Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2549
Views
25
Helpful
15
Replies

ISE & Jamf

Jason Weids
Level 1
Level 1

‎04-02-2019 08:11 AM - edited ‎02-21-2020 11:04 AM

We are trying a PoC to integrate Cisco ISE with Jamf Pro.

 

We have communication with the Jamf Pro server, have developed the authorization profile for unregistered & registered devices & can see that devices are getting the right policy but in the case of unregistered devices the redirect is not working.

 

Can anyone see what is missing?

 

Auth Profile

Capture.PNG

 

Auth Policy

Capture1.PNG

 

Jamf Network Integration

Capture2.PNG

 

WLC ACL

Capture4.PNG

0 Helpful
15 Replies 15

Timothy Abbott
Cisco Employee
Cisco Employee

‎04-02-2019 09:53 AM

The usual cause is the ACL on the controller isn't configured correctly. Without seeing the endpoint behavior it is hard to tell for sure. Is the URL showing up in the mobile device's browser?

Regards,
-Tim

Jason Weids
Level 1
Level 1
In response to Timothy Abbott

‎04-02-2019 11:37 PM

If you mean the enrol URL then no, it is also possible to browse to any web pages. The ACL I took from the Cisco documentation.

0 Helpful

Jason Weids
Level 1
Level 1

‎04-05-2019 05:15 AM

Is there anyone who can provide some insight on this?

0 Helpful

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 06:26 AM

I usually push back on doing MDM enrollment via ISE, but a few thoughts come to mind:

  1. If you are using FlexConnect it is a completely different ACL and process to push that ACL out to the APs.
  2. I doubt there is any explicit proxy in play but that would cause an issue.
  3. Have you confirmed the redirect is getting applied on to the client session?  Showing a screen shot of what ISE is sending doesn't really help.  You should be looking at the client details on the WLC.
  4. If you don't see the redirect condition on the WLC client side do you have the WLC properly configured for NAC on the advanced tab?

Jason Weids
Level 1
Level 1
In response to paul

‎04-05-2019 07:51 AM

Thanks for your reply.

 

Yes the client seems to be getting the ACL applied from the WLC but the URL doesn't look right it should be the FQDN/enrol

 

It looks like the URL its getting ISE in the auth profile.

 

Capture.PNG

0 Helpful

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 07:53 AM

The client is not FlexConnect?  You didn't show the top part of the client details so I couldn't tell if the client was local or flex.

0 Helpful

Jason Weids
Level 1
Level 1
In response to paul

‎04-05-2019 07:54 AM

Its not flexconnect no.

0 Helpful

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 07:56 AM

Nevermind, I see hits on your ACL so I assumed the client must be local mode and not FlexConnect.  Your ACL looks to only be redirecting traffic to internal web sites.  You are testing by going to internal web sites?

0 Helpful

Jason Weids
Level 1
Level 1
In response to paul

‎04-05-2019 07:58 AM

No the website is hosted by Jamf but uses our domain name.

0 Helpful

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 08:33 AM

No that is not what I meant. In order to get redirected you need to hit one of your ACL deny lines. The only IPs you are redirecting is to internal IPs. If the user is not surfing to an internal web site they are not going to get redirected to the provisioning web site. I have a feeling you are surfing to Internet sites and think the setup is not working.

Jason Weids
Level 1
Level 1
In response to paul

‎04-05-2019 08:38 AM

Ah I see, you could be correct. I took the ACL configuration from Cisco documentation but didn't understand why the first line allows everything out.

 

How would you suggest the ACL be changed?

0 Helpful

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 09:13 AM

What are you trying to redirect? The first line is correct. We only care about the incoming traffic. If you are trying to redirect any web traffic then you would change the bottom rule to a deny.


0 Helpful

Jason Weids
Level 1
Level 1
In response to paul

‎04-05-2019 08:57 AM

Yes your right. I have tried going to an internal page from the client & I hit rule 8 & I'm redirected but the page fails to load.

 

The full URL looks like this & fails.

 

https://myapple.bathspa.ac.uk:8443/mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483

 

I can get to https://myapple.bathspa.ac.uk/enrol from the client though.

paul
Level 10
Level 10
In response to Jason Weids

‎04-05-2019 09:46 AM

It looks like you are incorrectly putting the FQDN of myapple.bathspa.ac.uk in your redirect profile. You need to bring the traffic to ISE first and make sure your redirect ACL allows traffic to your ISE nodes. The URL you are seeing is the ISE MDM portal:

mdmportal/gateway?sessionId=ac170170000001065ca7689c&portal=f1260c00-7159-11e7-a355-005056aba474&action=mdm&token=a8dd544b1283a55a4ea8a48ed068b483










Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents