ISE 2.1+ SCCM MDM registration status to identify SOE vs. non-SOE?

Greg Gibbs
Cisco Employee

We are looking to potentially use the SCCM MDM Registration status as way to identify an SOE vs BYO machine (other methods like NAM with EAP-Chaining, EAP-TLS, etc, have all been rejected by the customer).


For a scenario in which both SOE (User or Machine auth) and non-SOE (User auth) authenticate via 802.1x:

Would it be feasible to use the 'MDM:DeviceRegistrationStatus EQUALS Registered' as condition to match to differentiate between a SOE and non-SOE machine (in a User auth state)?


We would potentially use this matching condition in AuthZ Policy, Client Provisioning Policy (AnyConnect vs. Temporal agent), and Posture Policy.


If this is feasible, can you provide more detail on how ISE would check the registration status via WMI for the machine on which the user is authenticating?

Accepted Solution

Craig Hyps
Level 10

Yes. This is possible.

You have correctly identified the correct MDM/DM attribute for registration status.

As noted in a separate thread, more details are available in BRKSEC-3697 (Cisco Live 2017 Melbourne - reference presentation on ciscolive.com). There are various posture options as well as profiling attributes which can be used to match on corp devices.

Craig


7 Replies

Timothy Abbott
Cisco Employee

Hi,

Not sure what you mean by SOE. Is this an endpoint owned by the customer's organization? You certainly can use MDM registration status as a means to differentiate between employee-owned and company-owned endpoints. Keep in mind, all company-owned endpoints would need to be pre-registered with the MDM. ISE doesn't use WMI to query the endpoint for MDM registration status. ISE has a separate connection to the MDM server and will query it during the authentication process to learn the endpoint's registration status. Just be sure to confirm the customer's MDM solution is compatible with ISE.

Regards,

-Tim

Hello, just for clarity, are you using SCCM or an actual MDM server like JAMF, MobileIron, etc.?

In regards to ISE working with SCCM (using the MDM flow), ISE uses WMI since that was the interface available when we developed the ISE -> SCCM integration (server to server).

Thanks
Imran

Hi Imran,

Yes, the question is related to using SCCM as an MDM (or Desktop Device Manager) in ISE 2.1+ (we would be testing against ISE 2.3).

What I want to confirm is if we can use this for a user-based auth flow like the following:

AuthC = 802.1x user

AuthZ = Wired 802.1x + AD Domain User + MDM:RegistrationStatus EQUALS Registered -> Result = Full Access

If so, what endpoint attribute does ISE use for the MDM Registration check?

Can it use any endpoint attribute learned from Profiling (DHCP/NMAP) such as the endpoint hostname, or is there something specific from the session?

I am looking to do something similar to this. This works better in a mixed environment as I am trying to pull registration status for both Windows and Mac machines from SCCM and JAMF. This way, the policies are uniform across both types of operating systems (rather than doing machine authentication for Windows alone). Would be interested to hear your experiences on this method.

Hi Rahul,

My customer is still working on standing up a test SCCM environment, so testing on the SCCM registration option has not commenced yet. That said, it should be pretty straightforward.

We did find an issue in testing with Casper/JAMF (or AirWatch) MDM registration checks for MacBooks. For wireless, the MDM registration works as expected since the wireless MAC address is burned-in. The problem comes for wired connections. Any MacBook for the past several years does not have a built-in wired NIC and relies on a dongle (USB, mini-port, etc.) for wired Ethernet. These dongle MAC addresses are not captured by the MDM as endpoint attributes, so when the MAC address is used to check MDM registration status, the MDM returns a not registered status.
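To make the wired-dongle failure mode concrete, here is a small model of the rule discussed in this thread (Wired 802.1X + AD domain user + MDM registered -> Full Access) with the MDM lookup keyed by the session MAC address, the way the posts above describe it. This is an added illustration written for this page; it is not ISE, SCCM or JAMF code. The inventory, session records, hostnames and MAC addresses are constructed sample data, and the MAC normalization step is an assumption about how a practitioner would reconcile the dashed, colon and dotted formats seen in RADIUS and MDM exports.

```python
"""Model of an authorization rule gated on an MDM registration lookup by MAC.

Added illustration, not ISE or any MDM vendor's code. All inventory and
session values below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed MDM inventory: the MDM only knows the MAC addresses enrolled
# with each device. The MacBook was enrolled over Wi-Fi, so only its
# built-in wireless NIC is on record; its USB Ethernet dongle is not.
MDM_INVENTORY = {
    "corp-win-01": {"00:11:22:aa:bb:01"},      # built-in wired NIC
    "corp-macbook-07": {"3c:22:fb:cc:dd:07"},  # built-in Wi-Fi NIC only
}


@dataclass
class Session:
    """The pieces of a RADIUS session the rule in the thread looks at."""
    mac: str            # Calling-Station-Id as seen by ISE
    wired: bool         # wired 802.1X vs. wireless
    domain_user: bool   # user authenticated against AD


def normalize_mac(mac: str) -> str:
    """Reduce 00-11-22-AA-BB-01, 0011.22aa.bb01 and 00:11:22:aa:bb:01 to one form.

    Assumption for this example: a lookup that compares raw strings would
    miss registered devices purely because of formatting differences.
    """
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mdm_registration_status(mac: str) -> str:
    """Look the session MAC up in the MDM inventory, as the MDM query does."""
    mac = normalize_mac(mac)
    for enrolled_macs in MDM_INVENTORY.values():
        if mac in enrolled_macs:
            return "Registered"
    return "NotRegistered"


def authorize(session: Session) -> str:
    """Wired 802.1X + AD domain user + MDM:DeviceRegistrationStatus EQUALS Registered."""
    if (session.wired and session.domain_user
            and mdm_registration_status(session.mac) == "Registered"):
        return "Full Access"
    return "Limited Access"


if __name__ == "__main__":
    # Corporate Windows desktop on its built-in NIC: registered, full access.
    print(authorize(Session("00-11-22-AA-BB-01", wired=True, domain_user=True)))
    # Same MacBook on a USB Ethernet dongle: the dongle MAC is not in the
    # MDM inventory, so the lookup says NotRegistered and the rule misses.
    print(authorize(Session("a0:ce:c8:11:22:33", wired=True, domain_user=True)))
```

The second session is the case the post above describes: the device is enrolled, but the MAC the switch reports belongs to the dongle, so a registration check keyed purely on the session MAC cannot tie the wired session back to the enrolled endpoint.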

Hi,

Thanks for that valuable information. I was just about to start testing on Casper and this did not strike me as a potential problem till now. Did you figure out another way to do a sort of "Machine Authorization" for Mac endpoints on the wired environment?

