ISE 3.1 / JAMF Integration - attribute lookups

YC2
Level 1

We are using ISE 3.1 Patch 5 with JAMF integration, using EAP-TLS authentication with ADCS for the PKI. Wireless works consistently. Wired is very hit and miss... much more miss than hit. The external MDM setup in ISE is set for SAN URI - GUID. The Legacy MAC address and the CN GUID options are unchecked.

With the external-mdm logging level set to trace, I'm watching the ise-psc log. When it works, ISE queries JAMF via the GUID. When it fails, ISE queries JAMF via the wired USB dongle MAC address.

I've queried JAMF directly via HTTPS in a browser and the behavior matches. Via MAC address, it returns not enrolled. Via GUID, it returns enrolled. Come to discover, this is a limit of JAMF inventory: JAMF doesn't inventory external device addresses. I can go down that route and try to solve that, but that's a question for another forum.

The question here for y'all is: why is ISE attempting to query JAMF with the MAC address at all, when the MDM is set for SAN URI - GUID only? On the failed attempts when it uses the MAC address, it clearly has the GUID already, as it's in the live log under the identity column. So why not use it, as it's been told to?

Accepted Solution

Ok, so.... I finally got d1x then MAB fallback to work. Whoever invented this IBNS madness.... grrr.

So... recap.

D1x only port = ISE queries JAMF by GUID, d1x success

D1x / MAB fallback port = ISE queries JAMF by GUID, d1x success

D1x / MAB simultaneous port = ISE registers the MAB hit first, queries JAMF by non-existent dongle MAC address, d1x subsequently runs and fails

My ASSumption is: ISE is caching the non-compliant response from the MAB hit and ignores or doesn't query once the d1x hit comes along. The MDM setup page has a timer you can set where ISE does not query the MDM again if an authentication occurs within this period for the same endpoint. The lowest you can set it is 1 min, and it doesn't appear you can do 0 or disable it. Seems like this is what's causing the issue with simultaneous MAB/d1x triggers.

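For readers who want to reproduce the two port behaviours the accepted solution compares, here is an added illustration (not the poster's switch configuration) of what "simultaneous" and "dot1x then MAB fallback" look like in IOS-XE IBNS 2.0 syntax. The interface, class-map and policy-map names are assumptions; the `agent-found` event is the part that matters for the USB-dongle case described in this thread, because it lets the switch tear down a MAB session and re-run 802.1X if a supplicant shows up after link comes up.

```ios
! ---- Variant A: the "simultaneous" behaviour the poster saw fail ----
! do-all starts dot1x and MAB at the same time; whichever answers first
! (usually MAB, since it needs no supplicant) hits ISE first, and ISE
! then has only the dongle MAC to hand to the MDM lookup.
policy-map type control subscriber PM_CONCURRENT_1X_MAB
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20

! ---- Variant B: dot1x first, MAB only as a fallback ----
! Class-maps that recognise "no supplicant answered" vs "supplicant failed".
class-map type control subscriber match-all CM_DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all CM_DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

policy-map type control subscriber PM_DOT1X_THEN_MAB
 ! Only dot1x runs when the session starts.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 ! MAB is attempted only after dot1x has given up or failed.
 event authentication-failure match-first
  10 class CM_DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class CM_DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! If a supplicant appears later (e.g. the Mac finishes enumerating the
 ! USB NIC after MAB already ran), drop the MAB session and redo dot1x,
 ! so the EAP-TLS identity (and its GUID) reaches ISE.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

! Apply the fallback policy to the access port (interface name assumed).
interface GigabitEthernet1/0/10
 switchport mode access
 access-session port-control auto
 access-session closed
 dot1x pae authenticator
 mab
 service-policy type control subscriber PM_DOT1X_THEN_MAB
```

Swapping `PM_DOT1X_THEN_MAB` for `PM_CONCURRENT_1X_MAB` on the interface is enough to reproduce the MAB-first-then-dot1x-fails sequence the poster describes. Note that the ISE-side MDM re-query timer the accepted solution mentions has a 1-minute floor per that post, so even with the fallback policy a MAB hit that slips in first can shadow the dot1x result for that window; that is the reason to keep MAB out of the initial session-started event rather than relying on priority alone.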

5 Replies

YC2
Level 1

I've sent logs to TAC and am waiting for a response. In the meantime, I'm stumped. I don't know what good those options are when setting up an MDM if it seems to ignore them. I mean, if they were all enabled, I can understand it skipping one and going to the other if it wasn't available, but in this case the GUID is available and is the only option enabled.

poongarg
Cisco Employee

Check if you are hitting the defect below:

Make MDM API V3 cert string case insensitive

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe38610

It should be fixed in upcoming patches.

thomas
Cisco Employee

Not going to spend time duplicating TAC efforts since they will have superior configuration and log and error information.

Please do post the resolution when done.

YC2
Level 1

So I've made some headway. The 3650 is running MAB and dot1x simultaneously. In the live log it looks like there's a MAB hit, then 1-200 ms later a d1x hit. Interestingly enough, the d1x is first in the policy map. Maybe it just takes longer to respond and register in ISE.

If I set the port to do d1x only and no MAB, everything works. It looks like maybe the MAB hit is what's forcing ISE to query JAMF with the MAC. That sort of makes sense, as the MAC is the only thing available (no cert, GUID, etc.) in MAB.... but again, ISE shouldn't be querying the MDM with any MACs. Maybe ISE receives the deny from the MAB hit, caches it, and doesn't really process the allow hit from the d1x attempt.

I've also tried setting MAB to run after d1x as a fallback. MAB won't run at all this way, d1x just cycles... that's a separate issue.
