Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1464
Views
0
Helpful
0
Replies

MDM (AirWatch) Authorization Poilcy for ISE 2.3

paul46
Level 1
Level 1

‎04-05-2018 05:23 PM - edited ‎02-21-2020 10:52 AM

Hi Guys,

 

I have integrated AirWatch as an MDM server with ISE 2.3. 

 

The authentication is successful using EAP-TLS but authorization policy is not working. 

 

There is no requirement for BYOD. All the IOS devices are preregistered on Airwatch. If device register status is registered, the access is allowed if it is unregistered, it will be denied.

 

The below is my policy

 

1. IOS REGISTERED DEVICE if MDM:deviceregisteredstatus equals registered, allow Access

 

2. IOS PREAUTH if SSID=IOS then trigger PreAuthIOS authorization profile (this profile will return preauthIOS acl to Wireless controller to allow traffic to DNS, DHCP and to MDM server to check the status)

 

3. IOS UNREGISTERED DEVICE if MDM:deviceregisteredstatus equals unregistered, DenyAccess

 

-

 

Just connected my iPhone. It gets an IP Address and I can see WiFi symbol but cannot browse the Internet.

 

The FLOW - let me know your thoughts 

- Any new registered iPhone on Airwatch triggers the Preauth (2nd policy) and goes out to Internet to talk to only Airwatch to confirm the device register status

- ISE gets device register status and issues change of authorization (CoA) for endpoint and then it would trigger 1st policy if the status from MDM is registered but triggers 3rd policy if the status from MDM is unregistered

 

I do not think CoA is happening with my test iPhone.

 

Below are the RADIUS logs

Cisco Identity Services Engine

22037 Authentication Passed
  12506 EAP-TLS authentication succeeded
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.UseCase (2 times)
  15048 Queried PIP - Network Access.ISE Host Name
  15048 Queried PIP - MDM.DeviceRegisterStatus
  15016 Selected Authorization Profile - iOS-PreAuth
  22081 Max sessions policy passed
  22080 New accounting session created in Session cache
  11503 Prepared EAP-Success
  24432 Looking up user in Active Directory - TESTAD
  24355 LDAP fetch succeeded - company.com
  24416 User's Groups retrieval from Active Directory succeeded - TESTAD
  11002 Returned RADIUS Access-Accept

 

Although the test connection to MDM is successful. I think ISE is not making an API call to Airwatch at all.mdm error.png

The error from PSN is Identity Services Engine

External MDM Server Connection Failure. : Reason is Connection Failed to the MDM server host -

 

I have disabled proxy on ISE PAN and added firewall rule so ISE can directly talk to Airwatch. We don't see any drops on Firewall. 

 

The TAC case is already logged. As per Cisco, depending on the polling interval (default is 240 minutes) ISE fetch status of all devices from Airwatch stores under Identity database. Not sure about this.

 

When ISE makes an API call, who is the source? PAN or PSN?

 

-

 

It seems I have provided too much information? But let me know if you guys have worked with MDM or know any of the theory or concepts abut the flow.

 

Thanks.

 

 

 

 

 

 

 

 

 

 

 

 

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents