09-24-2015 07:56 AM - edited 03-10-2019 11:05 PM
I have been using ISE with the AirWatch integration for over a year. Recently, it seems that AirWatch has updated their certs and now I cannot get ISE and AirWatch to communicate. I can access the AirWatch API URLs through a browser and I see that the browser is using TLS 1.2. According to Cisco TAC, ISE does not support TLS 1.2. I have cases open with both TACs, but have not found a resolution yet.
Does anyone have ISE / Airwatch integration working currently?
09-24-2015 08:25 AM
Wes,
I have a customer who experienced what sounds like the same issue. It came down to AirWatch changing the host he was using. It was a long trek to get to the right answer but when AirWatch changed the host, things started working again. It took him multiple calls with AirWatch before someone got the idea to make that change.
Hope that helps.
Tim
09-24-2015 08:30 AM
Actually, I have been testing this integration recently and overcame a number of obstacles. What is the message you get when you test the integration?
Administration > (Network Resources) External MDM > select the entry and click the Edit button, click the Test Connection button.
09-24-2015 09:55 AM
I get the generic "Connection Failed: Please check the connection parameters." when I try to test. I have logging turned up for MDM and when I take a look at the log (ise-psc.log), I see Java errors around connections being reset:
isco.cpm.mdm.util.MdmRESTClient -:ce139402:9843967F63C7331B896A1505F5F29711:::- Connection Failed:
java.net.SocketException: Connection reset
This is consistent with the packet capture where you see the connection request attempt, then a "Change Cipher Spec" message, then a connection reset. See the attached pic.
Thanks for your help!
09-24-2015 11:24 AM
Just got a response from the support engineer. Try sending this to your AirWatch contact:
"It was basically an issue with the redirect. We configured the API URL to redirect to the necessary pool and it started working fine."
09-24-2015 11:25 AM
This looks very similar to a trace we had. The SSL handshake is successful actually, but as soon as their webserver receives the GET request from ISE, it resets the connection. The tech support guy I was working with had to communicate with his internal support organization to get it fixed, but I don't believe he ever gave me a technical explanation of what they had to do. Let me reach out to him and get back to you.
Another thing you might want to try is test the connection with OpenSSL. You need to know the hostname of your endpoint, and the Base64-encoded username/password they provided you in the format <username>:<password>. There are lots of sites to encode this string - http://www.motobit.com/util/base64-decoder-encoder.asp is one.
With those two pieces of information, jump on a system with openssl and make the connection:
openssl s_client -connect <FQDN of your AirWatch endpoint>:443
If the connection was successful, your cursor will be sitting at a blank line waiting for input. Type in the HTTP request manually, like this:
GET /ciscoise/mdminfo HTTP/1.1
Host: <FQDN of your AirWatch endpoint>
Authorization: Basic <Base64 encoded AirWatch credentials>
Then hit enter twice to send it. Look at the response code/headers, and output data - it should be XML output.
[Edit - added more detail]
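The manual check described in the post above, scripted as an added example that is not part of the original thread: it encodes the credentials locally, sends the same GET through openssl s_client, and reports whether the failure is in the TLS handshake or only after the request is sent. The function names, the added "Connection: close" header and the reliance on s_client's exit status are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Host and credentials are supplied by the caller.

# Encode "<username>:<password>" locally instead of pasting it into a website.
basic_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The request typed by hand in the post, with CRLF line endings.
# "Connection: close" is an addition so the scripted session ends by itself.
build_request() {
    printf 'GET /ciscoise/mdminfo HTTP/1.1\r\nHost: %s\r\n' "$1"
    printf 'Authorization: Basic %s\r\nConnection: close\r\n\r\n' \
        "$(basic_auth_token "$2" "$3")"
}

# Print the status code of the first HTTP status line on stdin, if any.
http_status() {
    sed -n 's|^HTTP/1\.[01] \([0-9][0-9][0-9]\).*|\1|p' | head -n 1
}

# $1 = exit status of the handshake-only run, $2 = text returned after the GET.
classify() {
    if [ "$1" -ne 0 ]; then echo "tls-handshake-failed"; return 0; fi
    code=$(printf '%s\n' "$2" | http_status)
    if [ -z "$code" ]; then
        echo "no-http-reply-after-handshake"   # the symptom described in this thread
    else
        echo "http-$code"
    fi
}

# probe <host> <username> <password>
probe() {
    # Step 1: handshake only. Assumption: s_client exits non-zero when it fails.
    if openssl s_client -connect "$1:443" -servername "$1" </dev/null >/dev/null 2>&1
    then hs=0; else hs=1; fi
    resp=
    if [ "$hs" -eq 0 ]; then
        # Step 2: send the request; -quiet keeps the session open until the server closes.
        resp=$(build_request "$1" "$2" "$3" |
            openssl s_client -quiet -connect "$1:443" -servername "$1" 2>/dev/null) || true
    fi
    classify "$hs" "$resp"
}
```

Source the file and call probe with the endpoint FQDN and the API credentials; a result of no-http-reply-after-handshake matches the reset-after-GET behaviour described in the thread.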