topic Re: On-prem MDM with unknown MAC Address in Network Access Control

On-prem MDM with unknown MAC Address

chbuey — Fri, 20 Oct 2017 19:18:21 GMT

Hey All,

I wanted to get some feedback on what's beginning to be a more common scenario, especially with the new release of MacBooks requiring the use of dongles exclusively for wired networks.

Consider this scenario:

New MacBook with only Wifi registers against an MDM server. The MDM server records the MAC address, the serial number, version, etc.
Users takes endpoint to work, performs a wireless authentication, and since the Wifi mac is stored in the MDM server ISE can look up the endpoint and user gets full network access.
User transitions to ethernet, but this requires a dongle. ISE attempts to do the lookup, but since the endpoint was registered without the dongle present, MDM cannot locate this specific endpoint and the endpoints registration/compliance statuses cannot be pulled.

At this point, everything appears to be functioning as expected, but there has to be a better solution than forcing endpoints to re-enroll with MDM while their specific dongle is plugged in. Is there a solution or talks in progress to address this specific use cases with Apple (or any) endpoints that require dongles for network access?

I remember facing a similar issue with VPN authentications when Apple/Google started hiding/randomizing the mac address, and as a result we now the queries with the UDID. But since these are on-prem authentications failing, it's impossible to pull these extra values from a dot1x/mab authentication.

Thanks!

Chad

Re: On-prem MDM with unknown MAC Address

Nidhi — Sat, 21 Oct 2017 16:03:19 GMT

Hello Chad,

I will be researching on this. Will reply back on this post soon .

Thanks,

Nidhi

Re: On-prem MDM with unknown MAC Address

Network Engineering — Sat, 21 Oct 2017 17:30:23 GMT

I am running into the exact same issue with my deployment. Macbooks + tunderbolt dongle results in a failed MDM lookup everytime. We just gave up on wired MDM enforcement. Pretty sad this was overlooked on the design side.

Re: On-prem MDM with unknown MAC Address

pkinjaram — Tue, 24 Oct 2017 15:22:13 GMT

What kind of mac management software are you using in your environment?

Re: On-prem MDM with unknown MAC Address

pkinjaram — Tue, 24 Oct 2017 15:25:07 GMT

Any update on this?

Re: On-prem MDM with unknown MAC Address

Network Engineering — Tue, 24 Oct 2017 16:27:57 GMT

I'm using Casper Suite (JAMF). I suspect the original poster is as well as it's the most common Mac management software.

Re: On-prem MDM with unknown MAC Address

pkinjaram — Tue, 24 Oct 2017 18:03:01 GMT

We are using Casper as well, Chad from Cisco opened the case based on the TAC case we've opened.

JAMF suggesting us to install Any connect ISE compliance module to resolve the wired deployment issue. Looking further into it.

Re: On-prem MDM with unknown MAC Address

Network Engineering — Tue, 24 Oct 2017 18:45:21 GMT

We have the ise-compliance module installed as that is required for posture which is also required in our environment. The issue we have is not with posture, it's with MDM registration enforcement. We enforce MDM registration with JAMF for Macbooks on our network. The way MDM registration enforcement works between ISE and JAMF is that ISE will query JAMF via its API integration for the MAC address of the connecting endpoint. Modern macbooks don't have wired ports thus every Macbook uses a dongle of some sort to connect. The Macbook dongles do not exist in MDM resulting in the MDM returning not-registered for the device.

Our users are highly mobile and do not have static desks or static dongles. We've had to disable MDM registration enforcement for wired.

Re: On-prem MDM with unknown MAC Address

Jason Kunst — Tue, 24 Oct 2017 19:01:54 GMT

They don’t even use the same dongle everytime?

Is there a way to pre-register the dongles to the user in JAMF?

Re: On-prem MDM with unknown MAC Address

Dustin Anderson — Tue, 24 Oct 2017 19:27:26 GMT

We ran into a similar issue today, but I don't think it's an ISE issue as ISE just asks JAMF if this MAC is compliant and get a compliant, non-compliant, or unknown device response. It seems to be JAMF and having multiple MAC's for a device. The one I saw was a mac, dongle, and dock, so 3 MACs

Re: On-prem MDM with unknown MAC Address

Network Engineering — Tue, 24 Oct 2017 20:00:38 GMT

Our desks are not permanent desks assigned to users so users float between desks all the time. The desks themselves have either dongles, or docks. So, multiple users could use the same dongle or doc throughout the week. It would be nice if the JAMF query was always done with the WiFi MAC as that is the only consistent MAC address on most Macbooks now since they lack wired ports.

Re: On-prem MDM with unknown MAC Address

Dustin Anderson — Tue, 24 Oct 2017 20:43:57 GMT

I could see that if you are running some kind of agent, but if not, you can only get the MAC on the network.

Personally, I want them to start using domain certs so I can not care about JAMF.

Re: On-prem MDM with unknown MAC Address

Jason Kunst — Tue, 24 Oct 2017 20:53:49 GMT

Wow that's a lot of mac addresses for a single JAMF MDM profile to manage. And then you have multiple machines showing the same mac address depending on where the user moves from one to another desk. .

I agree we have no visibility of wireless mac when connecting via wired, there would need to be an agent that translated the MAC address.

A couple other options:

Deploy ISE posture Anyconnect System Scan to manage wired compliance.
Don't run wired.
Require users to have their own dongle so that its unique and stays with them

I asked our SME imbashir to also see if he had any ideas.

There would need to be an enhancement to address without the need for MAC address, please reach out to JAMF and ISE Product Managers

Re: On-prem MDM with unknown MAC Address

Network Engineering — Tue, 24 Oct 2017 22:18:06 GMT

Our workforce is extremely mobile. Most users travel internationally between offices on a weekly or monthly basis.

Deploy ISE posture Anyconnect System Scan to manage wired compliance.

This doesn't address the issue of checking for MDM registration.

Don't run wired.

This is a requirement from the business.

Require users to have their own dongle so that its unique and stays with them

This unfortunately is not how the business is architected and Apple has moved wired ports into the Apple Monitors. Most large enterprise Apple Macbook environments are using apple monitors that double as docks with ethernet ports. As users move around their going to be using different Apple monitors and thus different ethernet ports. When desks don't have Apple monitors, they would then use whatever dongle is available.

My recommendation would be to have the compliance module when installed, share the UDID with the MDM Registration checking process since ISE, JAMF, and the compliance module know the UDID.

I've spoken with imbashir psd and mschmitz before on addressing some high priority bugs in the past and they have been pretty quick in addressing issues in the past.

Re: On-prem MDM with unknown MAC Address

Jason Kunst — Tue, 24 Oct 2017 22:44:08 GMT

This will be an enhancement to both ISE and the MDM provider , it’s not a bug like the other gentleman said

I have forwarded it along