Cisco ISE 1.3 User Guide
• Phone Number

Supported MDM Servers

Supported MDM servers include products from the following vendors:
• Airwatch, Inc.
• Good Technology
• MobileIron, Inc.
• Zenprise, Inc.
• SAP Afaria
• Fiberlink/IBM MaaS
• Meraki

Ports Used by the MDM Server

The following table lists the ports that must be open between Cisco ISE and the MDM server to enable them to communicate with each other. Refer to the MDM server documentation for a list of ports that must be open on the MDM agent and server.

Table 13: Ports Used by the MDM Server

Ports        MDM Server
443          MobileIron
443          Zenprise
19005        Good
443          Airwatch
443          Afaria
443          Fiberlink MaaS
443          Meraki
80 and 443   Microsoft Intune
80 and 443   Microsoft SCCM

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 185: Mobile Device Manager Interoperability with Cisco ISE
MDM Dictionary Attributes

After you add the MDM server definition in Cisco ISE, the MDM dictionary attributes are available in Cisco ISE for use in authorization policies. You can view the dictionary attributes that are available for use in authorization policies.

While these MDM dictionary attributes are in use in policies, you cannot delete the MDM server configuration from Cisco ISE. To remove the MDM server configuration, you must first remove the MDM dictionary attributes from the policies, and then remove the MDM server from Cisco ISE.

MDM Integration Process Flow

This section describes the MDM integration process:

1. The user associates a device to an SSID.
2. Cisco ISE makes an API call to the MDM server.
3. This API call returns a list of devices for this user and the posture status for the devices.
   Note: The input parameter is the MAC address of the endpoint device. For off-premise Apple iOS devices, this is the UDID.
4. Cisco ISE uses MDM to provision the device and presents an appropriate page for the user to register the device.
5. The user registers the device in the MDM server, and the MDM server redirects the request to Cisco ISE (through automatic redirection or manual browser refresh).
6. Cisco ISE queries the MDM server again for the posture status.
7. If the user's device is not compliant with the posture (compliance) policies configured on the MDM server, the user is notified that the device is out of compliance and must be made compliant.
8. After the user's device becomes compliant, the MDM server updates the device state in its internal tables.
9. If the user refreshes the browser now, control is transferred back to Cisco ISE.
10. Cisco ISE polls the MDM server once every four hours to get compliance information and issues a Change of Authorization (CoA) as appropriate. This interval can be configured by the administrator. Cisco ISE also checks the MDM server every 5 minutes to make sure that it is available.

The following figure illustrates the MDM process flow.
Set Up MDM Servers With Cisco ISE

To set up MDM servers with Cisco ISE, you must perform the following high-level tasks:

Procedure
Step 1 Import the MDM server certificate into Cisco ISE.
Step 2 Create mobile device manager definitions.
Step 3 Configure ACLs on the Wireless LAN Controllers.
Step 4 Configure an authorization profile for redirecting non-registered devices.
Step 5 Configure authorization policy rules for the MDM use cases.

Import MDM Server Certificate into Cisco ISE

For Cisco ISE to connect with the MDM server, you must import the MDM server certificate into the Cisco ISE Certificate Store. If your MDM server has a CA-signed certificate, you must import the root CA into the Cisco ISE Certificate Store.

Procedure
Step 1 Export the MDM server certificate from your MDM server and save it on your local machine.
Step 2 Choose Administration > Certificates > Certificate Store > Import.
Step 3 Click Browse to select the MDM server certificate that you obtained from the MDM server.
Step 4 Add a friendly name.
Step 5 Click Submit.
Step 6 Verify that the Certificate Store list page lists the MDM server certificate.
What to Do Next
Create Mobile Device Manager Definitions, on page 188.

Create Mobile Device Manager Definitions

You can create one or more Mobile Device Manager (MDM) definitions for external MDM servers so that Cisco ISE can obtain the most up-to-date device connection status for logged-in user devices on demand. (Although you can configure multiple MDM server definitions, you can activate only one MDM server with which Cisco ISE interoperates at a time.)

Before You Begin
Ensure that you have imported the MDM server certificate into Cisco ISE.

Procedure
Step 1 Choose Administration > Network Resources > MDM.
Step 2 Click Add.
Step 3 Enter the name and description of the MDM server that you want to add.
Step 4 Check (or uncheck) the Status check box to indicate which MDM server should be Active. Cisco ISE can communicate with only one MDM server at a time.
Step 5 Enter the MDM server IP address or hostname (FQDN) in the MDM server host field.
Step 6 Specify the network/proxy port through which Cisco ISE must communicate with the MDM server.
Step 7 Specify a server instance name for the MDM server you are adding. (This depends on the vendor.)
Step 8 Specify the MDM server administrator username and password so that Cisco ISE can log in to and interoperate with the MDM server database.
Step 9 Enter the polling interval in minutes for Cisco ISE to poll the MDM server for compliance check information. This value should be the same as the polling interval on your MDM server. The default value is 240 minutes.
We recommend that you set the polling interval below 60 minutes only for testing a few active clients on your network. If you set this value below 60 minutes for a production environment with many active clients, the system's load increases significantly and might negatively impact performance.
If you set the polling interval to 0, ISE disables communication with the MDM server.
Step 10 Specify the time interval in minutes for Cisco ISE to poll the MDM server for device re-authentication for compliant devices in the Time Interval For Compliance Device ReAuth Query field. The valid range is from 1 to 1440 minutes. The default value is 1 minute.
If the device is non-compliant, Cisco ISE queries the MDM server every one minute for device re-authentication.
Step 11 Check the Enable check box to activate the MDM server connection with Cisco ISE.
Step 12 Click Test Connection to test Cisco ISE's connection to the MDM server.
If Cisco ISE displays a connection error, the issue may be with the certificate, the username/password, or the server not being reachable. If you are using a proxy for the internet connection and the MDM server is part of the internal network, then you have to put the MDM server name or its IP address in the Proxy-Bypass list. Choose Administration > Settings > Proxy Settings to perform this action.
Step 13 Click Submit to save the MDM server definition. The MDM dictionary is populated in Cisco ISE only after you successfully connect Cisco ISE with the MDM server.

What to Do Next
Configure an Authorization Profile for Redirecting Nonregistered Devices

Set Permissions When AD User in the Domain Admin Group

For Windows 2008 R2, Windows 2012, and Windows 2012 R2, the Domain Admin group does not have full control on certain registry keys in the Windows operating system by default. The Active Directory admin must give the Active Directory user Full Control permissions on the following registry keys:
• HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
• HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

No registry changes are required for the following Active Directory versions:
• Windows 2003
• Windows 2003 R2
• Windows 2008

To grant full control, the Active Directory admin must first take ownership of the key, as shown below.

Procedure
Step 1 Go to the Owner tab by right-clicking the key.
Step 2 Click Permissions.
Step 3 Click Advanced.

Required Permissions when AD User not in Domain Admin Group

For Windows 2012 R2, give the Active Directory user Full Control permissions on the following registry keys:
• HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
• HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

The following permissions are also required when an Active Directory user is not in the Domain Admin group, but is in the Domain Users group:
• Add Registry Keys to Allow ISE to Connect to the Domain Controller (see below)
• Permissions to Use DCOM on the Domain Controller, on page 190
• Set Permissions for Access to WMI Root/CIMv2 Name Space, on page 192
These permissions are only required for the following Active Directory versions:
• Windows 2003
• Windows 2003 R2
• Windows 2008
• Windows 2008 R2
• Windows 2012
• Windows 2012 R2

Add Registry Keys to Allow ISE to Connect to the Domain Controller

You must manually add some registry keys to the domain controller to allow ISE to connect as a Domain User and retrieve login authentication events. An agent is not required on the domain controller or on any machine in the domain.

The following registry script shows the keys to add. You can copy and paste this into a text file, save the file with a .reg extension, and double-click the file to make the registry changes. To add registry keys, the user must be an owner of the root key.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"

[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

[HKEY_CLASSES_ROOT\Wow6432Node\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

Make sure that you include two spaces in the value of the key DllSurrogate.
Keep the empty lines as shown in the script above, including an empty line at the end of the file.

Permissions to Use DCOM on the Domain Controller

The Active Directory user used for ISE's Identity Mapping services must have permissions to use DCOM (remote COM) on the Domain Controller. You can configure permissions with the dcomcnfg command line tool.
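The registry script above is easy to get wrong when copied by hand (the two-space DllSurrogate value in particular). The following PowerShell script is an added example and is not part of the Cisco guide: it applies the same three entries from an elevated session on the domain controller, grants Full Control on the two CLSID keys named in the preceding section, and then reads every value back with a whitespace-sensitive comparison. It assumes ownership of the CLSID keys has already been taken as described above, and the account name EXAMPLE\ise-svc is a placeholder for the real ISE domain user.

```powershell
# Added example (not from the Cisco guide). Run elevated on the domain controller.
$IseAccount = 'EXAMPLE\ise-svc'   # placeholder: the domain user ISE authenticates as
$Guid       = '{76A64158-CB41-11D1-8B02-00600806D9B6}'

# HKEY_CLASSES_ROOT has no default PowerShell drive, so map one for this session.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Key path => value name / expected data, mirroring the .reg script in the guide.
$desired = @{
    "HKCR:\CLSID\$Guid"             = @{ AppID        = $Guid }
    "HKCR:\AppID\$Guid"             = @{ DllSurrogate = '  ' }   # exactly two spaces
    "HKCR:\Wow6432Node\AppID\$Guid" = @{ DllSurrogate = '  ' }   # exactly two spaces
}

foreach ($key in $desired.Keys) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($entry in $desired[$key].GetEnumerator()) {
        # REG_SZ, the same type a quoted string in a .reg file produces
        Set-ItemProperty -Path $key -Name $entry.Key -Value $entry.Value -Type String
    }
}

# Grant Full Control to the ISE account on the two CLSID keys listed in the guide.
# Ownership must already have been taken (Owner tab in regedit), otherwise Set-Acl fails.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $IseAccount, 'FullControl', 'ContainerInherit', 'None', 'Allow')
foreach ($key in "HKCR:\CLSID\$Guid", "HKLM:\Software\Classes\Wow6432Node\CLSID\$Guid") {
    if (Test-Path -Path $key) {
        $acl = Get-Acl -Path $key
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
}

# Verification: -cne is case- and whitespace-sensitive, so a DllSurrogate value that
# lost its two spaces on the way through a text editor is reported as a mismatch.
function Test-IseRegistryKeys {
    $ok = $true
    foreach ($key in $desired.Keys) {
        foreach ($entry in $desired[$key].GetEnumerator()) {
            $actual = (Get-ItemProperty -Path $key -Name $entry.Key -ErrorAction SilentlyContinue).($entry.Key)
            if ($actual -cne $entry.Value) {
                Write-Warning "$key\$($entry.Key) is '$actual', expected '$($entry.Value)'"
                $ok = $false
            }
        }
    }
    return $ok
}

Test-IseRegistryKeys   # $true when all three entries match the guide exactly
```

Writing through the HKCR: drive lands in HKLM\Software\Classes, which is the same location the .reg file targets; the Wow6432Node path is included because ISE's DCOM activation goes through the 32-bit surrogate registration on 64-bit domain controllers.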
Procedure
Step 1 Run the dcomcnfg tool from the command line.
Step 2 Expand Component Services.
Step 3 Expand Computers > My Computer.
Step 4 Select Action from the menu bar, click Properties, and click COM Security.
Step 5 Make sure that the account that ISE will use for both Access and Launch has Allow permissions. That Active Directory user should be added to all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions).
Step 6 Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions.

Figure 16: Local and Remote Access for Access Permissions
Figure 17: Local and Remote Access for Launch and Activation Permissions
Set Permissions for Access to WMI Root/CIMv2 Name Space

By default, Active Directory users do not have the Execute Methods and Remote Enable permissions. You can grant access using the wmimgmt.msc MMC console.
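Because the wmimgmt.msc dialog gives no easy way to review what was actually granted, the following PowerShell script is an added example (not part of the Cisco guide) that reads the root\cimv2 namespace security descriptor and reports, per trustee, which WMI rights each ACE carries. It then checks that the ISE account holds the two rights this section names (Execute Methods and Remote Enable) and warns if it holds more. It assumes Windows PowerShell 5.1 on the domain controller (Invoke-WmiMethod), and EXAMPLE\ise-svc is a placeholder for the real account. The check looks only at ACEs whose trustee is that account; rights the account inherits through group membership are not resolved.

```powershell
# Added example (not from the Cisco guide). Run on the domain controller.
$IseAccount = 'EXAMPLE\ise-svc'   # placeholder for the ISE identity-mapping account

# Access-mask bits of a WMI namespace ACE (WBEM_* security flags plus the two
# standard rights shown as Read/Edit Security in wmimgmt.msc).
$WmiRight = [ordered]@{
    EnableAccount  = 0x00001
    ExecuteMethods = 0x00002
    FullWrite      = 0x00004
    PartialWrite   = 0x00008
    ProviderWrite  = 0x00010
    RemoteEnable   = 0x00020
    ReadSecurity   = 0x20000
    EditSecurity   = 0x40000
}
# The two permissions this section of the guide says must be granted.
$RequiredMask = $WmiRight.ExecuteMethods -bor $WmiRight.RemoteEnable

function Get-WmiNamespaceAccess {
    param([string]$Namespace = 'root\cimv2')
    # __SystemSecurity is the singleton that holds a namespace's security descriptor;
    # its DACL is an array of Win32_ACE instances.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        $names = $WmiRight.Keys | Where-Object { ($ace.AccessMask -band $WmiRight[$_]) -ne 0 }
        [pscustomobject]@{
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Inherited = ($ace.AceFlags -band 0x10) -ne 0     # INHERITED_ACE flag
            RawMask   = $ace.AccessMask
            Rights    = ($names -join ', ')
        }
    }
}

function Test-IseWmiAccess {
    param([string]$Account = $IseAccount, [string]$Namespace = 'root\cimv2')
    $mine = Get-WmiNamespaceAccess -Namespace $Namespace | Where-Object { $_.Trustee -eq $Account }
    if ($mine | Where-Object Type -eq 'Deny') {
        Write-Warning "$Account has a Deny ACE on $Namespace"
        return $false
    }
    $granted = 0
    foreach ($a in $mine) { $granted = $granted -bor $a.RawMask }
    $missing = $WmiRight.Keys | Where-Object { ($RequiredMask -band $WmiRight[$_]) -and -not ($granted -band $WmiRight[$_]) }
    $extra   = $WmiRight.Keys | Where-Object { ($granted -band $WmiRight[$_]) -and -not ($RequiredMask -band $WmiRight[$_]) }
    if ($missing) { Write-Warning "Missing on $Namespace for ${Account}: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Granted beyond the guide's list for ${Account}: $($extra -join ', ')" }
    return (-not $missing)
}

Get-WmiNamespaceAccess | Format-Table Trustee, Type, Inherited, Rights -AutoSize
Test-IseWmiAccess
```

Treat the "granted beyond" warning as a review prompt rather than an error: Enable Account, for instance, is normally present for Authenticated Users and is harmless, whereas Full Write or Edit Security on root\cimv2 for a service account is more than the ISE integration needs and is worth removing.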
Procedure
Step 1 Click Start > Run and type wmimgmt.msc.
Step 2 Right-click WMI Control and click Properties.
Step 3 Under the Security tab, expand Root and choose CIMV2.
Step 4 Click Security.
Step 5 Add the Active Directory user, and configure the required permissions as shown below.

Figure 18: Required Permissions for WMI Root\CIMv2 Name Space

Open Firewall Ports for WMI Access

The firewall software on the Active Directory Domain Controller may block access to WMI. You can either turn the firewall off, or allow access from a specific IP (the ISE IP address) to the following ports:
• TCP 135: General RPC port. When doing asynchronous RPC calls, the service listening on this port tells the client which port the component servicing this request is using.
• UDP 138: NetBIOS Datagram Service
• TCP 139: NetBIOS Session Service
• TCP 445: SMB

Higher ports are assigned dynamically, or you can configure them manually. We recommend that you add %SystemRoot%\System32\dllhost.exe as a target. This program manages ports dynamically.
All firewall rules can be assigned to a specific IP (the ISE IP).

Configure an Authorization Profile for Redirecting Nonregistered Devices

You must configure an authorization profile in Cisco ISE to redirect nonregistered devices.

Before You Begin
• Ensure that you have created an MDM server definition in Cisco ISE. Only after you successfully integrate ISE with the MDM server does the MDM dictionary get populated, allowing you to create an authorization policy using the MDM dictionary attributes.
• Configure ACLs on the Wireless LAN Controller for redirecting unregistered devices.

Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add.
Step 2 Create an authorization profile for redirecting nonregistered devices that are not compliant or registered.
Step 3 Enter a name for the authorization profile that matches the MDM server name.
Step 4 Choose ACCESS_ACCEPT as the Access Type.
Step 5 Check the Web Redirection check box and choose MDM Redirect from the drop-down list.
Step 6 Enter the name of the ACL that you configured on the wireless LAN controller in the ACL field.
Step 7 Click Submit.

What to Do Next
Configure Authorization Policy Rules for the MDM Use Cases.

Configure Authorization Policy Rules for the MDM Use Cases

You must configure authorization policy rules in Cisco ISE to complete the MDM configuration.

Before You Begin
• Add the MDM server certificate to the Cisco ISE certificate store.
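For the "Open Firewall Ports for WMI Access" section above, turning the firewall off is the broad option; the narrow one is to scope each allow rule to the ISE node's address. The following PowerShell script is an added example (not from the Cisco guide) that creates inbound Windows Firewall rules for the four fixed ports listed in that section and a program rule for dllhost.exe to cover the dynamically assigned RPC ports, all restricted to a single remote address. It assumes an elevated session on the domain controller with the NetSecurity module (Windows Server 2012 or later); the address 192.0.2.10 is a placeholder to be replaced with the real ISE IP, and the rule names are the example's own.

```powershell
# Added example (not from the Cisco guide). Run elevated on the domain controller.
param(
    [string]$IseAddress = '192.0.2.10',   # placeholder (TEST-NET-1); use the ISE node's IP
    [string]$RulePrefix = 'ISE-WMI'       # example's own naming for the rules it creates
)

# Fixed ports from the guide, each scoped to the ISE address only.
$fixedPorts = @(
    @{ Name = 'RPC endpoint mapper'; Protocol = 'TCP'; Port = 135 },
    @{ Name = 'NetBIOS datagram';    Protocol = 'UDP'; Port = 138 },
    @{ Name = 'NetBIOS session';     Protocol = 'TCP'; Port = 139 },
    @{ Name = 'SMB';                 Protocol = 'TCP'; Port = 445 }
)

foreach ($p in $fixedPorts) {
    $name = "$RulePrefix $($p.Protocol) $($p.Port) ($($p.Name))"
    # Idempotent: skip rules that already exist so re-running does not duplicate them.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $IseAddress `
            -Profile Domain | Out-Null
    }
}

# Dynamic RPC ports: instead of opening a port range, allow the DCOM surrogate host the
# guide names as the target, again only from the ISE address.
$dllhost = Join-Path $env:SystemRoot 'System32\dllhost.exe'
$name = "$RulePrefix dllhost.exe (dynamic RPC)"
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Program $dllhost -Protocol TCP -RemoteAddress $IseAddress -Profile Domain | Out-Null
}

# Review: every rule created here should show the ISE address, never "Any", as its scope.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

If ISE is deployed as multiple nodes, pass the full list of node addresses as an array to the RemoteAddress parameter rather than widening the scope to a subnet; the review table at the end makes a rule that has drifted back to "Any" easy to spot.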