Paradigm shift in Business World


2 Paradigm shift in Business World
Private mobile device usage influences the business world!
Yesterday: BYOD was trendy and fancy, with a clear cut between private and business usage.
Today: BYOD/CYOD simply is "the mobile device"; you must take care of separation (sandbox/container)!
Mobile devices will be part of the network; the question is when, not if. Be prepared.

3 Don't just connect your mobile device, integrate it!

4 Successfully designing and deploying Cisco's ISE 1.3/MDM integration
Christoph Altherr, Security Systems Engineer

5 Session Abstract
Cisco ISE 1.3 provides integration with several 3rd-party MDM vendors. To fully unlock the power of this newly provided mobile device posturing capability, several things have to be taken into account. As a quick start into this topic, the session uncovers the dependencies within ISE and the surrounding network infrastructure. The second part of the session focuses on how to provide the best possible MDM onboarding and quarantine user experience without breaching security regulations.
Session Level: Intermediate/Advanced
Uncut (with hidden slides) PDF version:

6 Call to Action
Visit the World of Solutions for: Cisco Campus, Walk-in Labs, Technical Solution Clinics, Meet the Engineer, lunchtime Table Topics, DevNet zone related labs and sessions.
Recommended Reading: for reading material and further resources for this session, please visit

7 Cisco ISE Sessions: Building Blocks
- BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Wed 9:00am)
- BRKSEC-2132 What's new in ISE Active Directory connector (Wed 11:30am)
- Successfully Designing and Deploying Cisco's ISE 1.3/MDM Integration (Wed 2:30pm)
- BRKSEC-3699 Designing ISE for Scale & High Availability (Thu 9:00am)
- BRKSEC-2044 Building an Enterprise Access Control Architecture Using ISE & TrustSec (Tue 2:15pm)
- PSOSEC-2004 How ISE Helps in an Increasingly Uncontrolled Environment (Tue 1:00pm)
- BRKSEC-2045 Mobile Devices and BYOD Security - Deployment and Best Practice (Tue 11:15am)
- BRKSEC-2203 Deploying TrustSec Security Group Tagging (Tue 11:15am)
- BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Fri 9:00am)

8 Other Complementary Sessions
- BRKSEC-3033 Advanced AnyConnect Deployment and Troubleshooting with ASA (Fri 11:00am)
- BRKSEC-3053 Practical PKI for Remote Access VPN (Fri 9:00am)
- BRKSEC-3068 Red Team, Blue Team: Lessons Learned for Real World Attacks (Tue 2:15pm)
- BRKSEC-2138 Deploying an IPv6 Identity Network (Thu 2:30pm)
- LABSEC-2338 IBNS 2.0 (Advanced 802.1X) Lab (Wed 9:00am)
- BRKSEC-2136 Preventing Armageddon: Finding the Threat Before it's Too Late (Wed 2:30pm)

9 Agenda
- ISE MDM Integration Overview
- Integration Prerequisites
- ISE's MDM Configuration
- End-User Experience
- Tracking, Logging, Reporting & Troubleshooting
- Wrap-Up & Closing

10 Agenda: ISE MDM Integration Overview

11 Legacy Mobility Silos: MDM lacks tight network integration
Register with ISE for BYOD -> ISE allows Internet access. Register with MDM -> MDM allows access to corporate resources. The two decisions are not linked.
Goal: ensure MDM compliance before allowing access to corporate resources.

12 Enterprise Mobility Management (EMM, historically known as MDM)
Centralized management of: Mobile Device Management (MDM), Mobile App Management (MAM), Mobile Information Management (MIM).

13 ISE and MDM home turf
Network Enablement (ISE): classification/profiling; secure unified access (wireless, wired, VPN) for mobile and PC; AUP; context-aware access control (role, location, etc.); user <-> device ownership registration; certificate and supplicant provisioning. Model: user-managed device, network-based IT control.
Device Management (MDM): inventory management; enterprise software distribution; management (backup, remote wipe, etc.); policy compliance (jailbreak, PIN lock, etc.); cost management; secure data containers. Model: user/IT co-managed device, device- and network-based IT control.

14 Cisco ISE MDM (EMM) Integration: Solution Components (3rd-party MDM + Cisco ISE)
1. Mobile devices are discovered by Cisco ISE as they access the network.
2. The enrollment and posture assessment policy is applied.
3. Cisco ISE queries the MDM platform for posture information.
4. Cisco ISE assigns the network access level based on the enrollment and posture results.

15 Bridging the Mobile Device Gap
Cisco ISE + 3rd-party MDM + integration = true context-based access: who, where, when, how, and compliance.
- Covers all mobile devices
- Secure device, apps and information management
- Unified access enforcement: full, partial, quarantine, or no network access

16 ISE MDM Integration Steps
MDM integration consists of 3 main steps:
1. Integration prerequisites
2. Add MDM server
3. Configure ISE policies

17 MDM Integration: The Big Picture!
Diagram: Cisco ISE (live update through an Internet proxy), the WLAN controller, and the MDM server. ISE-MDM integration prerequisites: WLAN, ISE, MDM.

18 Agenda: Integration Prerequisites

19 MDM Integration: The Big Picture! Prerequisite focus: WLAN

20 Cisco AirOS release
Throughout this breakout session, the following controller releases are used:
- Primary AirOS release, mainly because of: the pre-auth DNS-based ACL enhancement, the iOS 7 Captive Network Assistant (CNA) behaviour change, and stability improvements.
- Alternative AirOS release: contains most ISE MDM integration related features and stability improvements, but is missing the pre-auth DNS-based ACL enhancement. Therefore the first proposed implementation option later in this deck, the pre-auth DNS-based ACL, isn't applicable to it.
A note on converged access controllers: IOS-XE 3.3 adds URL-redirection functionality; IOS-XE 3.6 adds FQDN ACLs.

21 WLC URL Redirection Refresher
Apple iOS 7 Captive Network Assistant (CNA) changes.
Redirect URL: for CWA, Client Provisioning, Posture, and MDM, the URL value is returned from ISE as a Cisco AV-pair RADIUS attribute.
  Example: cisco:cisco-av-pair=url-redirect=<ISE portal URL>?sessionId=<sessionIdValue>&action=mdm
Redirect ACL: the Network Access Device must be locally configured with an ACL that specifies the traffic to be permitted (bypassing redirection) or redirected; the ACL value is returned as a named ACL that must already exist on the NAD.
  Example: cisco:cisco-av-pair=url-redirect-acl=acl-mdm-quarantine-ios
WLC redirect ACL conventions: permit entries define traffic that bypasses redirection; deny entries define traffic subject to redirection.

22 WLC URL Redirection ACL: Access to non-static IP resources
Problem statement: to register iOS and Android devices for BYOD or MDM, they may require Internet access, either for downloading supplicant software or for device validation from highly dynamic sources like iTunes and Google Play. The same applies to devices the MDM has marked non-compliant. In contrast, the WLC URL redirection ACL only offers static, IP-based rule definitions.
Workarounds (these also work with older WLC versions):
a) Permit full Internet access, deny/redirect only internal IP address ranges (note that this leaves a quarantined device with unrestricted Internet egress)
b) Permit access to Apple and Google IP ranges, deny/redirect all other traffic
c) Fake DNS resolution, optionally combined with external DNS-based network access enforcement (ASA, WSA, or others)
d) Out-of-band MDM onboarding; only do endpoint compliance checking on the network
Solution: the DNS-based pre-auth ACL available on newer WLC releases.

23 WLC URL Redirection ACL, Solution: WLC DNS-based pre-auth ACL
Same IP-based rules for ACL-MDM-QUARANTINE-ANDROID:
- Seq 1-4: infrastructure rules (including DNS, the MDM portal (default TCP/8443), and optional ICMP access)
- Seq 5: permit outbound traffic
- Seq 6: deny any traffic

24 WLC URL Redirection ACL (cont.), Solution: WLC DNS-based pre-auth ACL
Note: the allowed URL lists may need to be updated for your environment!

25 WLC URL Redirection ACL (cont.): DNS-based pre-auth ACL flow (Client, AP, WLC, ISE, MDM, DNS)
1. The client starts EAP-TLS based authentication; the authentication request goes to ISE.
1a. ISE sends a Device Status Query to the MDM; the Device Status Response returns register_status = false.
1b. ISE returns Access-Accept with ACL = ACL-MDM-QUARANTINE and URL Redirect = ISE MDM portal. The WLC enables DNS snooping on the AP for the URLs in the ACL.
2a. DNS query for a host that ISN'T part of the ACL URL list (e.g. an arbitrary web site). 3a. The DNS response is forwarded as-is to the client; the client's web request is URL-redirected to ISE (action=mdm), where the Enroll button points to the MDM server's client redirect page.
2b. DNS query for <MDM-Server>, which IS part of the ACL URL list. The DNS response is forwarded to the client with only the first resolved IP address, and that first IP address is reported to the WLC. 3b. The WLC adds the IP address to the allowed list; the Enroll button now reaches the MDM server's redirect page.

26 WLC DNS-based pre-auth ACL: feature limitations (for your reference)
- IPv6 addresses are not supported
- Up to 10 allowed URLs can be defined per ACL
- AP-to-AP roaming: after client authentication is completed, the URLs to be snooped are not passed to the new AP
- Supports both Local and FlexConnect operation mode for central authentication

27 WLC DNS-based pre-auth ACL: AP mode support (for your reference)
AP mode | Feature support | Description
Local, Mesh or FlexConnect (central switched) | Yes | DNS snooping works and the WLC is updated with the learned IP addresses to be allowed
FlexConnect (local switched) | Yes | When the pre-authentication ACL is received in the Access-Accept with the mapped URLs, DNS snooping is enabled per client on the AP
FlexConnect (central authentication) | Yes | Works as expected
FlexConnect (local authentication) | No | Not supported
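To reason about what a quarantined client can and cannot reach under the redirect ACL plus DNS snooping described in the preceding slides, here is an added example (not part of the deck and not Cisco code) that models the stated conventions: permit entries bypass redirection, deny entries redirect, only the first IPv4 address of a listed URL is learned and forwarded, at most 10 URLs per ACL, no IPv6, and snooped state is lost on an AP-to-AP roam. The addresses, MAC, URL list and rule layout are constructed for illustration; the real ACL is configured on the controller.

```python
"""Model of a WLC redirect ACL with DNS-based pre-auth allow-listing (added example)."""
import ipaddress

MAX_ALLOWED_URLS = 10          # WLC limit from the feature-limitation slide


class Rule:
    def __init__(self, seq, action, dst="any", proto="any", dport=0, desc=""):
        self.seq, self.action, self.desc = seq, action, desc   # action: "permit" | "deny"
        self.dst = None if dst == "any" else ipaddress.ip_network(dst)
        self.proto, self.dport = proto, dport                  # dport 0 = any port

    def matches(self, dst_ip, proto, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport and self.dport != dport:
            return False
        return self.dst is None or dst_ip in self.dst


class RedirectAcl:
    def __init__(self, name, rules, allowed_urls=()):
        if len(allowed_urls) > MAX_ALLOWED_URLS:
            raise ValueError(f"{name}: at most {MAX_ALLOWED_URLS} allowed URLs per ACL")
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.allowed_urls = [u.lower().rstrip(".") for u in allowed_urls]
        self.learned = {}          # client MAC -> IPv4 addresses learned by DNS snooping

    def url_listed(self, qname):
        q = qname.lower().rstrip(".")
        return any(q == u or q.endswith("." + u) for u in self.allowed_urls)

    def snoop_dns_response(self, client, qname, answers):
        """AP side: return the answer list that is forwarded to the client."""
        if not self.url_listed(qname):
            return list(answers)                       # not listed: forwarded as-is, nothing learned
        v4 = [a for a in answers if ipaddress.ip_address(a).version == 4]   # IPv6 unsupported
        if not v4:
            return []
        self.learned.setdefault(client, set()).add(ipaddress.ip_address(v4[0]))
        return [v4[0]]                                 # only the first address is learned and forwarded

    def roam(self, client):
        """AP-to-AP roam: the new AP receives no snooped URLs/addresses for the client."""
        self.learned.pop(client, None)

    def decide(self, client, dst, proto="tcp", dport=0):
        """'bypass' (reaches the destination) or 'redirect' (sent to the ISE/MDM portal)."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip.version == 6:
            return "redirect"                          # no IPv6 support; treated as unmatched traffic
        if dst_ip in self.learned.get(client, set()):
            return "bypass"                            # dynamically allowed after DNS snooping
        for rule in self.rules:
            if rule.matches(dst_ip, proto, dport):
                return "bypass" if rule.action == "permit" else "redirect"
        return "redirect"                              # implicit deny = redirect


def build_quarantine_acl():
    # Constructed: 192.0.2.10 stands in for the ISE PSN interface hosting the MDM portal.
    rules = [
        Rule(1, "permit", "any", "udp", 53, "DNS, needed so the listed URLs can be resolved"),
        Rule(2, "permit", "192.0.2.10/32", "tcp", 8443, "ISE MDM portal (default 8443)"),
        Rule(3, "permit", "any", "icmp", 0, "optional ICMP"),
        Rule(4, "deny", "any", "any", 0, "everything else is redirected"),
    ]
    return RedirectAcl("ACL-MDM-QUARANTINE-ANDROID", rules,
                       allowed_urls=["play.google.com", "mdm.example.com"])


def walkthrough():
    """Replays the slide-25 flow for one constructed client and records each decision."""
    acl = build_quarantine_acl()
    mac = "aa:bb:cc:00:00:01"
    out = {}
    out["dns"] = acl.decide(mac, "192.0.2.53", "udp", 53)
    out["portal"] = acl.decide(mac, "192.0.2.10", "tcp", 8443)
    out["store_before_dns"] = acl.decide(mac, "203.0.113.5", "tcp", 443)
    out["forwarded"] = acl.snoop_dns_response(mac, "play.google.com",
                                              ["203.0.113.5", "203.0.113.6", "2001:db8::5"])
    out["store_first_ip"] = acl.decide(mac, "203.0.113.5", "tcp", 443)
    out["store_second_ip"] = acl.decide(mac, "203.0.113.6", "tcp", 443)   # still redirected!
    out["unlisted_forwarded"] = acl.snoop_dns_response(mac, "ads.example.net", ["198.51.100.9"])
    out["unlisted_ip"] = acl.decide(mac, "198.51.100.9", "tcp", 443)
    acl.roam(mac)
    out["after_roam"] = acl.decide(mac, "203.0.113.5", "tcp", 443)
    return out


def too_many_urls_rejected():
    try:
        RedirectAcl("x", [], allowed_urls=[f"h{i}.example.com" for i in range(11)])
    except ValueError:
        return True
    return False
```

The two results worth staring at are `store_second_ip` and `after_roam`: a store that returns several A records is only reachable at the single address the AP forwarded, and a roam to another AP silently drops that allowance until the client resolves the name again, which is exactly the "URLs not passed to the new AP" limitation above.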

28 Integration Prerequisite: ISE

29 Cisco ISE release
Throughout this breakout session, the following ISE release is used: ISE 1.3, or ISE 1.2 with the latest patch (minimum patch 6 recommended).
MDM caching:
- When a device connects to the network, ISE caches the MDM state.
- The next time the device attempts to log on, ISE uses the cache to allow access according to the previous MDM check.
- Once the device is on the network, ISE checks with the MDM via an API call whether the MDM state has changed (e.g. compliant -> non-compliant).
- If the state has changed, ISE issues a CoA to apply a new policy (per the updated MDM attributes).
A note on ISE 1.3 / 1.2 patches: patches are cumulative and are posted roughly every 4-6 weeks.

30 Cisco ISE Licensing, Release 1.3: MDM integration capabilities (license tiers shown: Apex, Plus, Base)

31 Proxy-based Internet Access for ISE 1.3
Cisco ISE can automatically, on a recurring schedule, retrieve profiling and posture check updates, as well as download the latest client provisioning and posture software, directly from Cisco locations. Path: Administration > System > Settings > Proxy

32 Web Services Multi-Interface, ISE 1.2 and before
ISE 1.1 and before: all web services were supported on the management interface (eth0) only; URL redirection always used the CN value of the node certificate to populate the redirect URL.
ISE 1.2: all interfaces are enabled for all web services by default; the Guest and Client Provisioning Portal is also used for MDM redirection (onboarding and non-compliant).

33 Web Services Multi-Interface, ISE 1.3: Dedicated MDM Portal
Provides a dedicated MDM portal with individual settings options: full-fledged portal page customization; full language support integration; endpoint identity group selection, including endpoint purge.

34 Web Services Multi-Interface
Services configured to use the same HTTPS port must use the same interfaces. ISE 1.3: services on the same HTTPS port must also use the same certificate group tag.
Recommendation: limit services to specific interfaces to simplify management and security policy, e.g.:
- Blacklist portal: TCP/8444 (eth1)
- Guest/CPP: TCP/8443 (eth1)
- My Devices: TCP/8445 (eth2)
- Sponsor: TCP/8446 (eth3)

35 MDM URL Redirection Example: DNS and port settings, single interface enabled for the MDM portal
Redirection is based on the first service-enabled interface: if that is eth0, the host FQDN is returned; otherwise the interface IP address is returned.
Example: if eth1 is the only interface enabled for the MDM portal, the redirect URL carries eth1's IP address (ISE-PSN interfaces eth0 to eth3 each have their own IP address).

36 MDM URL Redirection Example (FQDN in SAN)
URL redirection uses the first MDM Portal-enabled interface (eth1).
1. The RADIUS authentication request is sent to the PSN's eth0 address.
2. The RADIUS authorization is received from eth0 with a URL redirect to the eth1 IP address.
3. The user sends the web request directly to the eth1 IP address.
4. The user receives a certificate name mismatch warning: the requested URL is an IP address, but the certificate SAN only contains ise-psn1.company.com, sponsor.company.com and mydevices.company.com.
ISE certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com. Interfaces: eth0 Admin/RADIUS, eth1 MDM Portal, eth2 MyDevices, eth3 Sponsor.

37 MDM Example with IP Address in SAN
URL redirection uses the first MDM Portal-enabled interface (eth1).
1. The RADIUS authentication request is sent to the PSN's eth0 address.
2. The RADIUS authorization is received from eth0 with a URL redirect to the eth1 IP address.
3. The user sends the web request directly to the eth1 IP address.
4. No certificate warning is received, since the SAN includes the IP address: requested URL = eth1 IP address, certificate SAN contains that same IP address.
Requires that the Certificate Signing Request includes a SAN entry for each interface IP address used for URL-redirected web services.
ISE certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, sponsor.company.com, mydevices.company.com, plus the interface IP addresses. Interfaces: eth0 Admin/RADIUS, eth1 MDM Portal, eth2 MyDevices, eth3 Sponsor.

38 IP Address-Based URL Redirection
Problem statement: any change to interface IP addressing (network relocation, vMotion, network infrastructure changes, etc.) requires new certificates with SAN attributes updated for the new IP addresses. This is a time-consuming process, new certificates signed by 3rd-party CAs can be expensive, and application services are disrupted after the new certificate is loaded.
Solution, Interface Alias: optionally assign an ISE node interface (eth1, eth2, eth3) a unique hostname/FQDN that can be resolved to its local IP address using DNS. Each PSN tracks which interfaces are enabled for each service and dynamically substitutes the IP variable in the URL redirection with the PSN's local interface alias (hostname + domain).
Considerations: manual configuration process from the CLI; DNS must be updated for each alias.

39 Interface Alias Configuration (for your reference)
Aliases are assigned to interfaces using the ip host global configuration command in ADE-OS:
(config)# ip host <interface_ip_address> <hostname> <FQDN>
Up to two values can be specified (hostname and/or FQDN). If only a hostname is specified, the globally configured ip domain-name is appended for use in URL redirection.
Example: ise-psn1/admin(config)# ip host <eth1_ip_address> ise-psn1-guest ise-psn1-guest.company.com
The host entry for Gigabit Ethernet 0 (eth0) cannot be modified. Use show run to view entries; use no ip host <ip_address> to remove an entry. A change to an interface IP address or alias requires an application server restart.

40 MDM Example using Interface Alias
URL redirection uses the first MDM Portal-enabled interface (eth1).
1. The RADIUS authentication request is sent to the PSN's eth0 address.
2. The RADIUS authorization is received from eth0 with a URL redirect to ise-psn1-guest.company.com.
3. DNS resolves the alias FQDN ise-psn1-guest.company.com to the eth1 IP address and the client sends the web request there.
4. No certificate warning is received, since the SAN contains the interface alias FQDN: requested URL = ise-psn1-guest.company.com, certificate SAN contains ise-psn1-guest.company.com.
ISE certificate: Subject = ise-psn1.company.com; SAN = ise-psn1.company.com, ise-psn1-guest.company.com. Interfaces: eth0 Admin/RADIUS, eth1 MDM Portal, eth2 MyDevices, eth3 Sponsor.

41 FQDN in SAN
Problem statement: every ISE node requires a unique certificate; new certificates signed by 3rd-party CAs can be expensive; generating new certificates each time a node is added is time-consuming; the certificate SAN must include an FQDN entry for the other web services (Sponsor, MDP, etc.); some endpoints require each PSN certificate to be trusted and will prompt the user to accept it.
Solution, wildcard certificates: allow multiple ISE nodes to share a single certificate for Web/EAP authentication; no longer require a custom SAN with node FQDNs or interface IP addresses; the most seamless end-user experience.
Considerations: less secure than a unique certificate per node, since one compromised private key covers every node and every name under the wildcard, so take greater care to safeguard it; limit exposure by deploying ISE into its own subdomain, e.g. *.ise.company.com.

42 NetworkWorld blog from Aaron Woland (for your reference): "What are Wildcard Certificates, and how do I use them with Cisco's ISE?"
Source: what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise

43 3rd Party Cert Provider Support for Wildcard in SAN
Cert / CA provider | Wildcard SAN support? | Comments
ssl.com | Yes | Full support
Digicert | Yes | Supports wildcard SAN plus the option to add an IP in a SAN DNS label
Comodo | Yes | Choose the UC certificate option and select Tomcat software
Entrust | Yes / No | A wildcard in the SAN is not a standard UC Multidomain certificate option; it is available as part of a special promotion and takes longer processing time
Geotrust | No | Only supports SAN with UC certificates, and SAN costs extra
Verisign | No |
GoDaddy | No |


45 MDM Example using Alias & Wildcard in SAN
URL redirection uses the first MDM Portal-enabled interface (eth1).
1. The RADIUS authentication request is sent to the PSN's eth0 address.
2. The RADIUS authorization is received from eth0 with a URL redirect to ise-psn1-guest.company.com.
3. DNS resolves the alias FQDN ise-psn1-guest.company.com to the eth1 IP address and the client sends the web request there.
4. No certificate warning is received, since the wildcard SAN covers the interface alias FQDN: requested URL = ise-psn1-guest.company.com, certificate SAN = *.company.com.
ISE certificate: Subject = ise.company.com; SAN = ise.company.com, *.company.com. Interfaces: eth0 Admin/RADIUS, eth1 MDM Portal, eth2 MyDevices, eth3 Sponsor.
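The four redirect cases in slides 36, 37, 40 and 45 all come down to one question: does the host in the redirect URL match an entry in the ISE certificate's SAN? The following added example (not part of the deck and not Cisco or ISE code) checks exactly that with a small RFC 6125-style matcher, so a planned certificate/alias combination can be validated before the CSR is submitted. Host names are taken from the slides; the eth1 address and the `*.ise.company.com` variant are constructed.

```python
"""Check whether an ISE redirect URL will trigger a certificate name mismatch (added example)."""
import ipaddress
from urllib.parse import urlsplit


def _dns_name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                                  # "*.company.com" -> ".company.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost         # a.b.company.com is NOT covered


def san_covers(host, san):
    """san: list of ("DNS", name) / ("IP", address) entries.

    An IP literal in the URL is only satisfied by an iPAddress SAN entry; the
    Subject CN or a DNS entry spelling the address as text does not count.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def redirect_is_clean(redirect_url, san):
    """True if the endpoint will see no certificate name mismatch for this redirect."""
    host = urlsplit(redirect_url).hostname
    return host is not None and san_covers(host, san)


# Constructed eth1 address for ise-psn1 (the deck's diagrams show the slot without a value).
ETH1_IP = "192.0.2.11"
SAN_FQDN_ONLY = [("DNS", "ise-psn1.company.com"), ("DNS", "sponsor.company.com"),
                 ("DNS", "mydevices.company.com")]                       # slide 36
SAN_WITH_IP = SAN_FQDN_ONLY + [("IP", ETH1_IP)]                         # slide 37
SAN_WITH_ALIAS = [("DNS", "ise-psn1.company.com"),
                  ("DNS", "ise-psn1-guest.company.com")]                 # slide 40
SAN_WILDCARD = [("DNS", "ise.company.com"), ("DNS", "*.company.com")]   # slide 45
SAN_WILDCARD_SUBDOMAIN = [("DNS", "ise.company.com"),
                          ("DNS", "*.ise.company.com")]                  # slide 41 recommendation


def walkthrough():
    portal = ":8443/mdmportal/?sessionId=1&action=mdm"   # constructed portal path
    return {
        "slide36_ip_url_fqdn_san": redirect_is_clean(f"https://{ETH1_IP}{portal}", SAN_FQDN_ONLY),
        "slide37_ip_in_san": redirect_is_clean(f"https://{ETH1_IP}{portal}", SAN_WITH_IP),
        "slide40_alias": redirect_is_clean(f"https://ise-psn1-guest.company.com{portal}",
                                           SAN_WITH_ALIAS),
        "slide45_wildcard": redirect_is_clean(f"https://ise-psn1-guest.company.com{portal}",
                                              SAN_WILDCARD),
        "wildcard_one_label_only": redirect_is_clean(
            f"https://ise-psn1-guest.ise.company.com{portal}", SAN_WILDCARD),
        "wildcard_in_subdomain": redirect_is_clean(
            f"https://ise-psn1-guest.ise.company.com{portal}", SAN_WILDCARD_SUBDOMAIN),
    }
```

The last two entries show why the subdomain advice matters in practice: `*.company.com` does not cover `ise-psn1-guest.ise.company.com`, so moving ISE into `ise.company.com` requires the wildcard to be issued for `*.ise.company.com`, which in turn is what keeps the key's blast radius to the ISE subdomain.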

46 Web Services Multi-Interface: Routing Challenge
The key business driver for multi-interface support is traffic separation, with the assumption that traffic for one service that enters on interface X returns via the same interface/network path.
Problem statement: packets received on any ISE interface rely on the CARS (ADE-OS) routing table to determine the egress interface and next-hop address, regardless of the ingress interface.
Solution: configure static routes for each endpoint subnet on each node via the CLI so the desired web service interface is used; or source-NAT the client traffic towards the web portal interfaces and configure a static route to the NATed network.
Considerations: if NAT is not used, then depending on network size and addressing complexity, hundreds of static routes may be required, which is very difficult to manage and maintain. The dedicated-interface Anchor Controller use case should not be impacted, since the client IP is local (L2-adjacent) to the dedicated ISE interface in the DMZ.

47 Web Services Multi-Interface Summary
(URL redirection columns: IP in SAN, Interface alias, FQDN in SAN)
Deployment, first service-enabled IF | IP in SAN | Interface alias | FQDN in SAN | Wildcard certificate | Routing
Standalone ISE, eth0 | not required | not applicable | not required (host FQDN returned) | not required | no changes required
Standalone ISE, eth1-eth3 | required, or use IF alias | recommended unless IP in SAN is used | possible, requires IF alias definition | possible, requires IF alias definition | adjust static routes or add SRC-NAT
Distributed ISE, eth0 | not required | not applicable | not required (host FQDN returned) | not required | no changes required
Distributed ISE, eth1-eth3 | required, or use IF alias | recommended unless IP in SAN is used | possible, requires IF alias definition | recommended, requires IF alias definition | adjust static routes or add SRC-NAT

48 Integration Prerequisite: MDM

49 3rd Party MDM Vendor Support, ISE 1.3 / ISE 1.2
Supported vendor versions (vendor names shown as logos on the slide): Version 7.0 SP3; Version 6.2; Cisco MCMS v1.0; App Center; Version 7.1; Version 5.5; Version 13.2 Patch 5; Systems Manager Enterprise; Version 2.3; Casper Suite Version X.Y

50 MDM Onboarding / Compliance Check Flow
BYOD registered? If not: BYOD registration (Internet only). Then: MDM registered? If not: MDM onboarding. Then: MDM compliant? If not: MDM non-compliant (remediation). Otherwise: Access-Accept.
Note: various other onboarding and compliance check flows are feasible!

51 Agenda: ISE's MDM Configuration

52 ISE MDM Configuration Overview
Prerequisites: WLC, 3rd-party MDM server, network connectivity, ...
1. ISE MDM Communication: verify ISE-to-MDM communication (API and MDM server access rights testing).
2. Add MDM Server: add the MDM server certificate to the ISE trusted certificate store; add the new MDM server; review the MDM dictionaries.
3. Configure Profiles and Policies: configure the ISE authentication policy, the ISE authorization profiles, and the ISE authorization policy.

53 ISE MDM Configuration: ISE MDM Communication

54 ISE MDM communication
The MDM exposes an HTTPS-based XML API. Temporarily stand in for the ISE PSN with another device (using ISE's proxy settings, if any) and verify basic MDM server connectivity, the server information and the API credentials. The MDM server info (e.g. from Meraki SME) returns:
- The API path for further calls (e.g. /ciscoise/); Meraki doesn't use instances, so there is no need to add <Instance> before <api_path>
- The client redirection URL used for MDM registration
- Messaging API: optional, enables ISE to send messages through the MDM to end-user mobile devices

55 ISE MDM communication: endpoint status/compliance query example
All attributes are retrieved and MDM reachability is determined by a single API call for each new client session. Starting with ISE 1.2 P6, an endpoint that reconnects immediately is handled based on the previous MDM API records; only if the post-authorization lookup determines that values have changed is a CoA sent.
Query: the endpoint to be validated. Response: MDM registration status; MDM compliance status, both the overall status (macro) and the specific compliance checks (micro); endpoint details provided by the MDM (manufacturer, model, IMEI, serial number, OS version, phone number).

56 ISE MDM Configuration: Add MDM Server

57 Add MDM Server: Add the MDM server certificate to ISE Trusted Certificates
Path: Administration > System > Certificates > Trusted Certificates
Note: if the MDM server certificate is CA-signed, import the signing CA (root) instead.

58 Add MDM Server: Add new MDM server
Path: Administration > Network Resources > External MDM
- Multiple MDM servers can be defined, but only one can be active at any time
- The Instance Name field is for multi-tenant MDMs
- The user account must have API rights on the MDM
- Recommended: set the same polling interval as on the MDM server (default = 240 minutes, 0 = disabled). Caution: aggressive polling can impact system load, as ISE must collect the status of all endpoints via the API and trigger CoAs to all non-compliant devices
- Test server reachability

59 ISE MDM Configuration (for your reference): most common configuration issues
Connection message | Explanation
Connection Failed: Please check the connection parameters | A routing or firewall problem exists between the ISE located in the data center and the MDM located in the DMZ or the cloud. Check the firewall configuration to confirm HTTPS is allowed in this direction.
Connection Failed 404: Not Found | The most likely cause of an HTTP 404 is that an instance was configured when it was not required, or that the wrong instance has been configured.
Connection Failed 403: Forbidden | The user account set up on the MDM server does not have the proper roles. Validate that the account used by ISE is assigned the REST API MDM role.
Connection Failed 401: Unauthorized | The user name or password is not correct for the account used by ISE.
Connection Failed: There is a problem with the server certificate or ISE Trust store | ISE does not trust the certificate presented by the MDM website: the certificate was not imported into the ISE certificate store, or it has expired since it was imported.
The MDM Server details are valid and the connectivity was successful | The connection was tested successfully. The administrator should also verify that the MDM AUTHZ dictionary has been populated with attributes.
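Slide 54 suggests verifying the MDM server info and API credentials from a host standing in for the PSN, and slide 59 lists how the results map to ISE's test messages. The following added example (not part of the deck and not Cisco code) does both: it builds the server-info URL with or without an instance, performs the request through an optional proxy with CA verification like ISE's trust store, and classifies the outcome. Assumptions to check against the vendor's API documentation: the ISE MDM API uses HTTP basic authentication and a GET on `<api_path>/mdminfo/?ise_api_version=2` returning an `<ise_api>` XML document; the element names in `SAMPLE_MDMINFO` follow my reading of the ISE MDM API v2 spec, and the sample itself is constructed so the parsing and mapping can be exercised offline.

```python
"""Probe an MDM server the way ISE's "Test Server" button does (added example)."""
import base64
import socket
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def mdminfo_url(server, api_path="/ciscoise/", instance=None, api_version=2):
    """Server-info URL; Meraki-style APIs have no <instance> segment before the API path."""
    inst = f"/{instance.strip('/')}" if instance else ""
    return f"https://{server}{inst}/{api_path.strip('/')}/mdminfo/?ise_api_version={api_version}"


def classify(status=None, exc=None):
    """Map a probe outcome to the ISE 'Test Server' messages on the slide above."""
    if exc is not None:
        if isinstance(exc, ssl.SSLCertVerificationError):
            return "cert-not-trusted"      # MDM cert/CA missing from the ISE trust store, or expired
        if isinstance(exc, (socket.timeout, TimeoutError, ConnectionError, OSError)):
            return "unreachable"           # routing/firewall between ISE and MDM (HTTPS outbound)
        return "other"
    return {200: "ok",
            401: "bad-credentials",        # wrong username/password
            403: "missing-api-role",       # account lacks the REST API MDM role
            404: "wrong-instance",         # instance set when not needed, or the wrong instance
            }.get(status, f"http-{status}")


def parse_mdminfo(xml_bytes):
    """Extract the server info ISE needs (assumed element names, see lead-in)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "ise_api":
        raise ValueError(f"unexpected root element {root.tag!r}")
    info = {child.tag: (child.text or "").strip() for child in root}
    for key in ("api_version", "redirect_url"):       # without these ISE cannot redirect clients
        if not info.get(key):
            raise ValueError(f"mdminfo response lacks <{key}>")
    info["messaging_support"] = info.get("messaging_support", "false").lower() == "true"
    return info


def probe(server, user, password, api_path="/ciscoise/", instance=None,
          proxy=None, cafile=None, timeout=10):
    """Live check; returns (classification, parsed info or None). Not used by the offline demo."""
    ctx = ssl.create_default_context(cafile=cafile)      # verify like ISE's trust store does
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:                                            # mirror ISE's proxy settings if it has one
        handlers.append(urllib.request.ProxyHandler({"https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()   # assumed: basic auth
    req = urllib.request.Request(mdminfo_url(server, api_path, instance),
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status), parse_mdminfo(resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code), None
    except urllib.error.URLError as e:                   # HTTPError is caught above
        return classify(exc=e.reason), None


# Constructed response, not captured from a real MDM.
SAMPLE_MDMINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<ise_api>
  <name>mdminfo</name>
  <api_version>2</api_version>
  <api_path>/ciscoise</api_path>
  <redirect_url>https://mdm.example.com/enroll</redirect_url>
  <query_max_size>3000</query_max_size>
  <messaging_support>true</messaging_support>
  <vendor>ExampleMDM</vendor>
  <product_name>Example MDM Server</product_name>
  <product_version>1.0</product_version>
</ise_api>"""


def demo_outcomes():
    """Offline demonstration of the mapping, using constructed exceptions and status codes."""
    return {
        "cert": classify(exc=ssl.SSLCertVerificationError()),
        "timeout": classify(exc=socket.timeout()),
        "refused": classify(exc=ConnectionRefusedError()),
        "404": classify(404), "403": classify(403), "401": classify(401), "200": classify(200),
    }
```

Run `probe("mdm.example.com", "ise-api-user", "secret", cafile="mdm-ca.pem", proxy="http://proxy.company.com:3128")` from the ISE's network segment (same egress path, same proxy) rather than from an admin workstation, otherwise a firewall rule that only allows the PSN's address will not be exercised and the "unreachable" case stays hidden.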

60 Add MDM Server: Review MDM Dictionaries
Once the MDM server is added, the MDM and MDM_LOG dictionaries show up in ISE and can later be used in ISE authorization policies.
Path: Policy > Policy Elements > Dictionaries > System > MDM

61 ISE MDM Configuration: Configure Profiles and Policies

62 Configure Profiles and Policies: Configure ISE Authentication Policy
Path: Policy > Authentication
The sample authentication policy shown is representative for both single-SSID and dual-SSID configurations with MAB and 802.1X.

63 Configure Profiles and Policies: Configure ISE Authorization Profiles
Path: Policy > Policy Elements > Results > Authorization > Authorization Profiles
MDM redirect is a common task under Web Redirection. The same MDM Redirect authorization profile can be used for both registration with the MDM server and compliance/remediation with the MDM server, or two different profiles can be used for better visibility. The redirect ACL must allow access to the MDM server and to the onboarding and remediation resources.

64 Configure Profiles and Policies: Configure ISE Authorization Policy
Path: Policy > Authorization (conditions based on MDM attributes): MDM server reachability; endpoint registration status; endpoint macro-level compliance status; endpoint micro-level compliance status (disk encryption, PIN lock, and jailbroken status); further MDM attributes available for policy conditions (manufacturer, model, IMEI, serial number, OS version, phone number).

65 Configure Profiles and Policies: Configure ISE Authorization Policy (cont.), MDM server reachability
Best practice: include an MDM server reachability rule above the other MDM rules to return a fallback permission if the MDM is down, or add this condition to each rule that relies on an MDM reply to complete. Without an MDM reachability rule, access may be blocked whenever the MDM is unreachable.

66 Configure Profiles and Policies: Configure ISE Authorization Policy (cont.)
Path: Policy > Authorization

67 ISE MDM Integration Scalability
Scalability: 30 API calls per second (>100,000 calls/h); consider Internet bandwidth and latency for cloud-based solutions.
Passive reassessment: bulk recheck against the MDM server using a configurable timer (polling interval). If the periodic recheck shows that a connected endpoint is no longer compliant, ISE sends a CoA to terminate the session.
Survivability: a CoA is NOT sent for devices granted access while the MDM server was unavailable. If a device was granted fail-open or another limited access state (for example, URL-redirected to the MDM), the user can press the Continue button once the MDM is back online to trigger a CoA.
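The flow on slide 50, the caching behaviour on slides 29 and 55, the reachability rule on slide 65 and the reassessment/survivability rules above fit together into one small policy engine. The following added example (not part of the deck and not ISE code) implements them: the rule order is the one the deck recommends, `FakeMdm` stands in for the vendor API, and the MAC addresses and device states are constructed.

```python
"""ISE-style MDM authorization with reachability fallback, caching and CoA (added example)."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    BYOD_ONBOARD = "redirect to ISE BYOD registration"
    FALLBACK = "fallback permission: MDM server unreachable"
    MDM_ONBOARD = "redirect to ISE MDM portal (action=mdm)"
    QUARANTINE = "non-compliant: quarantine ACL, remediation only"
    FULL = "Access-Accept: corporate resources"


@dataclass(frozen=True)
class MdmState:
    reachable: bool
    registered: bool = False
    compliant: bool = False      # macro status; micro checks (PIN lock, jailbreak...) folded in


class FakeMdm:
    """Constructed stand-in for the MDM vendor API."""
    def __init__(self):
        self.records = {}
        self.down = False
        self.calls = 0

    def query(self, mac):
        self.calls += 1
        if self.down:
            return MdmState(reachable=False)
        return self.records.get(mac, MdmState(reachable=True))   # unknown device: not registered


def evaluate(byod_registered, st):
    """Authorization policy, first match wins."""
    if not byod_registered:
        return Access.BYOD_ONBOARD
    if not st.reachable:          # reachability rule sits above every rule that needs an MDM reply
        return Access.FALLBACK
    if not st.registered:
        return Access.MDM_ONBOARD
    if not st.compliant:
        return Access.QUARANTINE
    return Access.FULL


class IsePsn:
    def __init__(self, mdm):
        self.mdm = mdm
        self.cache = {}       # mac -> last MdmState obtained from a successful query
        self.sessions = {}    # mac -> (byod_registered, current decision)

    def authorize(self, mac, byod_registered=True):
        st = self.cache.get(mac)
        if st is None:                      # reconnecting devices reuse the cached MDM state
            st = self.mdm.query(mac)
            if st.reachable:
                self.cache[mac] = st
        decision = evaluate(byod_registered, st)
        self.sessions[mac] = (byod_registered, decision)
        return decision

    def post_auth_lookup(self, mac):
        """Re-query the MDM after authorization; CoA only if the decision changed."""
        byod, current = self.sessions[mac]
        if current is Access.FALLBACK:
            return None                     # granted while MDM was down: no CoA, user presses Continue
        fresh = self.mdm.query(mac)
        if not fresh.reachable:
            return None
        self.cache[mac] = fresh
        new = evaluate(byod, fresh)
        if new is current:
            return None
        self.sessions[mac] = (byod, new)
        return ("CoA", new)

    def continue_pressed(self, mac):
        """User-triggered re-check from the limited-access page once the MDM is back online."""
        byod, _ = self.sessions[mac]
        self.cache.pop(mac, None)
        return self.authorize(mac, byod)

    def passive_reassessment(self):
        """Bulk recheck on the polling interval; terminate sessions that lost compliance."""
        terminated = []
        for mac, (byod, decision) in list(self.sessions.items()):
            if decision is not Access.FULL:
                continue
            fresh = self.mdm.query(mac)
            if fresh.reachable and not fresh.compliant:
                self.cache[mac] = fresh
                self.sessions.pop(mac)
                terminated.append(mac)
        return terminated


def scenario():
    mdm = FakeMdm()
    psn = IsePsn(mdm)
    dev, dev2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"     # constructed MACs
    out = {}
    out["first_connect"] = psn.authorize(dev)                    # unknown to MDM -> onboarding
    mdm.records[dev] = MdmState(True, registered=True, compliant=True)   # user enrolled
    out["after_enrollment"] = psn.post_auth_lookup(dev)          # decision changed -> CoA
    out["reconnect"] = psn.authorize(dev)                        # served from cache
    out["calls_after_reconnect"] = mdm.calls                     # cache answered, no new API call
    mdm.records[dev] = MdmState(True, registered=True, compliant=False)  # e.g. jailbroken later
    out["terminated"] = psn.passive_reassessment()               # periodic recheck kills session
    mdm.down = True
    out["while_down"] = psn.authorize(dev2)                      # reachability rule -> fallback
    out["no_coa_while_down"] = psn.post_auth_lookup(dev2)        # survivability: no CoA
    mdm.down = False
    mdm.records[dev2] = MdmState(True, registered=True, compliant=True)
    out["continue_pressed"] = psn.continue_pressed(dev2)         # user re-triggers the check
    return out
```

Note what the fallback rule decides for you: everything in `Access.FALLBACK` is granted without any MDM evidence, so its permissions (Internet only, or full access) are a deliberate risk decision, and the `post_auth_lookup` short-circuit means nothing will pull that device back until it reconnects or the user presses Continue.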

68 Agenda: End-User Experience

69 End-User Experience BYOD & MDM on-boarding (Video)

70 End-User Experience (BYOD & MDM on-boarding)

71 Agenda: Tracking, Logging, Reporting & Troubleshooting

72 Tracking Devices, Logging & Reporting

73 Tracking Devices: MyDevices Portal
The user can issue additional remote actions through the My Devices Portal; the ISE Endpoints directory offers the same actions to the administrator. Remote actions: Lost/Reinstate; Stolen (+ revoke certificate); PIN Lock; Unenroll/Corporate Wipe; Full Wipe; Edit Description; Delete/Remove device.

74 ISE and WLC Session Logging: ISE Live Authentications log with session details; WLC Monitor > Clients with client details.

75 MDM Reporting: authorization conditions definitions. Path: Operations > ISE Reports > Endpoints and Users > Mobile Device Management

76 Troubleshooting

77 Selective Client Log Suppression
Path: Administration > System > Logging >
 Collection Filters. PSN static log collection filters; filter messages based on the authentication result.

78 Temporary Client Log Suppression: enhanced suppression filter handling. Path: Operations > Authentications

79 Endpoint Debug: enhanced endpoint debugging. Path: Operations > Authentications

80 Endpoint Debug: enhanced endpoint debugging (cont.). Path: Operations > Authentications

81 MDM DEBUG log collection
1. Set the MDM debug level to DEBUG (Administration > System > Logging > Debug Log Configuration) and select the PSN node used for debugging.
2. Examine the component names and flip these components' log level to DEBUG: mdm, mdm-pip.
3. Repeat the steps above if more than one PSN is involved in the debugging.

82 MDM DEBUG log collection (cont.)
4. (Optional) During the tests, note the date/time and the session IDs.
5. Gather the generated log files and review the debug messages: ise-psc.log, catalina.out, iselocalstore.log.
6. Revert the log level changes made in step 2 (default = INFO).

83 View Log from Console (CLI or SSH): view the list of available log files; view new log entries in a specific log file.

84 NSLookup options: name-server (specify an alternate name server to use); querytype (specify the DNS record query type).

85 Capture Console Logs from iOS Devices (for your reference)
Use the iPhone Configuration Utility: connect the iOS device via cable, switch to Console, and reproduce the problem. iOS troubleshooting references: Push Notifications; iOS Packet Tracing.

86 Capture Console Logs from Android Devices (for your reference)
Android provides a mechanism for collecting and viewing system debug output known as LogCat. Android troubleshooting reference: Using DDMS.

87 Agenda: Wrap-Up & Closing

88 Closing: Tight ISE and MDM Integration
Register with ISE for BYOD -> ISE allows Internet access. ISE fetches the MDM compliance status; register with MDM -> access to corporate resources is granted only once the MDM reports compliance.
Goal reached: tear down the legacy silos!

89 Wrap-Up
MDM integration consists of 3 main steps:
1. Integration prerequisites
2. Add MDM server
3. Configure ISE policies

90 Links (for your reference)
- Secure Access, TrustSec, and ISE
- Cisco ISE Design Guides: Integrating MDM with Cisco ISE (guides available for AirWatch, Cisco MCMS, Fiberlink, MobileIron)
- Cisco ISE MDM Partner Integration, At a Glance: lists the current API capabilities per MDM vendor
- Cisco TrustSec and ISE Deployment Guides
Cisco MCMS = Cisco Mobile Collaboration Management Service

91 Complete Your Online Session Evaluation
Please complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.

92 Don't just connect your mobile device, INTEGRATE IT!

93
