Hi Antonio,

Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:

• On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
• On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attemp to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
• Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870

For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.

As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iterration of ISE.

Related Info:

Wireless BYOD for FlexConnect Deployment Guide

Thank you very much for your answer Todd.

The link you provided seems to explain the problem I faced many times, but I can't see the real fix or workaround for this. Do I have to disable Radius Overwrite on all SSIDs and only enable it on the management? Will this work?

Also I forgot one question. I know that SCEP is used for validating identities and know how important this can be in a production environment. I have been installing ISE demos for some clients and sometimes it's difficult for them to configure this on a router or server. I have tried different things like putting it on a VM on my laptop and this definitely works. But I wanted to know if there is some way that you could "bypass" or not use SCEP or any certificate type?

Thank you once more.

As it stands right now, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.  This will allow the WLC to use the management interface as the source of all RADIUS packets including the CoA-Ack/Nak.  The ultimate "fix" will need to come as an enhancement to the WLC code.

BYOD proof-of-concepts can be a challenge on the SCEP front.  It isn't always easy to just spin up a licensed Server 2008 R2 SCEP machine and connect it to a customer's enterprise CA.  Can you expand on the BYOD flow that you would like to demonstrate to a customer?  You can certainly manually add BYOD demo devices to the ISE endpoint database using the My Devices Portal.  In ISE 1.2, doing so will update a new endpoint attribute flag called BYODRegistration which you could then use as a condition in your authZ policy.  If you can provide some additional color around what you would like to achieve, Eric and I can offer up some ideas. 

Thank you Todd, your answer certainly helped me with the SCEP process, the BYODRegistration flag was indeed updated and then was used in an authZ policy afterwards.

Glad to hear it worked for you.  As for your other question, you don't need to install the MDM API into ISE 1.2  Once you enable an MDM server for the first time, the related MDM conditions will become available for you to use in the authZ rules.  Matching an MDM condition is what triggers the API call to the configured MDM provider.  I am including a link to a sample MDM config doc from Cisco.com.  This one speaks to MobileIron but the process is similar for others.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/MobileIronISE.html

Hi John,

Your question raises a few considerations when planning for an ISE 1.2 deployment.

1. MDM vendors typically offers an advance certificate provisioning service that will free the BYOD solution operator from supporting an extra layer of complexity such as an extra MS SCEP server as Todd noted in the previous post.

2. If your enterprise has already implemented an MDM solution with existing defined business policies, the general recommendation is to integrate ISE AuthZ rules that checks MDM policies for access control.

3. There is an agent cost for all mobile devices managed by any MDM solution, so if there are wireless endpoints that do not require MDM features to help reduce costs, Cisco ISE policies based context may be sufficient to enforce policies for these devices.

4. Not all MDM providers will support Windows/MacOS/Linux in addition to Android/Apple iOS devices, this means context rules on Cisco ISE can bridge any gaps that is beyond the span of MDM features.

5. MDM offers a great solution to enforce application management on mobile devices; however in scenarios where app management is not applicable on wireless devices for example game consoles, irobot Ava 500; Cisco ISE provides a web-portal that enables end user for self-help.

When maximizing the benefits of integrating Cisco ISE with an existing MDM solution, one objective is to figure out how Cisco ISE can enforce contextual policies that maybe beyond the scope of the existing MDM features.

Hi John,

In addition to some of the points that Eric raised, I think the overall user interactive experience plays into the decision to use ISE vs. MDM for the certificate and wireless profile distribution.  For example, some environments may have very restricitve endpoint OS policies with strict control over what if any Java applications may be executed.  Because we use Java to execute some of our supplicant provisioning wizards, this may be an example of where the MDM and endpoint agent can be used to distribute some of the configuration.  Trying to stay on top of endpoint OS  features and functionality is a continuous process requiring a significant amount of testing in between release cycles.  We are always looking for ways to streamline the user experience to minize prompts and clicks but sometimes we are bound to what the endpoint OS will allow us to do.     

Hi Evan,

Cisco ISE 1.2 integrates to MDM  by establishing an HTTPS connection to the MDM provider's API. This implies that firewall rules and/or web proxy configurations on Cisco ISE enabled to allow web access to the MDM provider's API server. HTTPS connectivity from ISE to MDM requires a username that is  provisioned on  MDM  with API rights.  The username will be configured  on Cisco ISE to establish context inquiries to check policies.

In addition, because  ISE uses HTTPS for transport, the  MDM site certificate must be  imported into  ISE Certificate Repository to ensure connectivity.

Please Note: Specific MDM providers have successfully enabled API's that will integrate with Cisco ISE. These validated MDM partners are listed here:

http://tools.cisco.com/squish/9d3e5

To see an example of integrating Cisco ISE 1.2 to Airwatch, please reference the link below:

http://tools.cisco.com/squish/aA3Fd

The majority of the cloud-based MDM offerings use HTTPS to terminate API sessions.  Because of this, you will need to investigate what 3rd party CA the MDM provider is using on their cloud servers.  You can quickly validate this with a web browser.  Most browsers will allow you to export the CA certificates which you can then manually import into the ISE certificate store via Administration > System > Certificates.  In this design, the ISE policy node(s) will need to be able to communicate with Internet hosts on TCP 443 either directly or via proxy.  Once both of these initial tasks have been completed, you will add the MDM server to ISE via Administration > Network Resources > MDM.  This will enable MDM conditions such as

MDM:DeviceRegisterStatus and MDM:DeviceCompliantStatus that you can then apply to your authorization policies.  This last step is important as the API queries to the configured/enabled MDM server are triggered when an authorization policy with MDM condition(s) is matched. 

Cisco ISE 1.2 verifies MDM profiles using REST API services transported over HTTPS. What this means is that it does not matter if the MDM solution deployed as a cloud service or  on-premise solution, ISE 1.2  simply requires a web connection established from ISE 1.2 to check MDM for compliance context. The results of the MDM inquiry is provided back to ISE in a XML format that is consumed by ISE to trigger an administratively defined set of authorization rules.

The list of ISE 1.2  API's  where validated MDM partners have implemented can be found here:

http://tools.cisco.com/squish/1D7A7