MobileIron + ISE 1.2

Hi All,

I hope, that somebody can help me.

I'm trying to setup ISE with MobileIron in order to get MAC authentication bypass for corporate registered mobile devices.

I successfully set up the connection between ISE and MobileIron. The authorization rule is set to

Wireless_MAB AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable with Authorization rule allow access.

However in reports I see, that the endpoint is not registered (but it really is in the MDM) and therefore the rule is not matched.

When I go to Administration -> Identities -> Endpoints and search for the devices I can see the following attributes:

DeviceRegistrationStatus    NotRegistered
MDMServerReachable          false
MDMUpdateTime               1385653308139
MatchedPolicy               Apple-Device

However, when I go to MDM management and do a test connection, the connection is successful.

I have allowed firewall communications from all administration and policy nodes.

Thanks for any hints!

Regards

Karel

Karel,

We have the same simple need. No one at TAC seems to have a clue as to how to deal with mobile corporate assets. We have no intention of registering these through ISE either. Like you, we have a good MDM connection and RESTful queries all respond with device attributes that we want to use.

But ISE won't query the MDM correctly because the design is broken for corporate assets. The focus within the Cisco ISE group has been solely upon BYOD.

This is a simple fix I am sure. We just need to get it in front of the right people.


Hi,

we did a workaround. We set certificates to be propagated from the MDM to every onboarded device and set a WLAN profile.

Now they connect to a single SSID with an authorization rule for internet access only.

K.


Dear Karel,

Thanks for your reply, glad you found a workaround. So, if I understand correctly, you distribute your certs to the mobile devices from MobileIron and have an authorization rule that checks the cert with a result rule that allows Internet access. Are you able to use any of the MDM attributes yet?

Such as:

MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable

We would like to use these MI attributes.


Hi,

yes, I'm able to use the attributes, but since then it's useless ... at least in our use case.

I added also a rule which compares Calling-Station-ID to SAN of the client's certificate. The client's SAN is also provided by MobileIron during the certificate request.

K.
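The two authorization checks discussed in this thread, the MDM attribute rule from the original post and the Calling-Station-ID-to-SAN comparison from the workaround, modelled as an added example so the matching logic can be tested offline. This is not code from the thread, from Cisco ISE or from MobileIron; the MAC values, the attribute dictionary and the assumption that the MDM writes the device MAC into a SAN value (in any common MAC notation) are constructed for illustration.

```python
import re


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare forms,
    which are the notations a RADIUS Calling-Station-ID or a SAN may carry."""
    digits = re.sub(r"[:.\-\s]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def mdm_rule_matches(mdm_attrs):
    """Rule from the original post: the endpoint must be registered in the MDM
    and the MDM server must have been reachable when ISE last queried it.
    Keys follow the rule's MDM:... attribute names; the Endpoints page shows
    the same data under slightly different labels."""
    return (mdm_attrs.get("DeviceRegisterStatus") == "Registered"
            and mdm_attrs.get("MDMServerReachable") == "Reachable")


def cert_rule_matches(calling_station_id, san_entries):
    """Workaround rule: the MAC the NAS reports in Calling-Station-ID must equal
    the MAC the MDM placed in the client certificate's SAN, so a valid cert is
    only honoured from the device it was issued to. Assumption: the SAN holds
    the bare MAC; the thread does not state the SAN type used."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    return any(normalize_mac(san) == mac for san in san_entries)


def authorize(calling_station_id, mdm_attrs, san_entries):
    """Evaluate the rules top-down, as a policy set would, and name the hit."""
    if mdm_rule_matches(mdm_attrs):
        return "mdm-rule"
    if cert_rule_matches(calling_station_id, san_entries):
        return "cert-rule"
    return "deny"


# Constructed sample: the attribute values the original poster saw on the
# Endpoints page, plus a certificate SAN the MDM issued for the same MAC.
SAMPLE_MDM_ATTRS = {"DeviceRegisterStatus": "NotRegistered",
                    "MDMServerReachable": "false"}
SAMPLE_CALLING_STATION_ID = "A4-5E-60-12-34-56"  # constructed, NAS notation
SAMPLE_SAN = ["a45e.6012.3456"]                   # constructed, dotted notation

if __name__ == "__main__":
    print(authorize(SAMPLE_CALLING_STATION_ID, SAMPLE_MDM_ATTRS, SAMPLE_SAN))
```

With the poster's attribute values the MDM rule never matches, while the certificate rule still admits the device because the normalized MACs agree.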