ISE and AirWatch MDM Integration

I have been using ISE with the AirWatch integration for over a year.  Recently, it seems that AirWatch has updated their certs and now I cannot get ISE and AirWatch to communicate.  I can access the AirWatch API URLs through a browser and I see that the browser is using TLS 1.2.     According to Cisco TAC, ISE does not support TLS 1.2.  I have cases open with both TACs, but have not found a resolution yet. 

Does anyone have ISE / AirWatch integration working currently?

1 ACCEPTED SOLUTION


Wes,

I have a customer who experienced what sounds like the same issue.  It came down to AirWatch changing the host he was using. It was a long trek to get to the right answer but when AirWatch changed the host, things started working again.  It took him multiple calls with AirWatch before someone got the idea to make that change. 

Hope that helps.

Tim


Highlighted

Actually, I have been testing this integration recently and overcame a number of obstacles. What is the message you get when you test the integration?

Administration > (Network Resources) External MDM > select the entry and click the Edit button, click the Test Connection button.

Highlighted

I get the generic "Connection Failed: Please check the connection parameters."  when I try to test.  I have logging turned up for MDM and when I take a look at the log (ise-psc.log), I see Java errors around connections being reset:

isco.cpm.mdm.util.MdmRESTClient -:ce139402:9843967F63C7331B896A1505F5F29711:::- Connection Failed:
java.net.SocketException: Connection reset

 

This is consistent with the packet capture where you see the connection request attempt, then a "Change Cipher Spec" message, then a connection reset.  See the attached pic.

 

Thanks for your help!

Highlighted

Just got a response from the support engineer. Try sending this to your AirWatch contact:

"It was basically an issue with the redirect. We configured the API URL to redirect to the necessary pool and it started working fine."

Highlighted

This looks very similar to a trace we had. The SSL handshake is successful actually, but as soon as their webserver receives the GET request from ISE, it resets the connection. The tech support guy I was working with had to communicate with his internal support organization to get it fixed, but I don't believe he ever gave me a technical explanation of what they had to do. Let me reach out to him and get back to you.

Another thing you might want to try is test the connection with OpenSSL. You need to know the hostname of your endpoint, and the Base64-encoded username/password they provided you in the format <username>:<password>. There are lots of sites to encode this string - http://www.motobit.com/util/base64-decoder-encoder.asp is one.

 

With those two pieces of information, jump on a system with openssl and make the connection:

openssl s_client -connect <FQDN of your AirWatch endpoint>:443

If the connection was successful, your cursor will be sitting at a blank line waiting for input. Type in the HTTP request manually, like this:

GET /ciscoise/mdminfo HTTP/1.1
Host: <FQDN of your AirWatch endpoint>
Authorization: Basic <Base64 encoded AirWatch credentials>

Then hit enter twice to send it. Look at the response code/headers, and output data - it should be XML output.

 

[Edit - added more detail]
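
A scripted version of the OpenSSL test described in the reply above, as an added example that is not part of the original posts: it encodes the credentials locally, sends the same GET request once per TLS protocol version, and prints the HTTP status line for each, so a version-specific handshake failure can be told apart from a reset after the request. The variable names AW_HOST, AW_USER and AW_PASS, the function names, and the extra "Connection: close" header are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example. AW_HOST / AW_USER / AW_PASS and all function names are
# assumptions of this sketch, not names used by ISE or AirWatch.

# Base64-encode "<username>:<password>" locally for the Authorization header.
b64_credentials() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Build the raw HTTP request from the post. Lines end in CRLF and an empty
# line terminates the headers. "Connection: close" is added here so the
# server closes the socket after replying and openssl exits.
build_request() {   # $1 = host, $2 = base64 credentials
    printf 'GET /ciscoise/mdminfo HTTP/1.1\r\n'
    printf 'Host: %s\r\n' "$1"
    printf 'Authorization: Basic %s\r\n' "$2"
    printf 'Connection: close\r\n\r\n'
}

# Send the request over a single TLS protocol version and print only the
# first line of the reply (the HTTP status line). Empty output means the
# handshake failed or the peer reset the connection before answering.
probe() {   # $1 = host, $2 = openssl protocol flag, $3 = base64 credentials
    build_request "$1" "$3" |
        openssl s_client -quiet "$2" -connect "$1:443" -servername "$1" 2>/dev/null |
        head -n 1
}

# Only touch the network when a host is supplied in the environment.
if [ -n "${AW_HOST:-}" ]; then
    creds=$(b64_credentials "${AW_USER:-}" "${AW_PASS:-}")
    for flag in -tls1 -tls1_1 -tls1_2; do
        status=$(probe "$AW_HOST" "$flag" "$creds")
        printf '%-8s %s\n' "$flag" "${status:-no HTTP response (handshake failed or reset)}"
    done
fi
```

Run it as `AW_HOST=<FQDN of your AirWatch endpoint> AW_USER=... AW_PASS=... bash script.sh`; some OpenSSL builds omit the older protocol flags, in which case that row reports no response.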