ise integration with airwatch issue

nareh84
Level 3

Hi,

I have ISE (2.6.0.156) installed and integrated with AirWatch. On AirWatch I can see the Windows client as compliant, but the device is not able to connect, and I can see the following in the RADIUS logs:


24211 Found Endpoint in Internal Endpoints IDStore
15048 Queried PIP - MDM.DeviceCompliantStatus
15016 Selected Authorization Profile - Quarantined_Systems,DenyAccess
15016 Selected Authorization Profile - Quarantined_Systems,DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject


I suspect that ISE is not querying AirWatch regarding the compliance of the device, because when I choose Operation > Report > Endpoint and User > External Mobile Device Manager and filter based on MAC address, I don't see any record.

For other clients which successfully connect to Wi-Fi, I am able to see their record in the report.


For a successful client I can see the following:


Found Endpoint in Internal Endpoints IDStore
Queried PIP - MDM.DeviceCompliantStatus
Selected Authorization Profile - Employees,PermitAccess
Selected Authorization Profile - Employees,PermitAccess
Max sessions policy passed
New accounting session created in Session cache
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept

hslai
Cisco Employee

I would suggest providing some limited access instead of DenyAccess, which results in Access-Reject. When an endpoint is not online, there is no point in checking its compliance status.

Greg Gibbs
Cisco Employee

From the step data, it looks like the session is hitting the wrong AuthZ Profile. We would need to understand more about your AuthZ Policies, but I'm guessing this is because the MDM condition match is not hitting so the correct AuthZ Policy is not being matched.

Is there a difference between the working and non-working endpoints (e.g. Wired vs. Wireless connections, etc)?

Keep in mind that the ISE MDM API uses the endpoint MAC Address to query the MDM server. If this is a Wired connection, the MDM needs to have the Wired NIC MAC Address associated with the endpoint. This is further complicated by newer laptops not having built-in Wired NICs and instead using dongles.

For further troubleshooting, you can enable the MDM-related debug logs, duplicate the issue, and have a look at the MDM request/response in the ise-psc.log. For more detailed troubleshooting, you might be best opening a TAC case.
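The two things the replies above point at, whether the AuthZ rule actually queried the MDM and whether the MDM has the endpoint's MAC address on file in the same form ISE sends it, can both be checked mechanically from the step output and an MDM device list. The script below is an added example, not code from the original thread or from Cisco or AirWatch: it parses the ISE step lines quoted in the question (the rejected and the accepted session), normalizes MAC addresses across the notations that commonly disagree (Windows hyphens, colons, Cisco dotted), and reports which of the usual causes applies. The device names and MAC addresses in MDM_INVENTORY are constructed; in practice that list would come from the MDM's device export, and the step text from the RADIUS live log detail.

```python
import re

# Constructed sample input: the ISE step output quoted in the question, copied into strings so
# the helpers run offline. Step ids are the 5-digit codes ISE prints before each message; the
# accepted sample has none, exactly as it was pasted in the post.
REJECTED_STEPS = """\
24211 Found Endpoint in Internal Endpoints IDStore
15048 Queried PIP - MDM.DeviceCompliantStatus
15016 Selected Authorization Profile - Quarantined_Systems,DenyAccess
15016 Selected Authorization Profile - Quarantined_Systems,DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
"""

ACCEPTED_STEPS = """\
Found Endpoint in Internal Endpoints IDStore
Queried PIP - MDM.DeviceCompliantStatus
Selected Authorization Profile - Employees,PermitAccess
Selected Authorization Profile - Employees,PermitAccess
Max sessions policy passed
New accounting session created in Session cache
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept
"""

# Constructed MDM inventory (hypothetical device names): the MAC addresses the MDM has on file,
# in the mixed notations that show up in practice.
MDM_INVENTORY = {
    "LAPTOP-01": ["00-1A-2B-3C-4D-5E"],                    # wireless NIC only
    "LAPTOP-02": ["00:1a:2b:3c:4d:60", "001a.2b3c.4d61"],   # wireless and wired (dongle) NIC
}

STEP_RE = re.compile(r"^\s*(\d{5})?\s*(.*\S)\s*$")


def parse_steps(text):
    """Return a list of (step_id or None, message) from raw ISE step output."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def summarize_session(text):
    """Extract the facts that decide this case: whether the MDM PIP was queried,
    which authorization profiles were selected, and the RADIUS result returned."""
    summary = {"mdm_queried": False, "profiles": [], "result": None}
    for _step_id, msg in parse_steps(text):
        if msg.startswith("Queried PIP - MDM."):
            summary["mdm_queried"] = True
        elif msg.startswith("Selected Authorization Profile - "):
            profile = msg.split(" - ", 1)[1]
            if profile not in summary["profiles"]:   # ISE logs this step twice
                summary["profiles"].append(profile)
        elif msg.startswith("Returned RADIUS "):
            summary["result"] = msg.split("Returned RADIUS ", 1)[1]
    return summary


def normalize_mac(mac):
    """Canonical form (12 lowercase hex digits), so 00-1A-2B-3C-4D-5E,
    00:1a:2b:3c:4d:5e and 001a.2b3c.4d5e compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mdm_knows_mac(inventory, mac):
    """Return the device name whose MDM record contains this MAC, or None."""
    target = normalize_mac(mac)
    for device, macs in inventory.items():
        if any(normalize_mac(m) == target for m in macs):
            return device
    return None


def triage(steps_text, endpoint_mac, inventory):
    """Combine the step summary with the MDM MAC check and list what needs fixing."""
    summary = summarize_session(steps_text)
    device = mdm_knows_mac(inventory, endpoint_mac)
    findings = []
    if not summary["mdm_queried"]:
        findings.append("MDM PIP was never queried: the AuthZ rule with the MDM condition was not evaluated")
    if device is None:
        findings.append(f"MAC {endpoint_mac} is not registered with the MDM in any notation; "
                        "a compliance lookup for it cannot succeed (wired NIC or dongle MAC?)")
    if any(p.endswith("DenyAccess") for p in summary["profiles"]):
        findings.append("a DenyAccess profile was selected, which becomes Access-Reject; "
                        "a limited-access profile keeps the endpoint reachable for remediation")
    return {"summary": summary, "device": device, "findings": findings}


if __name__ == "__main__":
    for label, steps, mac in (("rejected", REJECTED_STEPS, "00:1a:2b:3c:4d:5f"),
                              ("accepted", ACCEPTED_STEPS, "00-1A-2B-3C-4D-5E")):
        r = triage(steps, mac, MDM_INVENTORY)
        print(label, r["summary"]["result"], r["device"], r["findings"])
```

The MAC normalization is the part worth keeping: a wired dongle's MAC that the MDM stores in one notation and ISE sends in another looks registered to a human reading both lists, but not to the API, and the symptom is exactly the missing External Mobile Device Manager report entry described in the question.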
