
ISE & Jamf

Jason Weids
Level 1

We are trying a PoC to integrate Cisco ISE with Jamf Pro.


We have communication with the Jamf Pro server, have developed the authorization profile for unregistered & registered devices, and can see that devices are getting the right policy, but in the case of unregistered devices the redirect is not working.


Can anyone see what is missing?


Auth Profile [screenshot Capture.PNG]

Auth Policy [screenshot Capture1.PNG]

Jamf Network Integration [screenshot Capture2.PNG]

WLC ACL [screenshot Capture4.PNG]

15 Replies

Timothy Abbott
Cisco Employee
The usual cause is the ACL on the controller isn't configured correctly. Without seeing the endpoint behavior it is hard to tell for sure. Is the URL showing up in the mobile device's browser?

Regards,
-Tim

If you mean the enrol URL then no, it is also possible to browse to any web pages. The ACL I took from the Cisco documentation.

Jason Weids
Level 1

Is there anyone who can provide some insight on this?

I usually push back on doing MDM enrollment via ISE, but a few thoughts come to mind:

  1. If you are using FlexConnect it is a completely different ACL and process to push that ACL out to the APs.
  2. I doubt there is any explicit proxy in play but that would cause an issue.
  3. Have you confirmed the redirect is getting applied on to the client session? Showing a screen shot of what ISE is sending doesn't really help. You should be looking at the client details on the WLC.
  4. If you don't see the redirect condition on the WLC client side do you have the WLC properly configured for NAC on the advanced tab?

Thanks for your reply.


Yes, the client seems to be getting the ACL applied from the WLC, but the URL doesn't look right; it should be the FQDN/enrol.

It looks like the URL it's getting is ISE in the auth profile.

[screenshot Capture.PNG]

The client is not FlexConnect? You didn't show the top part of the client details so I couldn't tell if the client was local or flex.

It's not FlexConnect, no.

Never mind, I see hits on your ACL so I assumed the client must be local mode and not FlexConnect. Your ACL looks to only be redirecting traffic to internal web sites. You are testing by going to internal web sites?

No the website is hosted by Jamf but uses our domain name.

No, that is not what I meant. In order to get redirected you need to hit one of your ACL deny lines. The only IPs you are redirecting are internal IPs. If the user is not surfing to an internal web site they are not going to get redirected to the provisioning web site. I have a feeling you are surfing to Internet sites and think the setup is not working.

Ah I see, you could be correct. I took the ACL configuration from Cisco documentation but didn't understand why the first line allows everything out.


How would you suggest the ACL be changed?

What are you trying to redirect? The first line is correct. We only care about the incoming traffic. If you are trying to redirect any web traffic then you would change the bottom rule to a deny.


Yes, you're right. I have tried going to an internal page from the client & I hit rule 8 & I'm redirected, but the page fails to load.


The full URL looks like this & fails.


https://myapple.bathspa.ac.uk:8443/mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483


I can get to https://myapple.bathspa.ac.uk/enrol from the client though.

It looks like you are incorrectly putting the FQDN of myapple.bathspa.ac.uk in your redirect profile. You need to bring the traffic to ISE first and make sure your redirect ACL allows traffic to your ISE nodes. The URL you are seeing is the ISE MDM portal:

mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483
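To make the redirect-ACL behaviour discussed in the thread concrete (deny lines trigger the redirect, permit lines pass traffic untouched, and the ISE nodes must be permitted so the portal itself is reachable), here is an added Python model that is not part of the thread or of any Cisco or Jamf code; the ACL lines, the ISE node address and the client destinations are constructed, and the end-of-list behaviour is assumed to be an implicit deny.

```python
# Added example: models how a WLC redirect ACL decides whether a client's web
# flow is redirected to the ISE portal. "permit" = pass through, "deny" =
# redirect (WLC redirect-ACL semantics as described in the thread).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str      # "permit" or "deny"
    direction: str   # "in" (client -> network), "out" (network -> client), "any"
    dst: str         # destination network in CIDR notation
    dport: Optional[int] = None  # destination TCP port, None = any port

def evaluate(acl, direction, dst_ip, dport, implicit="deny"):
    """Return 'redirect' or 'pass' for one flow; first matching rule wins.
    `implicit` models the end-of-list rule (assumed deny, i.e. redirect)."""
    addr = ip_address(dst_ip)
    for r in acl:
        if r.direction not in ("any", direction):
            continue
        if addr not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return "redirect" if r.action == "deny" else "pass"
    return "redirect" if implicit == "deny" else "pass"

ISE_PSN = "10.10.10.5/32"   # constructed ISE policy node address
INTERNAL = "10.0.0.0/8"     # constructed internal address range

# ACL shaped like the one in the thread: line 1 permits everything outbound,
# the deny line only covers internal web servers, the bottom rule permits the rest.
AS_POSTED = [
    Rule("permit", "out", "0.0.0.0/0"),
    Rule("permit", "in", ISE_PSN, 8443),
    Rule("deny", "in", INTERNAL, 80),
    Rule("permit", "in", "0.0.0.0/0"),
]
# Same ACL with the bottom rule changed to deny, so any web traffic redirects.
REDIRECT_ALL_WEB = AS_POSTED[:-1] + [Rule("deny", "in", "0.0.0.0/0")]
# Variant that forgot to permit the ISE node: the portal itself gets redirected.
MISSING_ISE_PERMIT = [r for r in REDIRECT_ALL_WEB if r.dst != ISE_PSN]

def client_flows(acl):
    """Outcome for three constructed client destinations under a given ACL."""
    return {
        "internet": evaluate(acl, "in", "203.0.113.10", 80),
        "internal": evaluate(acl, "in", "10.20.30.40", 80),
        "ise_portal": evaluate(acl, "in", "10.10.10.5", 8443),
    }
```

Running `client_flows` over the three ACLs shows the posted ACL redirecting only internal sites, the corrected one redirecting Internet browsing too, and the variant without the ISE permit sending the portal flow back into the redirect.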