topic Re: ISE in Network Access Control

ISE & Jamf

Jason Weids — Fri, 21 Feb 2020 19:04:20 GMT

We are trying a PoC to integrate Cisco ISE with Jamf Pro.

We have communication with the Jamf Pro server, have developed the authorization profile for unregistered & registered devices & can see that devices are getting the right policy but in the case of unregistered devices the redirect is not working.

Can anyone see what is missing?

Auth Profile

Auth Policy

Jamf Network Integration

WLC ACL

Re: ISE & Jamf

Timothy Abbott — Tue, 02 Apr 2019 16:53:09 GMT

The usual cause is the ACL on the controller isn't configured correctly. Without seeing the endpoint behavior it is hard to tell for sure. Is the URL showing up in the mobile device's browser?

Regards,
-Tim

Re: ISE & Jamf

Jason Weids — Wed, 03 Apr 2019 06:37:06 GMT

If you mean the enrol URL then no, it is also possible to browse to any web pages. The ACL I took from the Cisco documentation.

Re: ISE & Jamf

Jason Weids — Fri, 05 Apr 2019 12:15:18 GMT

Is there anyone who can provide some insight on this?

Re: ISE & Jamf

paul — Fri, 05 Apr 2019 13:26:37 GMT

I usually push back on doing MDM enrollment via ISE, but a few thoughts come to mind:

If you are using FlexConnect it is a completely different ACL and process to push that ACL out to the APs.
I doubt there is any explicit proxy in play but that would cause an issue.
Have you confirmed the redirect is getting applied on to the client session? Showing a screen shot of what ISE is sending doesn't really help. You should be looking at the client details on the WLC.
If you don't see the redirect condition on the WLC client side do you have the WLC properly configured for NAC on the advanced tab?

Re: ISE & Jamf

Jason Weids — Fri, 05 Apr 2019 14:51:31 GMT

Thanks for your reply.

Yes the client seems to be getting the ACL applied from the WLC but the URL doesn't look right it should be the FQDN/enrol

It looks like the URL its getting ISE in the auth profile.

Re: ISE & Jamf

paul — Fri, 05 Apr 2019 14:53:54 GMT

The client is not FlexConnect? You didn't show the top part of the client details so I couldn't tell if the client was local or flex.

Re: ISE & Jamf

Jason Weids — Fri, 05 Apr 2019 14:54:40 GMT

Its not flexconnect no.

Re: ISE & Jamf

paul — Fri, 05 Apr 2019 14:56:14 GMT

Nevermind, I see hits on your ACL so I assumed the client must be local mode and not FlexConnect. Your ACL looks to only be redirecting traffic to internal web sites. You are testing by going to internal web sites?

Re: ISE & Jamf

Jason Weids — Fri, 05 Apr 2019 14:58:45 GMT

No the website is hosted by Jamf but uses our domain name.

Re: ISE

paul — Fri, 05 Apr 2019 15:33:33 GMT

No that is not what I meant. In order to get redirected you need to hit one of your ACL deny lines. The only IPs you are redirecting is to internal IPs. If the user is not surfing to an internal web site they are not going to get redirected to the provisioning web site. I have a feeling you are surfing to Internet sites and think the setup is not working.

Re: ISE

Jason Weids — Fri, 05 Apr 2019 15:38:59 GMT

Ah I see, you could be correct. I took the ACL configuration from Cisco documentation but didn't understand why the first line allows everything out.

How would you suggest the ACL be changed?

Re: ISE

Jason Weids — Fri, 05 Apr 2019 15:57:28 GMT

Yes your right. I have tried going to an internal page from the client & I hit rule 8 & I'm redirected but the page fails to load.

The full URL looks like this & fails.

https://myapple.bathspa.ac.uk:8443/mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483

I can get to https://myapple.bathspa.ac.uk/enrol from the client though.

Re: ISE

paul — Fri, 05 Apr 2019 16:13:33 GMT

What are you trying to redirect? The first line is correct. We only care about the incoming traffic. If you are trying to redirect any web traffic then you would change the bottom rule to a deny.

Re: ISE

paul — Fri, 05 Apr 2019 16:46:33 GMT

It looks like you are incorrectly putting the FQDN of myapple.bathspa.ac.uk in your redirect profile. You need to bring the traffic to ISE first and make sure your redirect ACL allows traffic to your ISE nodes. The URL you are seeing is the ISE MDM portal:

mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483

Re: ISE

Jason Weids — Mon, 08 Apr 2019 08:26:03 GMT

Thanks Paul,

I'm almost there.

I removed the tick in the profile that was inserting the wrong URL.

The redirect is now going to the ISE MDM portal.

After accepting the the Ts & Cs & clicking on enrol it then goes to the Jamf enrolment page which is exactly what we want.

This was only when going to an internal page though. It is not redirecting when going to the internet so there is something not right with my ACL.