MDM integration without device on-boarding

piotr.witkowski
Level 1

Hi,

We have been running ISE 2.4 in a distributed model. Recently we added AirWatch MDM servers to ISE; the connection status shows OK. I was sure that I would be able to check the compliance or registration status of any device connecting to the 802.1X-enabled SSID (WPA2 Enterprise). After a couple of hours I realized that there is no correlation between the 802.1X (RADIUS) queries and the MDM HTTP calls, as the devices were not onboarded on ISE directly. They are onboarded out-of-band, communicating directly with AirWatch via a GSM/LTE connection.

My question is: is it possible to have a setup where devices are onboarded independently on the MDM and ISE can still check their compliance status against the MDM server?

Accepted Solution

piotr.witkowski
Level 1

For those who are interested in a fix for this problem: I got this fix from Cisco TAC. Apologies @Jason Kunst, but you haven't provided any reasonable solution; I don't get why you approved your help as the "solution", as in my opinion it's not.

Anyway, see the fix for the problem:

Assumptions:

  • We have two different MDM servers. Each keeps different mobile resources (geo-location separation).
  • We don't want to perform device onboarding on ISE. MDM registration/enrollment is done out-of-band (LTE).

Solution:

  • The authorization rules have to know which servers should be queried (I know it's ridiculous, as AuthZ rules should match, but here they are also responsible for invoking the proper MDM server).

See the two AuthZ rules (one for each MDM server) which solved the problem in my environment.

Untitled.png

 

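To make the mechanism behind the accepted fix concrete, here is an added simulation of the ISE-side logic; it is example code written for this page, not Cisco ISE or AirWatch code. It models what the thread describes: the RADIUS Calling-Station-Id (client MAC) is the only key ISE has to look a device up in the MDM, regardless of whether enrollment happened out-of-band, and with more than one MDM server the authorization rule itself has to name which server to query. The rule that names no server is modelled as never matching, which is the symptom reported above. The XML shape is loosely based on the device-lookup response of the ISE MDM API, but the element names, the server names `airwatch-emea`/`airwatch-apac`, the SSID and all device records are assumptions constructed for this illustration.

```python
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed mock data: two MDM servers, each holding its own devices, keyed by
# 12-hex-digit MAC. Element names mimic an ISE MDM API device lookup (assumption).
MDM_SERVERS: Dict[str, Dict[str, str]] = {
    "airwatch-emea": {
        "001122334455": "<ise_api><deviceList><device><macaddress>001122334455</macaddress>"
                        "<attributes><register_status>true</register_status>"
                        "<compliance><status>true</status></compliance></attributes>"
                        "</device></deviceList></ise_api>",
    },
    "airwatch-apac": {
        "66778899aabb": "<ise_api><deviceList><device><macaddress>66778899aabb</macaddress>"
                        "<attributes><register_status>true</register_status>"
                        "<compliance><status>false</status>"
                        "<failure_reason>passcode policy</failure_reason></compliance>"
                        "</attributes></device></deviceList></ise_api>",
    },
}


def normalize_mac(calling_station_id: str) -> str:
    """Collapse a RADIUS Calling-Station-Id (AA-BB-CC-.., aa:bb:cc:.., aabb.ccdd.eeff)
    to 12 lowercase hex digits, the form the MDM lookup is keyed on."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


@dataclass
class MdmResult:
    registered: bool
    compliant: bool
    failure_reason: str = ""


def query_mdm(server: str, mac: str) -> Optional[MdmResult]:
    """Simulated ISE -> MDM device lookup. Returns None when this server has no
    record for the MAC (device enrolled on another server, or not at all)."""
    body = MDM_SERVERS.get(server, {}).get(mac)
    if body is None:
        return None
    dev = ET.fromstring(body).find("./deviceList/device")
    if dev is None:
        return None

    def flag(path: str) -> bool:
        node = dev.find(path)
        return node is not None and (node.text or "").strip().lower() == "true"

    reason = dev.findtext("./attributes/compliance/failure_reason", default="")
    return MdmResult(flag("./attributes/register_status"),
                     flag("./attributes/compliance/status"), reason)


@dataclass
class AuthzRule:
    name: str
    ssid: str
    mdm_server: Optional[str] = None    # which MDM to query; None = not specified
    require_registered: bool = False
    require_compliant: bool = False
    result: str = "DenyAccess"


def evaluate(session: Dict[str, str], rules: List[AuthzRule]) -> Tuple[str, str]:
    """Walk the rules top-down like an ISE policy set; first match wins."""
    mac = normalize_mac(session["Calling-Station-Id"])
    for rule in rules:
        if session["SSID"] != rule.ssid:
            continue
        if rule.require_registered or rule.require_compliant:
            if rule.mdm_server is None:
                # Modelled on the thread: no server named, so the MDM attributes
                # are never populated and the rule cannot match.
                continue
            res = query_mdm(rule.mdm_server, mac)
            if res is None:
                continue
            if rule.require_registered and not res.registered:
                continue
            if rule.require_compliant and not res.compliant:
                continue
        return rule.name, rule.result
    return "Default", "DenyAccess"


def fixed_policy() -> List[AuthzRule]:
    """One MDM-aware rule per server, as in the accepted fix, then a catch-all."""
    return [
        AuthzRule("Corp_MDM_EMEA", "CorpWiFi", "airwatch-emea", True, True, "PermitAccess"),
        AuthzRule("Corp_MDM_APAC", "CorpWiFi", "airwatch-apac", True, True, "PermitAccess"),
        AuthzRule("Corp_NonCompliant", "CorpWiFi", result="Quarantine"),
    ]


def broken_policy() -> List[AuthzRule]:
    """The original shape: MDM conditions but no server named; never matches."""
    return [
        AuthzRule("Corp_MDM", "CorpWiFi", None, True, True, "PermitAccess"),
        AuthzRule("Corp_NonCompliant", "CorpWiFi", result="Quarantine"),
    ]


if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "66-77-88-99-AA-BB", "de-ad-be-ef-00-01"):
        sess = {"Calling-Station-Id": csid, "SSID": "CorpWiFi"}
        print(csid, "fixed:", evaluate(sess, fixed_policy()), "broken:", evaluate(sess, broken_policy()))
```

The EMEA device is permitted only under the fixed policy; under the broken one it drops through to the catch-all exactly as the OP's rule did. The APAC device is registered but non-compliant, so both policies quarantine it, and the unknown MAC never produces an MDM record on either server. A real deployment would also have to handle the lookup failing (MDM unreachable or timing out), which in ISE surfaces as the MDM attributes being unavailable rather than as a clean "not registered".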

3 Replies

Jason Kunst
Cisco Employee
You have to set up rules so that they are registered with the MDM server in order for this to work.

They can onboard OOB but still need rules like you're integrated.

Hi Jason,

Do you mean an authorization rule? This is how my AuthZ rule looks, but it has never been matched. The two upper conditions work properly if I remove the two at the bottom related to MDM.

Untitled.png


 
