08-01-2017 01:57 PM
Hi,
Using ISE 2.2 P2 at a customer site. They would like to check the status of wired endpoints (Apple Macs), i.e. whether they are registered with the MDM, before giving final access. These endpoints are already enrolled with the MDM off-prem, so is an MDM redirection policy required in ISE for ISE to learn the endpoint status the first time?
I have tried without an MDM redirection authz policy and things are not working.
Having a hard time figuring out the redirection policy, if required: the redirect ACL and the actual redirection authz profile and policy.
08-01-2017 03:59 PM
MDM redirection is required to onboard the device as MDM Registered.
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#ID434
There are also how-to guides.
Check under http://cs.co/ise-community; look at the MDM section.
Meraki, I believe, has a more seamless integration; there is a guide about that also.
08-01-2017 04:47 PM
Hi Jason,
Thanks for the reply. I am referring to the same link. The highlighted text in the image looks confusing. What will the user experience be in this case?
These users, who are already enrolled with the MDM outside ISE, will still be redirected, but how will they be greeted on the splash page? Will they directly get a page saying 'you have already enrolled with MDM...'? I am trying to work on this wired dot1X use case, but the integration guide does not talk about a wired redirection ACL. Could you please provide some pointers on what config needs to be on the switch? We are NOT doing wireless authentication through ISE.
08-02-2017 09:12 AM
Correct, they will be redirected and, if compliant, will get a CoA and then be granted full access without redirect. This may still be dependent on the vendor, but this is the best scenario; best to lab it up with the specific vendor and understand how it works as well.
A wired redirection example can be grabbed from the posture or guest examples; here is one that came up with a search:
Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco
08-02-2017 09:13 AM
We redirect with many MDM/EMMs; which one are you trying with?
08-02-2017 09:24 AM
Hi Jason.
Really, thanks for the reply... We are trying to use JAMF version 9.96.
I got you; I will take reference from the link. So it looks like I need to configure a redirection ACL on the switch as well as a downloadable ACL in ISE.
So in short, I need to permit the JAMF IP in the dACL and deny the JAMF IP in the redirection ACL, right?
08-02-2017 09:27 AM
Same as wireless just the opposite ☺
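The wired redirect flow described in this thread (redirect ACL on the switch, mirror-image dACL in ISE, CoA once the endpoint shows as MDM Registered), written out as an added configuration example. This is not from any post above and not Cisco's or Jamf's own guide text. The addresses, ACL names and interface are assumptions: 10.0.0.10 stands in for the ISE PSN and 10.0.0.20 for the Jamf Pro server. On IOS the redirect ACL is the "opposite" of the dACL: a permit entry means "intercept and redirect this traffic to the portal", a deny entry means "pass it through untouched", so ISE and the MDM server are denied in the redirect ACL and permitted in the dACL.

```cisco
! --- Switch side (IOS). Addresses are placeholders (assumption):
!     10.0.0.10 = ISE PSN, 10.0.0.20 = Jamf Pro server.
!
! Redirect ACL, referenced by name from the ISE authorization profile.
! permit = intercept and redirect to the ISE portal
! deny   = pass through without redirection (DHCP, DNS, ISE, MDM server)
ip access-list extended MDM-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 10.0.0.10
 deny   ip  any host 10.0.0.20
 permit tcp any any eq www
 permit tcp any any eq 443

! The switch must terminate the intercepted HTTP/HTTPS session itself and
! must know the client's IP-to-MAC binding to apply the redirect.
ip http server
ip http secure-server
ip device tracking

! RADIUS to ISE, plus dynamic authorization (CoA) from ISE, which is what
! moves the session from the redirect profile to full access once the
! endpoint is reported as MDM Registered / Compliant.
aaa new-model
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.0.0.10 server-key <shared-secret>
radius-server vsa send authentication
dot1x system-auth-control

! Access port running dot1x with MAB fallback (interface is an assumption).
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator

! --- ISE side. Contents of the downloadable ACL (dACL) attached to the
!     "MDM redirect" authorization profile. Mirror image of the redirect
!     ACL: ISE and the MDM server are permitted here so the endpoint can
!     reach the portal and the MDM server while everything else is blocked.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip  any host 10.0.0.10
permit ip  any host 10.0.0.20
permit tcp any any eq 80
permit tcp any any eq 443
deny   ip  any any
```

In the ISE authorization profile, the redirect is selected under Web Redirection (CWA, MDM, NSP, CPP) as MDM Redirect, with the ACL field set to the switch-side name (MDM-REDIRECT here) and the dACL above attached to the same profile. A typical pair of authorization rules then sends endpoints whose MDM DeviceRegisterStatus is not Registered to this redirect profile, and endpoints that are Registered with DeviceCompliantStatus Compliant to the full-access profile; the CoA from ISE re-authorizes the session once the MDM API reports the change. Two practical caveats: if the Jamf server is hosted rather than a single on-prem IP, the host entries must cover whatever addresses its name resolves to, and, as the later post in this thread notes, the lookup is keyed on the endpoint MAC that the MDM holds, so a USB or Thunderbolt Ethernet adapter with its own MAC will not match.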
08-17-2017 09:50 PM
Hi Jason,
As per my understanding, it's not feasible. We are using JAMF Pro (Casper) as the MDM, and what we observed is that JAMF does not capture the wired MAC address in its DB.
Also, Apple Mac machines now do not have an Ethernet port, so they need to attach a Thunderbolt adapter, which has its own MAC address. So even with a different MDM provider, if the wired MAC address gets captured, it will not be the true identity of the machine.
Need to document this observation somewhere, so people will be aware if they have a similar requirement.
03-25-2019 04:39 AM
Hi Jason,
I have been following this for a PoC of ISE & Jamf integration.
It says to configure an ACL on the WLC for the redirect. Is this the same ACL that the guest policy uses to redirect to ISE, or is it a different ACL? If so, what should this ACL look like?