cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7447
Views
15
Helpful
6
Replies

ISE integration with Mobile Device Management ( MDM ) help required

ARUNPRABHU A
Level 1
Level 1

Dear Techies,

     Am here bring to your notice an different issue and no much resources to support even in PEC or Cisco Document.

     We are conduction a Proof Of Concept (PoC) on  Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.

Setup Brief :

=========

      Our Setup has  ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory

     Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.

Activity Brief:

=========

     As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.

Clarifications Required

================

Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.

----------------------

Wireless Scenario

---------------------------

MDM can be integrated to ISE ? 

How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?

What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?

If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?

Is MDM will do client provisioning or ISE should do ?

Is MDM send or update patches of Mobile Devices ?

As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.

Thanks for Reading...

Arun

6 Replies 6

Tarik Admani
VIP Alumni
VIP Alumni

Arun,

MDM can be integrated to ISE ?  Not yet, I havent heard anything official from Cisco, but there is rumors that this will be out in 1.2, you can contact your cisco account rep for confirmation

How the MDM can be integrated to Cisco ISE configuration or Guide to show the same? Same as above

What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ? The current 1.1.1 (MR) can only provision the supplicant on the mobile devices and generate certificates for eap-tls or set profile for peap authentication, it is not able to posture or provide any other management capability to the mobile devices.

If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ? Currently not a feature

Is MDM will do client provisioning or ISE should do ? ISE can do the client provisioning for mac osx, and windows machines not mobile devices

Is MDM send or update patches of Mobile Devices ? Depends on the MDM vendor you will have to check what their solutions offer.

To make a long story short and what I have heard and this is mostly speculation, in ISE 1.2 there is rumors of some mdm integration, i dont know if that is done through radius or some other means like an API, in order to integration ISE with MDM so that mobile devices can be fixed...i.e. rooted android devices or jailbroken apple-ios devices, I have seen some presentations from a vendor and they state that they can detect these vulnerabilities.

I hope this helps,

Tarik Admani
*Please rate helpful posts*

Thanks for having a look at my earlier post.

I would like to avail your valuable inputs to understand on the Client provisioning part for the Mobile Devices/ Laptop. I understand from your reply that MDM integration is not available in the current release ISE 1.1


Kindly let me know your views or any documents on the following scenarios with the current release in mind

1. User  with Mobile devices connecting to Wireless  ( both Employee and Guest ) , How the Flow differs for the Employee and Guest.  How the client provisioning is done ( i.e. Like Posturing  or Compliance Check ).

2. User  with Laptop  connecting to Wireless  ( both Employee and Guest ). How the client provisioning is done ( i.e. Like Posturing  or Compliance Check ).
3. What are advantages of having ISE also in place for Mobile devices, since most of the Mobile related tasks ( like Authentication, Authorization, Profiling and  Posture ) are carried out by MDM. I am checking for the significant advantage of having ISE for Client network having only Mobile devices. Kindly clarify.

4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?

5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?

6. We are also looking for VDI  ( Citrix, VMware ) solution for the client  ( both Employee and Guest ) , how ISE can play a role in securing the VDI environment.
7. Is that any integration required with Citrix or VMware. How the  VDI can be offered based on the User role ( i.e. Employee, Contractor or Guest ), since Guest database is available only with ISE, how the checks are made from the VDI environment.

Our solution demands  MDM in the integrated solution, As on today ISE cant be integrated with MDM. so what kind of solution we can propose to have MDM and Cisco ISE .Do the clients now enter the network should have already installed the MDM agent (or) any other way of pushing the same to the Client.

Thanks for reading

Regards,

Arun

I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.


Kindly let me know your views or any documents on the following scenarios with the current release in mind

1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).

The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the users endpoint (windows, mac osx, or a mobile device), ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then can either use the nac agent, or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance...and the list goes on. If the user fails a check then you can either assign an acl for the user so they only have guest access, or you can place them into a remediation vlan the options are entirely up to the requirements and however the solution is implemented.


2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).

Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.

3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.

Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products since they are all part of of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (vpn..etc) and ISE are pretty close in building their solutions so that you can get connected with any device any where (sorry for the sales pitch). The latests wireless code is improving and is going to have support similar to the ios sensor for wired devices where dhcp, cdp, and other attributes can be sent in the radius packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep) you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID so that makes the budget work when it comes to deploying ISE if you arent looking for enforcement on your wired devices.

4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?

For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.

There is a feature within the guest portal that allows you to statically assign guests into endpoint group, that feature is called device registration web authentication. It seems like an open network but uses mac filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page, once they accept their mac address is mapped to the endpoint group

5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?

This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2

You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html

6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.

For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.

7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.

IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.

Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.

Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello is there any confirmation of ISE v1.2 integration with MDM and which specific vendors?

Early Q&A document says - Cisco is partnering with multiple MDM vendors AirWatch, Good Technology, MobileIron, and Zenprise.

Hello Pete,

these are the vendors who will be integrate with ISE 1.2 with MDM.

Anas Naqvi
Level 1
Level 1

Hi Arun,

Following link might be helpful,

http://www.youtube.com/watch?v=XiHClrhz2GY

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: