https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516711#M523275 <HTML><HEAD></HEAD><BODY><P>Correct they will be redirected and if compliant will get a COA and then be granted full access without redirect. This maybe still dependent on the vendor but this is the best scenario, best to lab it up with specific vendor and understand how it works as well.</P><P></P><P>Wired redirection example can be grabbed from posture or guest examples here is one came up with a search</P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html" title="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html">Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco</A></P></BODY></HTML> Wed, 02 Aug 2017 16:12:52 GMT Jason Kunst 2017-08-02T16:12:52Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516708#M523272 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Using ISE2.2P2 at customer site. They would like to check status for wired endpoints(Apple MAC) if it is registered with MDM to give final access. These endpoints are already enrolled for MDM off-prem, so is MDM redirection policy is required in ISE, for ISE to learn endpoint status first time ?</P><P></P><P>I have tried without MDM redirection authz policy and things are not working ?</P><P></P><P>Having hard time figuring out redirection policy if required .. redirect acl and actual redirection Authz profile and policy. </P></BODY></HTML> Tue, 01 Aug 2017 20:57:56 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516708#M523272 Parag Mahajan 2017-08-01T20:57:56Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516709#M523273 <HTML><HEAD></HEAD><BODY><P>Mdm redirection is required to onboard the device as MDM Registered</P><P></P><P></P><P></P><P>http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#ID434</P><P></P><P></P><P>There are also how to guides</P><P></P><P>Check under http://cs.co/ise-community look at mdm section</P><P></P><P>Meraki I believe has a more seamless integration, there is a guide about that also</P></BODY></HTML> Tue, 01 Aug 2017 22:59:36 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516709#M523273 Jason Kunst 2017-08-01T22:59:36Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516710#M523274 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Thanks for the reply. Referring to the same link. Highlighted text in image looks confusing. What will be the user experience in this case.</P><P></P><P>These users who are already enrolled with MDM&nbsp; outside ISE, still will be redirected but how will be they greeted on Splash page ? Will they directly get page saying that 'you have already enrolled with MDM....' . I am trying to work on this<STRONG> wired dot1X use case</STRONG> but integration guide does not talk about wired redirection acl. Could you please provide some pointer what config need to be there on switch. We are NOT doing wireless authentication through ISE.</P><P><IMG __jive_id="109880" alt="mdm flow.png" class="image-1 jive-image" height="273" src="/legacyfs/online/fusion/109880_mdm flow.png" style="height: 273px; width: 734.726px;" width="735" /></P></BODY></HTML> Tue, 01 Aug 2017 23:47:08 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516710#M523274 Parag Mahajan 2017-08-01T23:47:08Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516711#M523275 <HTML><HEAD></HEAD><BODY><P>Correct they will be redirected and if compliant will get a COA and then be granted full access without redirect. This maybe still dependent on the vendor but this is the best scenario, best to lab it up with specific vendor and understand how it works as well.</P><P></P><P>Wired redirection example can be grabbed from posture or guest examples here is one came up with a search</P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html" title="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html">Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco</A></P></BODY></HTML> Wed, 02 Aug 2017 16:12:52 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516711#M523275 Jason Kunst 2017-08-02T16:12:52Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516712#M523276 <HTML><HEAD></HEAD><BODY><P>we redirect with many MDM/EMM what are you trying with as well?</P></BODY></HTML> Wed, 02 Aug 2017 16:13:52 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516712#M523276 Jason Kunst 2017-08-02T16:13:52Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516713#M523277 <HTML><HEAD></HEAD><BODY><P>Hi Jason.</P><P></P><P>Really thanks for the reply... We are trying to use <SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;">JAMF version 9.96.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;">I got you, i will take reference of the link. So looks like I need to configure redirection acl in switch as well as downloadable Acl in ISE.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;">So in short , Need to permit&nbsp; <SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;">JAMF IP in dacl and </SPAN> need to deny JAMF IP in redirection acl right ?</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri',sans-serif; color: black;"><BR /></SPAN></P><P></P></BODY></HTML> Wed, 02 Aug 2017 16:24:01 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516713#M523277 Parag Mahajan 2017-08-02T16:24:01Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516714#M523278 <HTML><HEAD></HEAD><BODY><P>Same as wireless just the opposite ☺</P></BODY></HTML> Wed, 02 Aug 2017 16:27:39 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516714#M523278 Jason Kunst 2017-08-02T16:27:39Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516715#M523280 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>As per my understanding, It's not feasible. We are using JAMF Pro (Casper) as MDM, what we observed that JAMF does not capture wired MAC address in its db.</P><P></P><P>Also apple MAC machines now does not have Ethernet port, so they need to attach to thunderbolt adapter which has its own MAC address. So even with different MDM provider if wired MAC address get captured, it will not be true identity of machine.</P><P></P><P>Need to document this observation somewhere, so people will be aware if they have similar requirement.</P></BODY></HTML> Fri, 18 Aug 2017 04:50:02 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3516715#M523280 Parag Mahajan 2017-08-18T04:50:02Z https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3825497#M523282 <P>Hi Jason,</P><P>&nbsp;</P><P>I have been following this for a PoC of ISE &amp; Jamf integration;</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html#ID259" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html#ID259</A></P><P>&nbsp;</P><P>It says configure ACL on the WLC for the redirect. Is this the same ACL that the guest policy uses to redirect to ISE or is it a different ACL? If so what should this ACL look like?</P> Mon, 25 Mar 2019 11:39:14 GMT https://community.cisco.com/t5/network-access-control/is-mdm-redirection-necessary-for-ise2-2p2-for-endpoints-already/m-p/3825497#M523282 Jason Weids 2019-03-25T11:39:14Z