ISE 2.0 MDM integration question

josgarza, Level 1

Hi experts,

I have a Use Case for ISE 2.0 and MDM integration. The customer wants to allow BYOD devices (PEAPMSCHAP) and also MDM managed devices (PeapMschap)

How can we prevent BYOD devices from hitting the MDM query rule the first time, while still providing a smooth authentication process (avoiding redirection portals to register the device)?

Example:

If a BYOD device connects, its MDM registration status will equal “Unregistered”. Hence, it will get stuck in the policy that queries the MDM.

Any ideas are very welcome.

Regards,


9 Replies

howon, Cisco Employee

Jose, if you want differentiated policies on the same SSID, then you will need something else to differentiate those two device use cases. You mentioned PEAP/MSCHAPv2, so if the users are different then you can use user groups to provide BYOD vs. MDM policies. If you know the MAC addresses of the MDM device groups, then you could create a special MAB group so that MDM devices go through the MDM policy while non-MDM devices are exempted from the flow. There may be other differentiators, but these are a few options based on your posting.

Hosuk

Thanks Hosuk,

Just like you mentioned, I was thinking of proposing that they export the current MAC address list from their MDM. The only con is that they will now need to update the list in two places (MDM and ISE).

On the other hand, I guess having different AD groups will prevent MDM users from connecting using their personal (non-MDM) devices (?).

Thanks for your help

Are both devices in the MDM?

Which MDM are they using?

If it is a supported MDM you can integrate it with ISE. You will have to create a redirect that will redirect the devices to the MDM server the first time they connect, even if they are already registered with MDM. This allows the ISE server to verify that the Device is part of MDM and any other MDM attributes you want to check for.

Thanks Cory,

The MDM is AirWatch and no, both devices are not in MDM, and that's exactly the problem: preventing the non-MDM devices from hitting the redirection policy.

I will ask the customer if he's OK with importing the MAC address list into ISE.

Thanks for your comments.

One potential option is to format the username in a different way depending on whether the device is MDM or not. In AirWatch, you can prepopulate the username field with the user's UPN, as shown on the screenshot below. If users connect manually, they would use the short name or domain\username format. In the AuthZ policy, you could look for @domainname in RADIUS:Username to identify connections provisioned with MDM. Of course, nothing will stop the user from entering the UPN manually, but they may be less likely to do that if they're used to a short name.

Thanks

[Screenshot: 2016-02-05_10-54-11.jpg]
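The username-format heuristic suggested above, written out as an added example (not code from the thread or from ISE/AirWatch): it classifies a RADIUS username the way an AuthZ condition on RADIUS:Username would, matching the UPN suffix against one expected domain rather than any "@", so a UPN in a foreign domain is not treated as MDM-provisioned. The domain `example.com` and the sample usernames are constructed.

```python
import re

# Constructed example domain; the customer's real domain is not given in the thread.
CORP_DOMAIN = "example.com"

# user@domain (UPN), as AirWatch would prepopulate it
UPN_RE = re.compile(r"^(?P<user>[^@\\/\s]+)@(?P<domain>[^@\s]+)$")
# DOMAIN\user (down-level logon name), as a user might type manually
DOWNLEVEL_RE = re.compile(r"^(?P<domain>[^\\/\s]+)\\(?P<user>[^\\/\s]+)$")
# bare short name, the other manual format mentioned in the thread
SHORTNAME_RE = re.compile(r"^[^@\\/\s]+$")


def classify_radius_username(username: str, corp_domain: str = CORP_DOMAIN) -> str:
    """Return which policy branch a username would select:

    'mdm'     - UPN whose domain equals corp_domain (MDM-provisioned profile)
    'byod'    - DOMAIN\\user or bare short name (typed manually)
    'unknown' - anything else, e.g. a UPN in a different domain or empty input

    This is only a heuristic, as the thread notes: a user can still type the
    UPN by hand, so it must not be the sole gate for MDM-only access.
    """
    name = username.strip()
    m = UPN_RE.match(name)
    if m:
        # Exact, case-insensitive domain compare: user@evil-example.com is not MDM.
        return "mdm" if m.group("domain").lower() == corp_domain.lower() else "unknown"
    if DOWNLEVEL_RE.match(name) or SHORTNAME_RE.match(name):
        return "byod"
    return "unknown"


def classify_many(usernames):
    """Classify a batch of constructed RADIUS:Username values."""
    return {u: classify_radius_username(u) for u in usernames}


if __name__ == "__main__":
    sample = ["jsmith@example.com", "CORP\\jsmith", "jsmith", "jsmith@other.com"]
    for user, branch in classify_many(sample).items():
        print(f"{user!r:28} -> {branch}")
```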

I would like to see the ability to just check MDM registration status without needing to be redirected.

If the device is registered, do one thing; if not, continue to the next rule.

With Multi-MDM functionality introduced in 1.4, it is not possible to check MDM status unless ISE "knows" which MDM server the endpoint is registered with. MDM Redirection is how ISE learns that an endpoint needs to be checked against the MDM server. Once this redirection occurs and ISE successfully looks up the endpoint in MDM, it will record the MDM name for that endpoint and no more redirections will be needed.

This enhancement is filed to improve this behaviour: https://tools.cisco.com/bugsearch/bug/CSCuv68500/?referring_site=ss

Thank you, Viktor. That is what I was looking for. I ran into this recently with a customer; they only want to grant access based on MDM enrollment, but not force MDM enrollment.
