Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1836
Views
0
Helpful
2
Replies

ise integration with airwatch issue

nareh84
Level 3
Level 3

‎11-13-2020 01:47 AM

hi

 

 

i have ise (2.6.0.156) installed and integrated with airwatch. on airwatch i can see the windows client as compliant. but device is not able to connect and i can see following in radius logs.

 

24211Found Endpoint in Internal Endpoints IDStore
15048Queried PIP - MDM.DeviceCompliantStatus
15016Selected Authorization Profile - Quarantined_Systems,DenyAccess
15016Selected Authorization Profile - Quarantined_Systems,DenyAccess
15039Rejected per authorization profile
12306PEAP authentication succeeded
11503Prepared EAP-Success
11003Returned RADIUS Access-Reject

 

I suspect that ise is not querying airwatch regarding the compliance of device because when i choose operation > report > endpoint and user  > external mobile device manager> when i filter based on mac address, i dont see any record.

while for other clients which are successful to connect to wifi, i am able to see their record in report.

 

for successful client i can see following

 

Found Endpoint in Internal Endpoints IDStore
Queried PIP - MDM.DeviceCompliantStatus
Selected Authorization Profile - Employees,PermitAccess
Selected Authorization Profile - Employees,PermitAccess
Max sessions policy passed
New accounting session created in Session cache
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept
0 Helpful
2 Replies 2

hslai
Cisco Employee
Cisco Employee

‎11-14-2020 02:40 PM

I would suggest to provide some limited access instead of DenyAccess, which results in Access-Reject. When an endpoint is not online, there is no point to check its compliant status.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎11-16-2020 09:48 PM

From the step data, it looks like the session is hitting the wrong AuthZ Profile. We would need to understand more about your AuthZ Policies, but I'm guessing this is because the MDM condition match is not hitting so the correct AuthZ Policy is not being matched.

Is there a difference between the working and non-working endpoints (e.g. Wired vs. Wireless connections, etc)?

Keep in mind that the ISE MDM API uses the endpoint MAC Address to query the MDM server. If this is a Wired connection, the MDM needs to have the Wired NIC MAC Address associated with the endpoint. This is further complicated by newer laptops not having built-in Wired NICs and instead using dongles.

For further troubleshooting, you can enabled the MDM-related debug logs, duplicate the issue, and have a look at the MDM request/response in the ise-psc.log. For more detailed troubleshooting, you might be best opening a TAC case.

0 Helpful
Customers Also Viewed These Support Documents