Mobile pushes Black Friday Shopping


2 Mobile pushes Black Friday Shopping How? Adding Wi-Fi to key stores Expanding mobile app offerings Optimizing Web sites for small screens Location based promotions Result? 24% of every online sales dollars occurred from mobile devices 118% increase in sales year-over-year from mobile devices Source: Adobe Digital Marketing Blog 2

3 Paradigm shift in Business World Private mobile device usage influences business world! Yesterday BYOD was trendy and fancy clear cut between private/business usage Today BYOD/CYOD simply is mobile device must take care of separation (sandbox/container)! Mobile devices will be part of the network, the question is when and not if! Be prepared 3

4 Don't just connect your mobile device, integrate it!

5 Successful designing and deploying Cisco's ISE 1.2/MDM integration Christoph Altherr, Systems Engineer Big THANK YOU to my session QA Managers: Ronny Guillaume Aaron Woland

6 Session Abstract Cisco ISE 1.2 provides integration with several 3rd party MDM vendors. To fully unlock the power of this newly provided mobile device posturing capability, several things should be taken into account. As a quick start into this topic, the session uncovers given dependencies within ISE and the surrounding network infrastructure. The second part of the session focuses on how to provide the best possible MDM onboarding and quarantine user experience while not breaching security regulations. Session Level: Advanced Uncut (with hidden slides) pdf version:

7 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 7

8 Cisco Live 2014 Related Session Reference BRKSEC-2692 Identity Based Networking: IEEE 802.1X and Beyond Hariprasad Holla, Cisco Technical Marketing Engineer BRKSEC-3698 Advanced ISE and Secure Access Deployment Aaron Woland, Cisco Technical Marketing Engineer BRKSEC-2044 Building an Enterprise Access Control Architecture with ISE Craig Hyps, Senior Technical Marketing Engineer BRKSEC-2203 Deploying TrustSec Security Group Tagging Kevin Regan, Cisco Product Manager BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through Darrin Miller, Cisco Distinguished Engineer BRKSEC-2045 Mobile Devices and BYOD Security - Deployment and Best Practices Sylvain Levesque, Consulting Systems Engineer Adv X Topics Adv. ISE Topics TrustSec (SGA) BYOD MDM Mobile BRKEWN-2020 Wireless LAN Security, Policy and BYOD Best Practices Device Federico Ziliotto, Senior Systems Engineer Security PSOSEC-2001 BYOD: Management and Control for the Use and Provisioning of Mobile Devices Russell Rice, Director of Product Management 8

9 Cisco Live 2014 Call to Action Visit the Cisco Campus at the World of Solutions to experience the following demos/solutions in action: Cisco Secure Access with ISE, TrustSec in the Data Center TrustSec in the Campus and Branch, TrustSec Threat Mitigation Meet the Engineer Craig Hyps, Aaron Woland, Kevin Regan, Darrin Miller Discuss your project challenges at the Technical Solutions Clinics Lunch Time Table Topics, held in main Catering Hall Recommended Reading: For reading material and further resources for this session, please visit 9

10 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 13

11 Cisco ISE MDM Integration Solution Components 3rd party MDM 1 Mobile devices are discovered by Cisco ISE as they access network 2 Enrollment and posture assessment policy is applied 3 Cisco ISE queries MDM platform for posture information 4 Cisco ISE assigns network access level based on enrollment and posture results Cisco ISE 14

12 Mobile Device Management Centralized Management MDM Secure and Manage Mobile Devices Manage Mobile Apps Secure Content Distribution 15

13 ISE and MDM home turf NETWORK ENABLEMENT (ISE) FULL MANAGEMENT (MDM) Classification/ Profiling Secure Unified Access (Wireless, Wired, VPN) Mobile + PC AUP Context-Aware Access Control (Role, Location, etc.) User <-> Device Ownership Registration Cert + Supplicant Provisioning Inventory Management Enterprise Software Distribution Management (Backup, Remote Wipe, etc.) Policy Compliance (Jailbreak, Pin Lock, etc.) Cost Management Secure Data Containers User Managed Device Network-Based IT Control User/IT Co-Managed Device Device and Network-Based IT Control 16

14 Bridging the Mobile Device Gap Cisco ISE + 3 rd Party MDM + Integration + + = True context based who, where, when, how, and compliance Covers all Mobile Devices Secure Device, Apps and Mobile management Unified Access enforcement full-, partial-, quarantine-, or no network access 17

15 ISE MDM Integration Steps MDM integration consists of 3 main steps: 1 Integration Prerequisites 2 Add MDM Server 3 Configure ISE policies 18

16 MDM Integration The Big Picture! Cisco ISE Live Update Internet Proxy 2 3 ISE-MDM integration Prerequisites: WLAN ISE MDM 19

17 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 20

18 Integration Prerequisite: WLAN Cisco ISE Live Update 2 3 Prerequisites: WLAN ISE MDM 21

19 Cisco AirOS release
Throughout this breakout session, the following controller releases are used:
AirOS release is mainly used because of:
- Pre-Auth DNS-based ACL enhancement
- iOS 7 Captive Network Assistant (CNA) behavior change
- Stability improvements
AirOS Alternative AirOS release, containing most ISE MDM Integration related features and stability improvements
- Missing Pre-Auth DNS-based ACL enhancement
- Therefore, the first proposed implementation option later in this deck (Pre-Auth DNS-based ACL) isn't applicable
A note to converged access controllers
- IOS-XE 3.3 contains the URL-redirection functionality
- Pre-Auth DNS-based ACL functionality still is roadmap item 22

20 WLC URL Redirection Refresher
Redirect URL: For CWA, Client Provisioning, Posture, and MDM
- URL value returned from ISE as Cisco AV-pair RADIUS attribute
- Example: cisco:cisco-av-pair=url-redirect= sessionid=sessionidvalue&action=mdm
Redirect ACL: Network Access Device must be locally configured with ACL that specifies traffic to be permitted or to bypass redirection
- ACL value returned as a named ACL on NAD
- Example: cisco:cisco-av-pair=url-redirect-acl=acl-mdm-quarantine-ios
WLC Redirect ACL Conventions:
- Permit ACL entries define traffic to bypass redirection
- Deny ACL entries define traffic subject to redirection 25

21 WLC URL Redirection ACL
Problem Statement: To register iOS and Android devices for BYOD or MDM, they may require Internet access for either downloading supplicant software or for device validation from highly dynamic sources like iTunes and Google Play. Same applies for MDM marked non-compliant devices. In contrast, WLC URL redirection ACL only offers static, IP-based rule definition.
Workarounds (works also with older WLC versions, e.g ):
a) Permit full Internet access, deny/redirect only internal IP address ranges
b) Permit access to Apple and Google IP ranges, deny/redirect other traffic
c) Fake DNS resolution. Optional: Plus external DNS-based network access enforcement (ASA, WSA, or others)
d) Out-of-band MDM onboarding, just do endpoint compliance checking
Solution: WLC DNS based Pre-Auth ACL 26

22 WLC URL Redirection ACL cont. Solution: WLC DNS based Pre-Auth ACL same IP-based rules for ACL-MDM-QUARANTINE-ANDROID Seq 1-4: Infrastructure rules (including DNS, Guest & Client Provisioning Portal (default 8443), and optional ICMP access) Seq 5: Permit outbound traffic Seq 6: Deny any traffic 33

23 WLC URL Redirection ACL cont. Solution: WLC DNS based Pre-Auth ACL Note: Allowed URL lists may need to be updated for your environment! 34

24 WLC DNS based Pre-Auth ACL (message flow between Client, AP, WLC, ISE, MDM and DNS)
1 Starts EAP-TLS based authentication; Enable DNS snooping on AP for URLs in ACL
1b Authentication Request; Access-Accept with ACL = ACL-MDM-QUARANTINE, URL Redirect = ISE, MDM Portal
1a Device Status Query; Device Status Response register_status = false
2a DNS query (assumption: host ISN'T part of ACL URL List e.g: <
3a DNS response is forwarded as is to client; URL Redirect to ISE (action=mdm); Enroll button points to MDM-Server's Client Redirect Page
2b DNS query for <MDM-Server>, which IS part of the ACL URL List; Forward DNS response with only the 1st IP address resolved to client; 1st IP address returned to WLC
3b Add IP address to allowed list; Enroll button points to Redirect Page> 35

25 WLC DNS based Pre-Auth ACL For Your Reference Feature limitations: IPv6 address not supported Up to 10 Allowed URLs can be defined per ACL AP to AP roaming after client authentication is completed, the URLs to be snooped are not passed to the new AP Supports both, Local- and Flexconnect operation mode for central authentication 38
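The snooping behaviour on slides 24 and 25, as a small model. This is an added example, not code from the deck or from Cisco; the hostnames and documentation-range IP addresses are constructed, and exact-hostname matching against the allowed URL list is an assumption. Only the DNS-learned part of the ACL is modelled, not the static IP rules of slide 22.

```python
import ipaddress

MAX_ALLOWED_URLS = 10  # per-ACL limit listed under "Feature limitations"


class DnsPreAuthAcl:
    """Toy model of a redirect ACL that learns permitted IPs by DNS snooping."""

    def __init__(self, name, allowed_urls):
        if len(allowed_urls) > MAX_ALLOWED_URLS:
            raise ValueError("at most %d allowed URLs per ACL" % MAX_ALLOWED_URLS)
        self.name = name
        self.allowed_urls = {self._norm(u) for u in allowed_urls}
        self.learned_ips = set()  # addresses added to the allowed list

    @staticmethod
    def _norm(hostname):
        return hostname.strip().lower().rstrip(".")

    def snoop_dns_response(self, qname, answers):
        """Return the answer list that is forwarded to the client."""
        if self._norm(qname) not in self.allowed_urls:
            # Step 3a: name is not on the URL list, response forwarded as is.
            return list(answers)
        ipv4 = [a for a in answers if ipaddress.ip_address(a).version == 4]
        if not ipv4:
            # IPv6 is not supported by the feature: nothing is learned
            # (forwarding the response unchanged here is an assumption).
            return list(answers)
        first = ipv4[0]
        # Step 3b: only the first resolved address is learned and forwarded.
        self.learned_ips.add(ipaddress.ip_address(first))
        return [first]

    def action_for(self, dst_ip):
        """'permit' bypasses redirection, 'redirect' sends the client to ISE."""
        if ipaddress.ip_address(dst_ip) in self.learned_ips:
            return "permit"
        return "redirect"


def demo():
    # Constructed sample data: one allowed URL and three DNS responses.
    acl = DnsPreAuthAcl("ACL-MDM-QUARANTINE", ["mdm.example.com"])
    out = {}
    out["other_forwarded"] = acl.snoop_dns_response(
        "www.example.org", ["198.51.100.7", "198.51.100.8"])
    out["other_action"] = acl.action_for("198.51.100.7")
    out["mdm_forwarded"] = acl.snoop_dns_response(
        "MDM.example.com.", ["203.0.113.10", "203.0.113.11"])
    out["mdm_first"] = acl.action_for("203.0.113.10")
    out["mdm_second"] = acl.action_for("203.0.113.11")
    out["v6_forwarded"] = acl.snoop_dns_response("mdm.example.com", ["2001:db8::10"])
    out["v6_action"] = acl.action_for("2001:db8::10")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The second address of the MDM host stays subject to redirection, which is why the client must only ever see the first one.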

26 Integration Prerequisite: ISE Cisco ISE Live Update 2 3 Prerequisites: WLAN ISE MDM 40

27 Cisco ISE release Throughout this breakout session, the following ISE release is used: ISE 1.2 Patch 5 (or later) is mainly used because of: (p3) Fixes an MDM API issue introduced in patch 2 with MobileIron (p3) MDM performance improvements Rely on cached MDM information for policy evaluation and update endpoint info in separate thread. If the MDM attributes returned differ from the cached ones, update cache and fire CoA. Reason: Remove MDM API call from time-critical path (p5) ISE MDM Portal Cross-Site Scripting Vulnerability A note to ISE 1.2 patches Patches are cumulative ISE 1.2 patches posted roughly on a monthly basis 41

28 Proxy-based Internet Access for ISE
Cisco ISE can automatically retrieve profiling and posture check updates on a recurring schedule, and download the latest client provisioning and posture software directly from Cisco locations.
Problem Statement: If your network requires a proxy server to access the Internet, you may need to configure proxy settings in ISE. If proxy settings are enabled, ISE-to-MDM communication is also redirected to the proxy, because ISE can't bypass proxy services for MDM communication.
Solution/Workaround:
- Allow ISE-to-MDM traffic via proxy server path
- Forward ISE traffic to internal proxy, split-off MDM traffic locally and pass external traffic towards Internet (or 2nd proxy in DMZ)
- Allow ISE accessing Internet directly without proxy
Considerations: Some old ISE documentation or guides (e.g. ISE Online Help!) describe a "Bypass Proxy Settings" option. It's a documentation bug and the option is not available in the current ISE release. 43

29 Proxy-based Internet Access for ISE Configure ISE Proxy Settings Administration > System > Settings - Proxy 44

30 Web Services Multi-Interface Before ISE 1.2 All web services supported on Management interface (eth0) only URL Redirection always used CN value of node certificate to populate redirect URL: With ISE 1.2: All interfaces enabled for all web services by default Guest and Client Provisioning Portal is also used for MDM redirection (onboarding and non-compliant) 45

31 Web Services Multi-Interface Services configured to use the same HTTPS Port must use the same interfaces Recommendation: Limit services to specific interface to simplify management and security policy Blacklist TCP/8444 (eth1) Guest/CPP TCP/8443 (eth1) My Devices TCP/8445 (eth2) Sponsor TCP/8446 (eth3) 46

32 MDM URL Redirection Example DNS and Port Settings Single Interface Enabled for Guest/CPP Redirection based on first service-enabled IF: If eth0, return host FQDN Else return interface IP Only eth1 enabled for Guest/CPP ISE Node IP Address Interface ISE-PSN # eth0 ISE-PSN # eth1 ISE-PSN # eth2 ISE-PSN # eth3 e.g.: Redirect URL = 47

33 MDM URL Redirection Example (FQDN in SAN) URL Redirection uses first Guest-Enabled Interface (eth1) 1. RADIUS Authentication requests sent to RADIUS Authorization received from with URL Redirect to 3. User sends web request directly to User receives cert name mismatch warning Admin/RADIUS: eth0: ISE-PSN1 PSN 1 RADIUS request to User ISE Certificate Subject = ise-psn1.company.com SAN = ise-psn1.company.com sponsor.company.com mydevices.company.com 3 2 Access Device 4 RADIUS authorization: URL redirect = HTTPS response from Name Mismatch! Requested URL = Certificate SAN = ise-psn1.company.com = sponsor.company.com = mydevices.company.com Switch Guest eth1: MyDevices eth2: Sponsor eth3:

34 IP Address-Based URL Redirection
Problem Statement: Any change to interface IP addressing (network relocation, vMotion, network infrastructure changes, etc.) requires new certificates to be generated with SAN attributes updated for new IP addresses
- Time-consuming process
- New certificates signed by 3rd-party CAs can be expensive
- Disruption to application services after new cert loaded
Solution: Interface Alias
- Optionally assign ISE node interface (eth1, eth2, eth3) a unique hostname/FQDN which can be resolved to its local IP address using DNS
- Each PSN tracks which interfaces are enabled for each service and dynamically substitutes IP variable for URL redirection to the PSN's local interface alias (hostname + domain)
Considerations:
- Manual configuration process from CLI
- Requires DNS to be updated for each alias 50

35 Interface Alias Configuration For Your Reference Aliases assigned to interfaces using ip host global config command in ADE-OS: (config)# ip host <interface_ip_address> <hostname FQDN> <hostname FQDN> Up to two values can be specified hostname and/or FQDN If hostname specified, then globally configured <ip domain-name> appended for use in URL redirection Example: ise-psn1/admin(config)# ip host ise-psn1-guest ise-psn1-guest.company.com (eth1) Host entry for Gigabit Ethernet 0 (eth0) cannot be modified Use show run to view entries; Use no ip host <ip_address> to remove entry Change in interface IP address or alias requires application server restart 51

36 MDM Example using Interface Alias URL Redirection Uses First Guest-Enabled Interface (eth1) 1. RADIUS Authentication requests sent to RADIUS Authorization received from with URL Redirect to 3. DNS resolves alias FQDN ise-psn1-guest to and sends web request to No cert warning received since SAN contains interface alias FQDN Admin/RADIUS: eth0: ISE-PSN1 PSN 1 RADIUS request to User ISE Certificate Access Device Subject = ise-psn1.company.com SAN = ise-psn1.company.com ise-psn1-guest.company.com RADIUS authorization: URL redirect = HTTPS response from Certificate OK! Requested URL = ise-psn1-guest.company.com Certificate SAN = ise-psn1-guest.company.com Switch Guest eth1: MyDevices eth2: Sponsor eth3:

37 FQDN in SAN Problem Statement: Every ISE node requires a unique certificate New certificates signed by 3rd-party CAs can be expensive Time-consuming process to generate new certs each time new node added Certificate SAN must include FQDN entry for other web services (Sponsor, MDP, etc.) Some endpoints require each PSN cert to be trusted and will prompt user to accept Solution: Wildcard Certificates Allows multiple ISE nodes to share single certificate for Web/EAP authentication No longer requires custom SAN with node FQDN or interface IP addresses Most seamless and improved end-user experience Considerations: Less secure than unique certificate per node; greater care to safeguard private key Limit exposure and deploy ISE into subdomain; e.g. *.ise.company.com 54

38 NetworkWorld Blog from Aaron Woland What are Wildcard Certificates, and how do I use them with Cisco's ISE? For Your Reference Source: what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise 55

39 3rd Party Cert Provider Support for Wildcard in SAN
Cert/CA Provider | Wildcard SAN Support? | Comments
ssl.com | Yes | Full support
Digicert | Yes | Supports wildcard SAN plus option to add IP in SAN DNS label
Comodo | Yes | Choose UC certificate option and select Tomcat software
Entrust | Yes/No | Wildcard in the SAN with Entrust is not a standard UC Multidomain cert option. It is however available as part of a special promotion and will take longer processing time
Geotrust | No | Only supports SAN with UC certificates and SAN cost extra
Verisign | No |
GoDaddy | No |
57

40 MDM Example using Alias & Wildcard in SAN URL Redirection Uses First Guest-Enabled Interface (eth1) 1. RADIUS Authentication requests sent to RADIUS Authorization received from with URL Redirect to 3. DNS resolves alias FQDN ise-psn1-guest to and sends web request to No cert warning received since SAN contains interface alias FQDN Admin/RADIUS: eth0: ISE-PSN1 PSN 1 RADIUS request to User ISE Certificate Subject = ise.company.com SAN = ise.company.com *.company.com 3 2 Access Device 4 RADIUS authorization: URL redirect = HTTPS response from Certificate OK! Requested URL = ise-psn1-guest.company.com Certificate SAN = *.company.com Switch Guest eth1: MyDevices eth2: Sponsor eth3:
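The certificate name check behind slides 33, 36 and 40, written out so each redirect variant can be compared against each SAN list. This is an added example, not code from the deck or from ISE: the interface IP is a constructed documentation address (the deck's own addresses did not survive in this transcript), the `*.ise.company.com` list is constructed from the subdomain suggestion on slide 37, and the matching rule is the usual one where a wildcard covers exactly one leftmost label.

```python
import ipaddress


def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def match_san(requested_host, san_entries):
    """Return the SAN entry that covers requested_host, or None (name mismatch)."""
    host = requested_host.strip().lower().rstrip(".")
    host_ip = _as_ip(host)
    if host_ip is not None:
        # An IP in the redirect URL is only covered by an identical IP SAN entry;
        # DNS names and wildcards never match an IP literal.
        for san in san_entries:
            if _as_ip(san) == host_ip:
                return san
        return None
    host_labels = host.split(".")
    for san in san_entries:
        if _as_ip(san) is not None:
            continue
        pattern = san.strip().lower().rstrip(".").split(".")
        if len(pattern) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if pattern[0] == "*":
            # Require at least two fixed labels after the wildcard.
            if len(pattern) >= 3 and pattern[1:] == host_labels[1:]:
                return san
        elif pattern == host_labels:
            return san
    return None


# SAN lists as shown on the slides; ETH1_IP is a constructed placeholder.
SAN_FQDN_ONLY = ["ise-psn1.company.com", "sponsor.company.com", "mydevices.company.com"]
SAN_WITH_ALIAS = ["ise-psn1.company.com", "ise-psn1-guest.company.com"]
SAN_WILDCARD = ["ise.company.com", "*.company.com"]
SAN_SUBDOMAIN_WILDCARD = ["ise.company.com", "*.ise.company.com"]  # constructed
ETH1_IP = "192.0.2.11"
ALIAS = "ise-psn1-guest.company.com"


def check_scenarios():
    return {
        # Slide 33: redirect to the eth1 IP, certificate lists only FQDNs.
        "ip_redirect_fqdn_san": match_san(ETH1_IP, SAN_FQDN_ONLY),
        # Slide 36: redirect to the interface alias, alias listed in SAN.
        "alias_redirect_alias_san": match_san(ALIAS, SAN_WITH_ALIAS),
        # Slide 40: redirect to the alias, wildcard in SAN.
        "alias_redirect_wildcard_san": match_san(ALIAS, SAN_WILDCARD),
        # A wildcard does not rescue an IP-based redirect.
        "ip_redirect_wildcard_san": match_san(ETH1_IP, SAN_WILDCARD),
        # Subdomain wildcard: the alias must live inside that subdomain.
        "alias_outside_subdomain": match_san(ALIAS, SAN_SUBDOMAIN_WILDCARD),
        "alias_inside_subdomain": match_san(
            "psn1-guest.ise.company.com", SAN_SUBDOMAIN_WILDCARD),
    }


if __name__ == "__main__":
    for name, matched in check_scenarios().items():
        print(name, "->", matched or "NAME MISMATCH")
```

Restricting the wildcard to a subdomain therefore also means the interface aliases have to be defined in that subdomain.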

41 Web Services Multi-Interface Routing Challenge
Key business driver for multi-interface support is traffic separation and assumption that traffic for one service that enters on interface X will return from the interface/network path.
Problem Statement: Packets received on any ISE interface rely on the CARS routing table to determine egress interface and next hop address
Solution:
- Static routes for each endpoint subnet must be configured on each node using CLI to use the desired web service interface
- Source NAT to Web Portal interfaces and configure static route to NAT'ed network
Considerations:
- If NAT is not used, then depending on network size and addressing complexity, hundreds of static routes may have to be configured, which is very difficult to manage and maintain!
- Dedicated interface for Anchor Controller use case should not be impacted since client IP is local (L2 adjacent) to dedicated ISE interface in DMZ 61

42 Web Services Multi-Interface Summary (For Your Reference)
First service enabled IF URL Redirection | IP in SAN | Interface Alias | FQDN in SAN | Wildcard Certificate | Routing
Standalone ISE Deployment
eth0 | not required | not applicable | not required (host FQDN returned) | not required | no changes required
eth1-eth3 | required OR use IF Alias | recommended unless IP in SAN used | possible, requires IF Alias definition | possible, requires IF Alias definition | adjust static routes OR add Src-NAT
Distributed ISE Deployment
eth0 | not required | not applicable | not required (host FQDN returned) | not required | no changes required
eth1-eth3 | required OR use IF Alias | recommended unless IP in SAN used | possible, requires IF Alias definition | recommended, requires IF Alias definition | adjust static routes OR add Src-NAT
62

43 Integration Prerequisite: MDM Cisco ISE Live Update 2 3 Prerequisites: WLAN ISE MDM 63

44 3 rd Party MDM Vendor Support ISE 1.2 Vendor Support Version 6.2 Cisco MCMS v1.0 Version 7.0 SP3 Version 7.1 Version 5.5 App Center v Endpoint Manager for Mobile Devices v2.2 Version 2.3 Version 13.2 Patch 5 64

45 MDM Onboarding/Compliance Check Flow BYOD registered? BYOD Registration Internet Only MDM registered? MDM Onboarding MDM compliant? MDM non-compliant Access-Accept Note: Various other onboarding and compliance check flows feasible! 65

46 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 66

47 ISE MDM Integration prerequisites (WLC, 3 rd Party MDM Server, Network Connectivity, ) ISE MDM Configuration Overview ISE MDM Communication ISE MDM communication verification (API and MDM Server access rights testing) Add MDM Server certificate to ISE trusted Certificate Store Add new MDM Server Add MDM Server Review MDM Dictionaries Configure ISE Authentication Policy Configure Profiles and Policies Configure ISE Authorization Profiles Configure ISE Authorization Policy 67

48 ISE MDM Integration prerequisites (WLC, 3 rd Party MDM Server, Network Connectivity, ) ISE MDM Configuration ISE MDM Communication ISE MDM communication verification (API and MDM Server access rights testing) Add MDM Server certificate to ISE trusted Certificate Store Add new MDM Server Add MDM Server Review MDM Dictionaries Configure ISE Authentication Policy Configure Profiles and Policies Configure ISE Authorization Profiles Configure ISE Authorization Policy 68

49 ISE MDM communication MDM HTTPS based XML API MDM server info Temporarily replace the ISE PSN by another device (use ISE's proxy settings, if any) and verify basic MDM Server connectivity, information and API credentials: API path for further calls (e.g: /ciscoise/mdm/api) If MDM instance used, insert name before <api_path>: Client redirection URL used for MDM registration Messaging API: Optional, enables ISE to send messages through MDM to end user mobile devices 69

50 ISE MDM communication Endpoint Status/Compliance Query Example Query endpoint status and compliance information example: All attributes retrieved and reachability determined by single API call for each new client session. Starting with Patch 3: Endpoints immediately reconnect based on previous MDM API records. A CoA is sent only if the post-authorization lookup determines that values have changed. Endpoint to be validated MDM registration status MDM compliance status Overall status (macro) Specific compliance checks (micro) Endpoint details provided by MDM (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number) 70

51 ISE MDM Integration prerequisites (WLC, 3 rd Party MDM Server, Network Connectivity, ) ISE MDM Configuration ISE MDM Communication ISE MDM communication verification (API and MDM Server access rights testing) Add MDM Server certificate to ISE trusted Certificate Store Add new MDM Server Add MDM Server Review MDM Dictionaries Configure ISE Authentication Policy Configure Profiles and Policies Configure ISE Authorization Profiles Configure ISE Authorization Policy 72

52 Add MDM Server Add MDM Server certificate to ISE trusted Certificate Store Path: Administration > System > Certificates; Certificate Store Note: If MDM server certificate is CA-signed, import root CA instead 73

53 Add MDM Server Add new MDM Server Path: Administration > Network Resources > MDM; External MDM Servers Multiple MDM servers can be defined, only one can be active at any time Instance Name field is for multi-tenant MDMs User must have API rights on MDM Recommended same polling interval set on MDM Server (default = 240 minutes, 0 = disable) Caution: Aggressive polling can impact system load as ISE must collect status for all endpoints using API and trigger CoAs to all non-compliant devices Test Server reachability 74

54 ISE MDM Configuration: ISE MDM configuration most common issues (For Your Reference)
Connection Message | Explanation
Connection Failed: Please check the connection parameters | A routing or firewall problem exists between the ISE located in the data center and the MDM located in either the DMZ or Cloud. The firewall's configuration should be checked to confirm HTTPS is allowed in this direction.
Connection Failed 404: Not Found | The most likely cause of an HTTP 404 error code is that an instance was configured when it was not required or that the wrong instance has been configured.
Connection Failed 403: Forbidden | The user account setup on the MDM server does not have the proper roles associated to it. Validate that the account being used by ISE is assigned the REST API MDM role.
Connection Failed 401: Unauthorized | The user name or password is not correct for the account being used by ISE.
Connection Failed: There is a problem with the server certificate or ISE Trust store. | ISE does not trust the certificate presented by the MDM website. This indicates the certificate was not imported to the ISE certificate store or the certificate has expired since it was imported.
The MDM Server details are valid and the connectivity was successful. | The connection has successfully been tested. The administrator should also verify the MDM AUTHZ dictionary has been populated with attributes.
75

55 Add MDM Server Review MDM Dictionaries Path: Policy > Policy Elements > Dictionaries; System > MDM Once the MDM server is added, the MDM and MDM_LOG dictionaries show-up on ISE, which could be later used in ISE Authorization Policies 76

56 ISE MDM Integration prerequisites (WLC, 3 rd Party MDM Server, Network Connectivity, ) ISE MDM Configuration ISE MDM Communication ISE MDM communication verification (API and MDM Server access rights testing) Add MDM Server certificate to ISE trusted Certificate Store Add new MDM Server Add MDM Server Review MDM Dictionaries Configure ISE Authentication Policy Configure Profiles and Policies Configure ISE Authorization Profiles Configure ISE Authorization Policy 77

57 Configure Profiles and Policies Configure ISE Authentication Policy Path: Policy > Authentication The sample authentication policy shown is representative for both, single SSID and dual SSID configuration with MAB and Dot1x 78

58 Configure Profiles and Policies Configure ISE Authorization Profiles Path: Policy > Policy Elements > Results; Authorization > Authorization Profiles MDM redirect is a common task under Web Redirection Can use same MDM Redirect authorization profile for both: Registration with MDM Server Compliance and Remediation with MDM Server policy OR Use two different profiles for better visibility Redirect ACL must allow access to MDM Server, onboarding and remediation resources 79

59 Configure Profiles and Policies Configure ISE Authorization Policy Path: Policy > Authorization (MDM Attributes) MDM Server reachability Endpoint registration status Endpoint macro-level compliance status Endpoint micro-level compliance status (Disk Encryption-, Pinlock-, and Jail broken status) MDM attributes available for policy conditions (Manufacturer, Model, IMEI, Serial Number, OS Version, Phone Number) 80

60 Configure Profiles and Policies Configure ISE Authorization Policy cont. Path: Policy > Authorization (MDM Attributes) MDM Server reachability Best Practice: Include an MDM Server reachability rule above other MDM rules to return a fallback permission if MDM is down OR include this condition in each rule that relies on an MDM reply to complete. Without an MDM reachability rule, access may be blocked 81
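Why the reachability rule matters, shown with a first-match rule table that follows the flow on slide 45. This is an added example, not ISE's policy engine or configuration syntax: the attribute keys, rule names, the "DenyAccess" default and the choice of "Internet Only" as the fallback permission are assumptions made for illustration, as is the model that MDM attributes are simply unknown while the MDM server is unreachable.

```python
def make_session(byod_registered, mdm_reachable,
                 mdm_registered=None, mdm_compliant=None):
    """Build the attributes a rule can test (hypothetical keys)."""
    if not mdm_reachable:
        # Modelling assumption: no MDM reply means no MDM attributes.
        mdm_registered = None
        mdm_compliant = None
    return {
        "byod_registered": byod_registered,
        "mdm_reachable": mdm_reachable,
        "mdm_registered": mdm_registered,
        "mdm_compliant": mdm_compliant,
    }


def evaluate(rules, session, default="DenyAccess"):
    """First-match evaluation: return (rule name, permission)."""
    for name, conditions, permission in rules:
        if all(session.get(attr) == want for attr, want in conditions.items()):
            return name, permission
    return "Default", default


# Rules that depend on an MDM reply, in the order of the slide 45 flow.
MDM_RULES = [
    ("BYOD_Not_Registered", {"byod_registered": False}, "BYOD Registration"),
    ("MDM_Not_Registered",
     {"byod_registered": True, "mdm_registered": False}, "MDM Onboarding"),
    ("MDM_Non_Compliant",
     {"byod_registered": True, "mdm_registered": True, "mdm_compliant": False},
     "MDM non-compliant"),
    ("MDM_Compliant",
     {"byod_registered": True, "mdm_registered": True, "mdm_compliant": True},
     "Access-Accept"),
]

# Best practice from slide 60: the reachability rule sits above the MDM rules.
REACHABILITY_RULE = (
    "MDM_Unreachable",
    {"byod_registered": True, "mdm_reachable": False},
    "Internet Only",
)
RULES_WITH_FALLBACK = [MDM_RULES[0], REACHABILITY_RULE] + MDM_RULES[1:]


def compare_outage_behaviour():
    """Same device, MDM server down, evaluated against both rule tables."""
    outage = make_session(byod_registered=True, mdm_reachable=False,
                          mdm_registered=True, mdm_compliant=True)
    healthy = make_session(byod_registered=True, mdm_reachable=True,
                           mdm_registered=True, mdm_compliant=True)
    return {
        "outage_without_rule": evaluate(MDM_RULES, outage),
        "outage_with_rule": evaluate(RULES_WITH_FALLBACK, outage),
        "healthy_with_rule": evaluate(RULES_WITH_FALLBACK, healthy),
    }


if __name__ == "__main__":
    for case, (rule, permission) in compare_outage_behaviour().items():
        print(case, "->", rule, "/", permission)
```

Without the extra rule a compliant device falls through to the default during an MDM outage; with it, the same session gets the defined fallback permission.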

61 Configure Profiles and Policies Configure ISE Authorization Policy cont. Path: Policy > Authorization 82

62 ISE MDM Integration
Scalability
- Scalability = 30 API calls per second (>100'000 calls/h)
- Consider Internet bandwidth and latency for cloud-based solutions
Passive Reassessment
- Bulk recheck against MDM server using configurable timer (polling interval)
- If result of periodic recheck shows that a connected endpoint is no longer compliant, ISE sends a CoA to terminate session
Survivability
- CoA is NOT sent for devices granted access while MDM server unavailable
- If device is granted a fail open or other limited access state (for example, URL-redirected to MDM), user can hit Continue button when MDM is back online to trigger CoA 85

63 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 86

64 End-User Experience BYOD & MDM on-boarding

65 End-User Experience (BYOD & MDM on-boarding) 88

66 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 103

67 Tracking Devices, Logging and Reporting

68 ISE 1.2 Tracking Devices User can issue additional remote actions through the My Devices Portal ISE Endpoints Directory Remote Actions: Edit Description Reinstate Mark it lost Delete/Remove device Full Wipe Corporate Wipe PIN lock 105

69 ISE 1.2 Logging ISE Live Auth Log Session Details WLC Monitor Client Details 106

70 ISE 1.2 Reporting MDM Report Operations > ISE Reports > Endpoints and Users Mobile Device Management 107

71 Troubleshooting

72 ISE 1.2 Selective Client Log Suppression Administration > System > Logging > Collection Filters PSN static log collection filters Filter Messages based on Auth Result 110

73 MDM DEBUG log collection
1. Set MDM debug level to DEBUG (Administration > System > Logging > Debug Log Configuration). Select PSN node used for debugging
2. Examine the Component Names and flip these components' log level to DEBUG: mdm, mdm-pip
3. Repeat steps above if more than one PSN is involved in debugging 111

74 MDM DEBUG log collection cont. 4. (Optional) During the tests, note date/time and session IDs 5. Gather generated log files and review debug messages iselocalstore.log ise-psc.log catalina.out 6. Revert log level changes made in step 2 (default = INFO) 112

75 ISE 1.2 View Log from Console (CLI or SSH) View list of available log files View new log entries in specific log file 113

76 Capture Console Logs from iOS Devices For Your Reference Use iPhone Configuration Utility Connect iOS Device via cable Switch to Console Reproduce problem iOS Troubleshooting: Push Notifications: iOS Packet Tracing: 114

77 Capture Console Logs from Android Devices For Your Reference Android provides a mechanism for collecting and viewing system debug output known as LogCat Android Troubleshooting: Using DDMS: 115

78 Agenda ISE MDM Integration Overview Integration Prerequisites ISEs MDM Configuration End-User Experience Tracking, Logging, Reporting & Troubleshooting Closing & Wrap-Up 116

79 Closing + + = Regardless of its type, every new device is WLAN enabled! 117

80 Wrap-Up MDM integration consists of 3 steps: 1 Integration Prerequisites 2 Add MDM Server 3 Configure ISE policies 118

81 Links For Your Reference Secure Access, TrustSec, and ISE Cisco ISE Design Guides - Integrating MDM with Cisco ISE Guides available for: AirWatch, Cisco MCMS, Fiberlink, MobileIron Cisco ISE MDM Partner Integration, At a Glance Lists current API capabilities per MDM vendor Cisco TrustSec and ISE Deployment Guides Cisco MCMS = Cisco Mobile Collaboration Services 119

82 Complete Your Online Session Evaluation Complete your session Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 122

83 Don't just connect your mobile device, integrate it!


Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1 Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,

More information

What Is Wireless Setup

What Is Wireless Setup What Is Wireless Setup Wireless Setup provides an easy way to set up wireless flows for 802.1x, guest, and BYOD. It also provides workflows to configure and customize each portal for guest and BYOD, where

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across

More information

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configure Guest Flow with ISE 2.0 and Aruba WLC Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.

More information

Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2

Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2 Readme for ios 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2 September, 2013 1 Contents This document includes the following sections: 1 Contents 1 2 Background 1 2.1 Captive Bypassing on

More information

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Wireless Controller Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: November 2015 Table of Contents Introduction... 3 What Is Cisco

More information

ISE with Static Redirect for Isolated Guest Networks Configuration Example

ISE with Static Redirect for Isolated Guest Networks Configuration Example ISE with Static Redirect for Isolated Guest Networks Configuration Example Document ID: 117620 Contributed by Jesse Dubois, Cisco TAC Engineer. Apr 23, 2014 Contents Introduction Prerequisites Requirements

More information

CounterACT Afaria MDM Plugin

CounterACT Afaria MDM Plugin Version 1.7.0 and Above Table of Contents About Afaria MDM Service Integration... 4 About This Plugin... 4 How It Works... 5 Continuous Query Refresh... 5 Offsite Device Management... 6 Supported Devices...

More information

Integrating Meraki Networks with

Integrating Meraki Networks with Integrating Meraki Networks with Cisco Identity Services Engine Secure Access How-To guide series Authors: Tim Abbott, Colin Lowenberg Date: April 2016 Table of Contents Introduction Compatibility Matrix

More information

ISE Primer.

ISE Primer. ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides

More information

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Posture Services on the Cisco ISE Configuration Guide Contents

Posture Services on the Cisco ISE Configuration Guide Contents Posture Services on the Cisco ISE Configuration Guide Contents Introduction Prerequisites Requirements Components Used Background Information ISE Posture Services Client Provisioning Posture Policy Authorization

More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

Cisco ISE Features Cisco ISE Features

Cisco ISE Features Cisco ISE Features Cisco ISE Overview, on page 2 Key Functions, on page 2 Identity-Based Network Access, on page 3 Support for Multiple Deployment Scenarios, on page 3 Support for UCS Hardware, on page 3 Basic User Authentication

More information

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today

More information

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Windows VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 6 Cisco

More information

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture Service Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?

More information

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich

Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM Author: John Eppich Table of Contents About This Document... 4 Solution Overview... 5 Technical Details... 6 Cisco ISE pxgrid Installation... 7 Generating the

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure, page 1 Cisco ISE Administration Node Ports, page 2 Cisco ISE Monitoring Node Ports, page 4 Cisco ISE Policy Service Node Ports, page 5 Cisco ISE pxgrid Service Ports, page 10

More information

Integrating Cisco Identity Services Engine with NotifyMDM

Integrating Cisco Identity Services Engine with NotifyMDM Integrating Cisco Identity Services Engine with NotifyMDM NotifyMDM Version 3.x Overview 1 Table of Contents Overview 3 Deployment Models 4 Getting NotifyMDM Ready for ISE 5 Grant ISE Access to the NotifyMDM

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Configuration Guide. BlackBerry UEM. Version 12.9

Configuration Guide. BlackBerry UEM. Version 12.9 Configuration Guide BlackBerry UEM Version 12.9 Published: 2018-07-16 SWD-20180713083904821 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the first time...9 Configuration

More information

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series Monitor Mode Deployment with Cisco Identity Services Engine Secure Access How -To Guides Series Author: Adrianne Wang Date: December 2012 Table of Contents Monitor Mode... 3 Overview of Monitor Mode...

More information

Manage Certificates. Certificate Management in Cisco ISE. Certificates Enable Cisco ISE to Provide Secure Access

Manage Certificates. Certificate Management in Cisco ISE. Certificates Enable Cisco ISE to Provide Secure Access Certificate Management in Cisco ISE, page 1 Cisco ISE CA Service, page 27 OCSP Services, page 55 Certificate Management in Cisco ISE A certificate is an electronic document that identifies an individual,

More information

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Push Notifications (On-Premises Deployments)

Push Notifications (On-Premises Deployments) Push Notifications Overview, page 1 Push Notifications Prerequisites, page 5 Push Notifications Configuration Task Flow, page 6 Push Notifications Troubleshooting, page 15 Push Notifications Interactions

More information

For Sales Kathy Hall

For Sales Kathy Hall IT4E Schedule 13939 Gold Circle Omaha NE 68144 402-431-5432 Course Number Course Name Course Description For Sales Chris Reynolds 402-963-4465 creynolds@it4e.com www.it4e.com SISE v1.1 SKY For Sales Kathy

More information

What do you want for Christmas?

What do you want for Christmas? What do you want for Christmas? ISE 2.0 new feature examples TACACS, Certificate Provisioning, Posture encryption Eugene Korneychuk, Michał Garcarz AAA TAC Engineers Agenda ISE - new features in 2.0 AnyConnect

More information

ISE Version 1.3 Hotspot Configuration Example

ISE Version 1.3 Hotspot Configuration Example ISE Version 1.3 Hotspot Configuration Example Document ID: 118741 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 11, 2015 Contents Introduction Prerequisites Requirements Components

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

BlackBerry UEM Configuration Guide

BlackBerry UEM Configuration Guide BlackBerry UEM Configuration Guide 12.9 2018-11-05Z 2 Contents Getting started... 7 Configuring BlackBerry UEM for the first time... 7 Configuration tasks for managing BlackBerry OS devices... 9 Administrator

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, on page 1 Guest and Sponsor Accounts, on page 2 Guest Portals, on page 13 Sponsor Portals, on page 25 Monitor Guest and Sponsor Activity, on page 35 Guest Access Web Authentication

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, page 1 Guest and Sponsor Accounts, page 2 Guest Portals, page 15 Sponsor Portals, page 30 Monitor Guest and Sponsor Activity, page 42 Guest Access Web Authentication Options,

More information

Mobile Security using IBM Endpoint Manager Mobile Device Management

Mobile Security using IBM Endpoint Manager Mobile Device Management Mobile Security using IBM Endpoint Manager Mobile Device Management Mahendra Chopra Security Solution Architect @ IBM CIO Lab, Innovation mahendra.chopra@in.ibm.com Agenda Market Trends Mobile Security?

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page Node Types and Personas in Distributed Deployments, page Standalone and Distributed ISE Deployments, page 4 Distributed Deployment

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Guest Management. Overview CHAPTER

Guest Management. Overview CHAPTER CHAPTER 20 This chapter provides information on how to manage guest and sponsor accounts and create guest policies. This chapter contains: Overview, page 20-1 Functional Description, page 20-2 Guest Licensing,

More information

Forescout. Configuration Guide. Version 4.4

Forescout. Configuration Guide. Version 4.4 Forescout Version 4.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Exam Questions Demo Cisco. Exam Questions

Exam Questions Demo   Cisco. Exam Questions Cisco Exam Questions 300-208 SISAS Implementing Cisco Secure Access Solutions (SISAS) Version:Demo 1. Which functionality does the Cisco ISE self-provisioning flow provide? A. It provides support for native

More information

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Identity Services Engine Guest Portal Local Web Authentication Configuration Example Identity Services Engine Guest Portal Local Web Authentication Configuration Example Document ID: 116217 Contributed by Marcin Latosiewicz, Cisco TAC Engineer. Jun 21, 2013 Contents Introduction Prerequisites

More information

Securing Cisco Wireless Enterprise Networks ( )

Securing Cisco Wireless Enterprise Networks ( ) Securing Cisco Wireless Enterprise Networks (300-375) Exam Description: The 300-375 Securing Wireless Enterprise Networks (WISECURE) exam is a 90minute, 60-70 question assessment that is associated with

More information

Central Web Authentication on the WLC and ISE Configuration Example

Central Web Authentication on the WLC and ISE Configuration Example Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization

More information

VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure, page 1 Cisco ISE Administration Node Ports, page 2 Cisco ISE Monitoring Node Ports, page 3 Cisco ISE Policy Service Node Ports, page 4 Cisco ISE pxgrid Service Ports, page 8 OCSP

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2 Configuration Guide BlackBerry UEM Version 12.7 Maintenance Release 2 Published: 2017-12-04 SWD-20171130134721747 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 5 Inline

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

BYOD: BRING YOUR OWN DEVICE.

BYOD: BRING YOUR OWN DEVICE. white paper BYOD: BRING YOUR OWN DEVICE. On-BOaRDING and Securing DEVICES IN YOUR Corporate NetWORk PrepaRING YOUR NetWORk to MEEt DEVICE DEMaND The proliferation of smartphones and tablets brings increased

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

CMX Dashboard Visitor Connect

CMX Dashboard Visitor Connect CHAPTER 11 Cisco CMX Visitor Connect is a guest access solution based on Mobility Services Engine (MSE), Cisco Wireless LAN Controller (WLC) and Lightweight Access points (AP). The CMX Visitor Connect

More information

802.1x Port Based Authentication

802.1x Port Based Authentication 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation

More information

Deploying Cisco ISE for Guest Network Access

Deploying Cisco ISE for Guest Network Access Deploying Cisco ISE for Guest Network Access Jason Kunst September 2018 Table of Contents Introduction... 4 About Cisco Identity Services Engine (ISE)... 4 About This Guide... 4 Define... 6 What is Guest

More information

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Cisco AnyConnect as a Service György Ács Regional Security Consultant Mobile User Challenges Mobile and Security Services Web Security

More information

VMware AirWatch Content Gateway Guide for Windows

VMware AirWatch Content Gateway Guide for Windows VMware AirWatch Content Gateway Guide for Windows Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

ISE Identity Service Engine

ISE Identity Service Engine CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...

More information

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee ACCP-V6.2Q&As Aruba Certified Clearpass Professional v6.2 Pass Aruba ACCP-V6.2 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money Back

More information

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0 ForeScout CounterACT Network Module: Centralized Network Controller Plugin Version 1.0 Table of Contents About the Centralized Network Controller Integration... 4 About This Plugin... 4 How It Works...

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, page 1 Guest and Sponsor Accounts, page 2 Guest Portals, page 18 Sponsor Portals, page 34 Monitor Guest and Sponsor Activity, page 46 Guest Access Web Authentication Options,

More information

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE Bhumik Patel Solutions Architect, Citrix Systems May 21 st 2013 App Complete Enterprise Mobility Business Apps Productivity and Collaboration

More information

Symbols. Numerics I N D E X

Symbols. Numerics I N D E X I N D E X Symbols /var/log/ha-debug log, 517 /var/log/ha-log log, 517 Numerics A 3500XL Edge Layer 2 switch, configuring AD SSO, 354 355 access to resources, troubleshooting issues, 520 access VLANs, 54

More information

The Context Aware Network A Holistic Approach to BYOD

The Context Aware Network A Holistic Approach to BYOD The Context Aware Network A Holistic Approach to BYOD Trends Bring Your Own Device BYOD at Cisco Cisco BYOD Solution Use Cases Summary Trends #CiscoPlusCA Demand for Mobility 15 billion new networked mobile

More information

Configure Push Notifications for Cisco Jabber on iphone and ipad

Configure Push Notifications for Cisco Jabber on iphone and ipad Configure Push Notifications for Cisco Jabber on iphone and ipad Push Notifications Overview, page 1 Push Notifications Prerequisites, page 5 Push Notifications Configuration Task Flow, page 6 Push Notifications

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, page 1 Guest and Sponsor Accounts, page 2 Guest Portals, page 14 Sponsor Portals, page 28 Monitor Guest and Sponsor Activity, page 39 Guest Access Web Authentication Options,

More information

Wireless BYOD with Identity Services Engine

Wireless BYOD with Identity Services Engine Wireless BYOD with Identity Services Engine Document ID: 113476 Contents Introduction Prerequisites Requirements Components Used Topology Conventions Wireless LAN Controller RADIUS NAC and CoA Overview

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page 2 Node Types and Personas in Distributed Deployments, page 2 Standalone and Distributed ISE Deployments, page 4 Distributed

More information

Manage Authorization Policies and Profiles

Manage Authorization Policies and Profiles Manage Policies and Profiles Cisco ISE Policies, page 1 Cisco ISE Profiles, page 1 Default, Rule, and Profile Configuration, page 5 Configure Policies, page 9 Permissions for Profiles, page 12 Downloadable

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 5 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 10 Configuring WLAN-VLAN Mappings on FlexConnect Groups, page 11 Information About FlexConnect

More information

Cisco Plug and Play Feature Guide Cisco Services. Cisco Plug and Play Feature Guide Cisco and/or its affiliates.

Cisco Plug and Play Feature Guide Cisco Services. Cisco Plug and Play Feature Guide Cisco and/or its affiliates. Cisco Services TABLE OF CONTENTS Configuring Cisco Plug and Play... 14 Contents Introduction... 3 Cisco Plug and Play Components... 3 Plug-n-Play Agent... 3 Key Benefits... 4 Plug and Play Server... 4

More information