
ISE 1.4 and AirWatch

Joseph Johnson
Level 1

I am trying to connect my demo ISE server (release 1.4, patch 5) to an AirWatch MDM (8.2.1.0). Testing the MDM connection fails with "404:Not Found" error.

  1. From the ISE CLI, I can resolve the AirWatch server URL and ping it by name and IP.
  2. Both servers are on the same network but different subnets.
  3. There is no firewall between the servers.
  4. Clients on the network can access the AirWatch admin site using a web browser.

I have verified that I am using the correct login credentials. The certificate used by AirWatch, as well as the certificate authority, has been imported into the Trusted Certificates store.

I'm at a loss. I have set this up before but with older versions of ISE (1.2) and AirWatch. This is the guide I used that worked before:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/AirWatchISE.html

11 Replies

Jatin Katyal
Cisco Employee

The most likely cause of an HTML 404 error code is that an instance was configured when it was not required or that the wrong instance has been configured. I was facing the same issue a few days ago. Removing the instance fixed the issue.

~ Jatin

How do I remove the instance? I've tried looking online but nothing is showing up.

When you log in to ISE > administration > network resources > external MDM > edit the MDM entry > under MDM server details you will see a field "Instance Name" - remove any value that you have entered there and test again.

~ Jatin

There isn't anything in that field. I thought maybe you were talking about something on the AirWatch server.

Let's do this:

1. Are we sure that TCP port 443 is open between ISE and the MDM server? Can you try

telnet <MDM-SERVER> 443

2. If that works fine then set the "external-mdm" logging component at debug level by going to administration > debug log configuration > edit the node.

Run this command on ISE via CLI using "show logging application ise-psc.log tail" (without quotes)

Click on test connection again under external MDM.

Capture the logs to see if we have any additional info there.

~ Jatin

1. I can telnet from another server on the same VLAN that the ISE node resides to the AirWatch server. I can't from the ISE node because it marks the 443 at the end as an invalid entry. I can ping the AirWatch server from the ISE node.

2. Here are the logs (URL changed for AirWatch server):

2016-01-23 08:43:08,231 INFO   [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- GET: MDM Server URL: https://<AirWatch Server>:443/ciscoise/mdminfo/?ise_api_version=2

2016-01-23 08:43:08,422 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 4

2016-01-23 08:43:09,537 ERROR  [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- Error message while connecting to MDM server : Failed to connect to MDM Server  : 404 Not Found

2016-01-23 08:43:11,327 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -::::PDPInitialization:- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0

2016-01-23 08:43:14,539 WARN   [admin-http-pool193][] cisco.cpm.mdm.apiimpl.MDMVerifyServer -:admin:9D9252A56C8735081C824E193700D9BF:::- MDMVerifyServer, unable to retrieve proxy settings from MdmSettings.

2016-01-23 08:43:14,539 INFO   [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- GET: MDM Server URL: https://<AirWatch Server>:443/ciscoise/mdminfo

2016-01-23 08:43:14,544 ERROR  [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- Error message while connecting to MDM server : Failed to connect to MDM Server  : 404 Not Found

2016-01-23 08:43:14,545 ERROR  [admin-http-pool193][] cpm.admin.mdm.action.MDMServerAction -:admin:9D9252A56C8735081C824E193700D9BF:::- Inside verify() : exceptionMsg = Connection Failed: 404:Not Found: the MDM server is not reachable

I tested the path (https://<AirWatch Server>:443/ciscoise/mdminfo) using a web browser, received a login prompt, logged in, and it shows a 404 error. This leads me to believe it's an AirWatch issue or something was changed in ISE that points to the wrong directory.
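Added example, not part of the thread and not Cisco or AirWatch code: a small Python triage script that pairs each `MdmRESTClient` GET in `ise-psc.log` with the failure logged on the same thread and reports which layer to check. An HTTP status such as 404 means a web server answered, so the fault is in the path rather than the network. The hostname `mdm.example.test` and the verdict wording are assumptions; the log layout is taken from the lines quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the thread, with the placeholder host
# mdm.example.test standing in for the redacted "<AirWatch Server>".
SAMPLE_LOG = """\
2016-01-23 08:43:08,231 INFO   [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- GET: MDM Server URL: https://mdm.example.test:443/ciscoise/mdminfo/?ise_api_version=2
2016-01-23 08:43:08,422 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 4
2016-01-23 08:43:09,537 ERROR  [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- Error message while connecting to MDM server : Failed to connect to MDM Server  : 404 Not Found
2016-01-23 08:43:14,539 INFO   [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- GET: MDM Server URL: https://mdm.example.test:443/ciscoise/mdminfo
2016-01-23 08:43:14,544 ERROR  [admin-http-pool193][] cisco.cpm.mdm.util.MdmRESTClient -:admin:9D9252A56C8735081C824E193700D9BF:::- Error message while connecting to MDM server : Failed to connect to MDM Server  : 404 Not Found
"""

# Layout: timestamp, level, [thread][], logger class, -context-, message
LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+\[(?P<thread>[^\]]+)\]\[\] "
                  r"(?P<cls>\S+) -\S*- (?P<msg>.*)$")
GET_PREFIX = "GET: MDM Server URL: "
FAILED = "Failed to connect to MDM Server"
STATUS = re.compile(r":\s*(\d{3})\b")


def classify(status):
    """Map the HTTP status (or None) to the layer worth checking next."""
    if status is None:
        return "no HTTP response: check DNS, routing, TCP 443 and certificate trust"
    if status == 404:
        return "web server answered, path not served: check the MDM-side endpoint"
    if status in (401, 403):
        return "web server answered, request refused: check the API account"
    return "web server answered with HTTP %d" % status


def pair_mdm_requests(log_text):
    """Pair each MdmRESTClient GET with the next failure on the same thread."""
    pending, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["cls"].endswith("MdmRESTClient"):
            continue  # skip unrelated loggers such as AbandonedTransactionReaper
        msg = m["msg"]
        if msg.startswith(GET_PREFIX):
            pending[m["thread"]] = urlsplit(msg[len(GET_PREFIX):].strip())
        elif FAILED in msg and m["thread"] in pending:
            url = pending.pop(m["thread"])
            hit = STATUS.search(msg.split(FAILED, 1)[1])
            status = int(hit.group(1)) if hit else None
            results.append({"ts": m["ts"], "path": url.path, "query": url.query,
                            "status": status, "verdict": classify(status)})
    return results
```

Calling `pair_mdm_requests()` on a saved copy of the debug log returns one record per attempted URL, which separates the versioned and unversioned `mdminfo` probes that ISE makes during a connection test.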

One of my customers informed me that the ISE API is no longer installed by default on the AirWatch installation, so make sure it's there; this could also lead to the same problem.

~ Jatin

I am working with AirWatch support right now to find out if the API is there or missing. Someone else set up the AirWatch demo server so I'm not sure what was or wasn't installed.

For anyone that wants to know, the two URLs that ISE is trying to connect to are:

https://<AirWatch Server>/ciscoise/mdminfo/?ise_api_version=2
https://<AirWatch Server>/ciscoise/mdminfo/

Hopefully those are correct and something didn't get changed in the latest version of AirWatch.

OK, would be anxious to know if they find something different in your setup.

~ Jatin

Joseph Johnson
Level 1

The issue turned out to be a missing rewrite rule. The AirWatch installer did not set up the rewrite rule properly inside IIS (with the rewrite module installed). The rewrite module for the AirWatch site showed no rules at all. Once the rewrite rule was manually entered, the ISE node was able to properly authenticate the AirWatch server so I could add it as an external MDM source.

I guess that's what my customer was referring to. Thanks for sharing with the community. Appreciate it. ~ Jatin
