the upstream server might be at fault, and we’re waiting on Airwatch to indicate whether there’s something that needs to change on their end, i.e. server number.

arsasiku
Cisco Employee
Cisco Employee

Turns out to be the same issue with redirect.

https://cisco.jiveon.com/message/372759

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: