12-04-2018 10:19 AM - edited 03-11-2019 01:52 AM
Hi,
We have been running ISE 2.4 in a distributed model. Recently we added Airwatch MDM servers to ISE, and the connection status shows OK. I was sure that I would be able to check the compliance or registration status of any device connecting to an 802.1x-enabled SSID (WPA2 Enterprise). After a couple of hours I realized that there is no correlation between 802.1x (RADIUS) queries and MDM HTTP calls, as the devices were not onboarded on ISE directly. They are onboarded out-of-band, communicating directly with Airwatch via a GSM/LTE connection.
My question is: Is it possible to have such a setup, where devices are onboarded independently on the MDM and ISE can still check compliance status against the MDM server?
12-04-2018 11:29 AM
12-04-2018 02:32 PM
Hi Jason,
Do you mean an Authorization rule? This is what my AuthZ rule looks like, but it has never been matched. The two upper conditions work properly if I remove the two bottom ones related to MDM.
12-19-2018 12:30 PM
For those who are interested in a fix for this problem: I got this fix from Cisco TAC. Apologies @Jason Kunst, but you haven’t provided any reasonable solution, and I don’t get why you approved your help as a "solution", as in my opinion it’s not.
Anyway, see the fix for the problem:
Assumptions:
Solution:
See the two AuthZ rules (one for each MDM server) which solved the problem in my environment.