I hope that somebody can help me.
I'm trying to setup ISE with MobileIron in order to get MAC authentication bypass for corporate registered mobile devices.
I successfully set up the connection between ISE and MobileIron. The authorization rule is set to
Wireless_MAB AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable with Authorization rule allow access.
However, in reports I see that the endpoint is not registered (but it really is in the MDM) and therefore the rule is not matched.
When I go to Administration -> Identities -> Endpoints and search for the devices I can see the following attributes:
However, when I go to MDM management and do a test connection, the connection is successful.
I have allowed firewall communications from all administration and policy nodes.
Thanks for any hints!
We have the same simple need. No one at TAC seems to have a clue as to how to deal with mobile corporate assets. We have no intention of registering these through ISE either. Like you, we have a good MDM connection and restful queries all respond with devices attributes that we want to use.
But ISE won't query the MDM correctly because the design is broken for corporate assets. The focus within the Cisco ISE group has been solely upon BYOD.
This is a simple fix I am sure. We just need to get it in front of the right people.
We did a workaround. We set the MDM to propagate certificates to every onboarded device and set a WLAN profile.
Now they connect to single SSID with authorization rule for internet access only.
Thanks for your reply, glad you found a workaround. So, if I understand correctly, you distribute your certs to the mobile devices from MobileIron and have an authorization rule that checks the cert with a result rule that allows Internet access. Are you able to use any of the MDM attributes yet?
MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable
We would like to use these MI attributes.
Yes, I'm able to use the attributes, but since then it's useless ... at least in our use case.
I added also a rule which compares Calling-Station-ID to SAN of the client's certificate. The client's SAN is also provided by MobileIron during the certificate request.
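The two checks discussed in this thread (the MDM-attribute rule from the first post and the Calling-Station-ID-to-certificate-SAN comparison from the last one) can be modelled as a small first-match policy evaluator. The following Python is an added illustration written for this page, not ISE code and not anything from the thread's authors. It assumes that MobileIron places the device MAC in the certificate SAN as a plain string, that the RADIUS Calling-Station-Id may arrive in any of the common MAC spellings, and that the MDM query result is a flat dictionary with the attribute names used in the thread; the rule and result names are invented for the example. The `explain_mdm_rule` helper shows which condition of the MDM rule fails, which is the kind of detail the original poster's report was missing.

```python
import re
from dataclasses import dataclass

# 12 hex digits after separators are stripped.
MAC_RE = re.compile(r'^[0-9A-Fa-f]{12}$')


def normalize_mac(value):
    """Reduce the common MAC spellings (aa-bb-cc-dd-ee-ff, AA:BB:..., aabb.ccdd.eeff,
    AABBCCDDEEFF) to 12 uppercase hex digits; return None if the value is not a MAC.
    A format mismatch between Calling-Station-Id and the SAN is a typical reason a
    string-equality compare fails, so both sides are normalized before comparing."""
    digits = re.sub(r'[-:.]', '', value.strip())
    if not MAC_RE.match(digits):
        return None
    return digits.upper()


@dataclass
class Session:
    """Constructed view of one authentication as the policy engine sees it."""
    calling_station_id: str   # RADIUS Calling-Station-Id from the WLC
    cert_san: str             # SAN value from the client certificate ('' if no cert, e.g. MAB)
    mdm: dict                 # attributes returned by the MDM query (assumed flat dict)
    access_method: str        # 'Wireless_MAB' or 'Wireless_802.1X' (assumed labels)


def explain_mdm_rule(s):
    """Return the list of failing conditions for the MDM rule from the thread:
    Wireless_MAB AND DeviceRegisterStatus EQUALS Registered AND MDMServerReachable EQUALS Reachable."""
    failures = []
    if s.access_method != 'Wireless_MAB':
        failures.append('access method is %s, rule requires Wireless_MAB' % s.access_method)
    reg = s.mdm.get('DeviceRegisterStatus')
    if reg != 'Registered':
        failures.append('MDM:DeviceRegisterStatus is %r, expected Registered' % reg)
    reach = s.mdm.get('MDMServerReachable')
    if reach != 'Reachable':
        failures.append('MDM:MDMServerReachable is %r, expected Reachable' % reach)
    return failures


def rule_mdm_registered(s):
    return not explain_mdm_rule(s)


def rule_cert_matches_mac(s):
    """The later workaround: the MAC in the cert SAN must equal the MAC that is actually
    authenticating, so a certificate copied to another device does not authorize it."""
    mac = normalize_mac(s.calling_station_id)
    san = normalize_mac(s.cert_san)
    return mac is not None and san is not None and mac == san


def authorize(s):
    """First-match evaluation in the style of an authorization policy; returns
    (rule_name, result). Rule and result names are invented for this example."""
    if rule_mdm_registered(s):
        return ('Corporate_MAB_Registered', 'PermitAccess')
    if rule_cert_matches_mac(s):
        return ('Corporate_Cert_MAC_Bound', 'Internet_Only')
    return ('Default', 'DenyAccess')


if __name__ == '__main__':
    # Constructed sessions: the same device with an MDM that reports it registered,
    # with an MDM that does not, and a cert whose SAN belongs to a different MAC.
    ok = Session('00-11-22-aa-bb-cc', '', {'DeviceRegisterStatus': 'Registered',
                                            'MDMServerReachable': 'Reachable'}, 'Wireless_MAB')
    stale = Session('00-11-22-aa-bb-cc', '0011.22AA.BBCC',
                    {'DeviceRegisterStatus': 'NotRegistered', 'MDMServerReachable': 'Reachable'},
                    'Wireless_802.1X')
    cloned = Session('00-11-22-aa-bb-cd', '0011.22AA.BBCC', {}, 'Wireless_802.1X')
    for s in (ok, stale, cloned):
        print(s.calling_station_id, authorize(s), explain_mdm_rule(s))
```

Running the block prints, for each constructed session, the matched rule and the reasons the MDM rule did not match; for the `stale` session that is the register-status mismatch the original poster describes, which is easier to act on than a bare "rule not matched" in the report.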