topic I get the generic "Connection in Network Access Control

ISE and AirWatch MDM Integration

Wes Schochet — Mon, 11 Mar 2019 06:05:35 GMT

I have been using ISE with the AirWatch integration for over a year. Recently, it seems that AirWatch has updated their certs and now I cannot get ISE and AirWatch to communicate. I can access the AirWatch API URLs through a browser and I see that the browser is using TLS 1.2. According to Cisco TAC, ISE does not support TLS 1.2. I have cases open with both TACs, but have not found a resolution yet.

Does anyone have ISE / Airwatch integration working currently?

Wes,I have a customer who

Tim Steele — Thu, 24 Sep 2015 15:25:23 GMT

Wes,

I have a customer who experienced what sounds like the same issue. It came down to AirWatch changing the host he was using. It was a long trek to get to the right answer but when AirWatch changed the host, things started working again. It took him multiple calls with AirWatch before someone got the idea to make that change.

Hope that helps.

Tim

Actually, I have been testing

smp — Thu, 24 Sep 2015 15:30:16 GMT

Actually, I have been testing this integration recently and overcame a number of obstacles. What is the message you get when you test the integration?

Adminstration > (Network Resources) External MDM > select the entry and click the Edit button, click the Test Connection button.

I get the generic "Connection

Wes Schochet — Thu, 24 Sep 2015 16:55:43 GMT

I get the generic "Connection Failed: Please check the connection parameters." when I try to test. I have logging turned up for MDM and when I take a look at the log (ise-psc.log), I see Java errors around connections being reset:

isco.cpm.mdm.util.MdmRESTClient -:ce139402:9843967F63C7331B896A1505F5F29711:::- Connection Failed:
java.net.SocketException: Connection reset

This is consistent with the packet capture where you see the connection request attempt, then a "Change Cipher Spec" message, the a connection reset. See the attached pic.

Thanks for your help!

Just got a response from the

smp — Thu, 24 Sep 2015 18:24:20 GMT

Just got a response from the support engineer. Try sending this to your AirWatch contact:

“It was basically an issue with the redirect. We configured the API URL to redirect to the necessary pool and it started working fine."

This looks very similar to a

smp — Thu, 24 Sep 2015 18:25:35 GMT

This looks very similar to a trace we had. The SSL handshake is successful actually, but as soon their webserver receives the GET request from ISE, it resets the connection. The tech support guy I was working with had to communicate with his internal support organization to get it fixed, but I don't believe he ever game me a technical explanation of what they had to do. Let me reach out to him and get back to you.

Another thing you might want to try is test the connection with OpenSSL. You need to know the hostname of your endpoint, and the Base64-encoded username/password they provided you in the format <username>:<password>. There are lots of sites to encode this string - http://www.motobit.com/util/base64-decoder-encoder.asp is one.

With those two pieces of infomation, jump on a system with openssl and make the connection:

openssl s_client -connect <FQDN of your AirWatch endpoint>:443

If the connection was successful, you'll cursor will be sitting at a blank line waiting for input. Type in the HTTP request manually, like this:

GET /ciscoise/mdminfo HTTP/1.1
Host: <FQDN of your AirWatch endpoint>
Authorization: Basic <Base64 encoded AirWatch credentials>

Then hit enter twice to send it. Look at the response code/headers, and output data - it should be XML output.

[Edit - added more detail]