
ISE 2.6 and MDM integration

biomalle
Cisco Employee

A partner is doing a Cisco ISE 2.6 deployment for a client and they have a lot of MacBook devices that use network dongles to connect to the wired network. The MacBook devices are registered with the MDM service (JAMF). The registration process was done through Wi-Fi, thus registering the MacBook's Wi-Fi MAC address with MDM.

When a device connects to the network, the 802.1x protocol includes the MAC address of the device trying to connect to the network (in this case the MAC address of the network dongle, e.g. 56:12:56:12:56:12), which is not registered in MDM. The result is that the MDM says the device is not registered/compliant because it can't find it.

The partner came across this article from 2017: https://community.cisco.com/t5/network-access-control/on-prem-mdm-with-unknown-mac-address/td-p/3488066

The question here is: is this still on a roadmap, or is there a workaround for this?

Accepted Solutions

Greg Gibbs
Cisco Employee

See these similar posts regarding the common issue of using wired dongles and MDM compliance checks:

MDM registration 

ISE/JAMF MDM Attributes

There is currently support for using the UDID generated by AnyConnect for MDM compliance checks, but this is not yet supported for Wired/Wireless flows.

Most customers I have worked with have opted to refrain from using MDM checks on Wired MacBook sessions and only rely on certificate-based authentication for now.

 

Roadmap is not discussed on this public forum. If you want info on the roadmap for UDID support, post your question on the internal cs.co/ise-pm community.


3 Replies


Hi Greg,

I would just like to ask if there is any development on this one. Is there now a way to use UDID for MDM checks on Wired/Wireless networks?

Regards,

Jayson

There have been no enhancements on using UDID for Wired/Wireless networks.

 

For Windows PCs, ISE 3.0 does provide the ability to use dot1x certificate CN/SAN values as identity for checking compliance/registration against SCCM. See the Configure Device Identifiers for Windows Endpoints section of the ISE 3.0 Admin Guide for more information.

There is currently no equivalent for this on other MDM vendors.