I used to do it that way but

lmediavilla · ‎05-27-2016

Hello in 2.0 and 2.0.1 cisco ise release notes we can read this

Mobile Device Management Enhancements
Cisco ISE 2.0.1 allows endpoints that were enrolled on an active MDM server outside of an ISE network
to connect to an ISE network without needing to re-enroll with the MDM server.
When the endpoint connects to the ISE network, the MDM portal queries the MDM server for the
endpoint. If the server returns the endpoint as compliant, ISE issues a change of authorization and allows
the endpoint on the network. If the endpoint is not enrolled with the MDM server, it will have to go
through the enrollment process.

Basicly I can enroll the devices outside the MDM but when I have a rule to check te compliance (MDM is up of course), compliance devices on the mdm don't match it and some devices totally unregistered match that rule but doesn't apply the "deny all"
I've tried device registered, device compliance, both at the same time and I don't have a good result.

Do I still need to use the redirect authorizacion policy?, is there any new integration guide for airwatch and Cisco ISE 2.0?

regards

nspasov · ‎06-04-2016

Hi there, a couple of things:

- Can you post screenshots of your Authorization rules?

- Let us know which Authorization rule is being hit by endpoints that are not compliant/MDM registered

Thank you for rating helpful posts!

michaellperrin · ‎06-14-2016

You still need to use an MDM redirect policy.

When the user connects they will have to launch browser, they will hit the MDM portal. At that time ISE will query Airwatch, if, then status:registered it will add that to the endpoint profile and then issue a COA. Then it will hit your rule. If it's not registered they can choose proceed with MDM registration and be forwarded to Airwatch. Once complete it will mark the device as registered and issue COA

Im not sure if can do this without an Airspace ACL though.

lmediavilla · ‎06-15-2016

hello, We don't need the MDM_Redirect policy any more, I've checked on the MDM and the problem is that andorid uses different ports than IOS, so when I check the device on the MDM it was the red cloud, after some firewall changes it turned into green it worked without any result rule that points to the MDM just the conditions.

thank you for your support

michaellperrin · ‎06-15-2016

I would be curious to see how you did this.

If I delete an endpoint that is MDM registered and rejoin it, it hits the MDM redirect then says you're device is registered then issues a COA and hits one of the rules above.

How did you get ISE to query MDM without using the MDM-Redirect?

I'm using ISE 2.0.0.306

lmediavilla · ‎06-15-2016

I think with the authoriztion rule that ask if the device is register it will ask the mdm without any result mdm_redirect. The thing is what would it do if I have two mdms?

I upgraded the ISE just because of this feature, so I don't need URL-ACLS or to know all google and apple ips to use regular acls.

Registered work, unregistered doesn't work. I'm fine with that.

michaellperrin · ‎06-15-2016

I know with mine, even if a devices is registered with Airwatch, if ISE has never seen it, it hit's the MDM-Redirect rule and that's when the API calls is made to Airwatch.

I would be curious how you are doing this without the redirect.

lmediavilla · ‎06-16-2016

I used to do it that way but since I don't have the same version on all WLC and to update some of them I will have problems with old aps the solution is this, if any auth rule asks if the device exist on the mdm it will ask the mdms of the list of MDM you have.

I was waiting for this feature for a long time.

lmediavilla · ‎06-14-2016

I've updated to 2.1 with the same issue, I resume

If I do the onboard outside ISE, apple phones are detected as registered quick, android phones don't

Since I cannot use URL-ACLs on all my WLC I would like to do the onboard outside ISE.

Cisco ise 2.0 Airwatch MDM registration out of ISE