07-08-2016 07:50 AM
I am facing an issue with Airwatch and ISE 2.0.1. ISE is referencing an MDM server (the MDM and mobile are doing registration separately from ISE; ISE is only checking validation of registration and compliance) where it will make an API call and check if the register and compliant flag is valid. If it is, MDM will return the value and hit the authz policy for permit all, but if it is not, it will hit an Internet-only policy. Out of six devices I have tested, only three are working by hitting the permit all rules (two iPhone 5 and one Android), but when I checked the iPhones that are not working, they have the same settings as the ones that are working and it even says Airwatch registration and compliant is successful. The iPhones that are not working are iPhone 6. The working and non-working are all running the same iOS version 9.3.2.
I have also created an authz rule for unknown devices in ISE to redirect to the MDM portal, but when the iPhone hits the redirect rule it could show that it is trying the redirect but the page is not returning. On the WLC, the ACL referencing the MDM and ISE server is not getting hit; only the DNS and deny all is getting hit. If I copy the session URL and paste it in a laptop browser, I am able to browse to the MDM landing page.
07-08-2016 05:01 PM
Hi Benjamin,
Does the ACL on the WLC have all the ISE PSNs on port 8443? The redirect to MDM will load the initial page from ISE before redirecting to the ACL.
Thanks
07-08-2016 07:07 PM
Victor
Yes, all the PSNs are included in the ACL and I currently have them as any services.
Thanks
Benjamin Gajadar
Engineer-Network
Cisco System Limited
07-08-2016 07:33 PM
While connected to the SSID, try manually pointing the browser at https://PSNIP:8443/mdmportal/PortalSetup.action?portal=MDM%20Portal%20(default). See if that loads for you.
07-12-2016 08:54 PM
@John, yes, captive portal is enabled.
@Viktor, customer has a wireless issue, thus will retest after.
Will keep you posted and thanks for your help.
07-10-2016 10:13 AM
Hey Benjamin,
Do you have Captive Portal Bypass enabled? http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116041-solution-apple-osx-00.html
Thanks,
John