Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD
BYOD Advanced Use Case
Downloads: This chapterpdf (PDF - 2.98MB) The complete bookPDF (PDF - 68.29MB) | Feedback

Table of Contents

BYOD Advanced Use Case—Mobile Device Manager Integration

Supported MDM Functions

Integration Process Flow

ISE Compliance Check

MDM Compliance Check

ISE Configuration

Logical Profile

Authorization Policy

MDM Enrollment Rule

Remediate Non-ISE Compliant Rule

Remediate Non-MDM Compliant Rule

MDM Reports

BYOD Advanced Use Case—Mobile Device Manager Integration

Revised: July 11, 2014

What’s New: Added notes about how ACL behavior has changed in version 7.5+ of the Wireless LAN Controller.

This chapter focuses on getting additional posture information from the integration with third-party Mobile Device Managers (MDMs). While previous chapters focused on on-boarding corporate and personal devices and providing differentiated access, this chapter makes use of more detailed endpoint information to enforce authorization policies.

MDM servers secure, monitor, manage, and support mobile devices to secure and control the use of mobile applications. The network is the only entity that can provide granular access to endpoints based on VLAN assignment, ACLs (named or downloadable [DACL]), SGTs, FlexConnect ACLs, etc. By integrating with third-party MDM servers, the Cisco ISE receives the necessary device attributes to enforce a more granular network access to those endpoints.

Figure 17-1 shows the interoperability between MDMs and the Cisco ISE. Once a device has been on-boarded with ISE, ISE queries the MDM for additional endpoint information. If the endpoint is registered and compliant with MDM policies, the device is granted access, based on other attributes, as described in the previous sections.

Notice that the MDM server can be deployed on-premise or in the cloud.

Figure 17-1 MDM Interoperability

 

The following steps take place when checking for device compliance:

1. The user connects to an on-boarding SSID and is guided through the registration and on-boarding process with ISE.

2. Once the user has been on-boarded with the proper certificate/profiles, the user connects to the secure Employee SSID.

3. ISE makes an API call to the MDM server. If the device is not registered with the MDM, the user is presented with the appropriate page to proceed to their MDM enrollment page.

4. Once the user completes the enrollment with the MDM server, they return to an enrollment redirect page that includes a continue button. When the user selects the continue option from the page, ISE will issue a Change of Authorization (CoA), forcing the user to re-authenticate. The API should now indicate the user has enrolled with the MDM. The MDM API results are cached by ISE for the duration of the authorization flow.

5. ISE uses the cached MDM information for the specific MAC address to verify the device’s posture including its MDM compliance status. If the device is not in compliance with the MDM policies, the user is once again informed and is asked to become compliant.

6. Once the device becomes compliant, the user is authorized to access the network based on the assigned permissions (Full, Partial Access, or Internet Access).

7. ISE can poll the MDM server periodically to get compliance information.

Chapter 13, “Mobile Device Manager Integration for BYOD” provides more details on how to configure the integration between ISE and the MDM.

Supported MDM Functions

Cisco ISE relies on REST API calls to query the external MDM server for additional endpoint information. The communication between ISE and the MDM is mostly unidirectional, where ISE sends different commands to the MDM. Some commands query for device information (model, compliance status, serial number, etc.) while others can invoke an action on the device (Corporate Wipe, Full Wipe, PIN lock, etc.).

The following are some of the functions that ISE performs in conjunction with an MDM server:

  • Device registration—Unregistered endpoints connecting to the network are redirected to a web page hosted on the MDM server to initiate the MDM enrollment process.
  • Device remediation—Cisco ISE imposes a captive portal on noncompliant endpoints. The user is redirected to a web page hosted by ISE but populated with device posture information obtained via the MDM API. The page informs the user and what actions to take to become compliant.
  • Periodic compliance checks—Cisco ISE polls the MDM server periodically for a list of non-MDM compliant devices. ISE will determine if any device on the list is currently associated with the network and will issue a CoA against those devices.
  • Device instructions through the MDM server—Remote actions can be issued for users’ devices through the MDM server.

The endpoint database is updated with additional information from the MDM server that cannot be collected using the Cisco ISE Profiler. The following device attributes can be obtained from the MDM:

  • MDMManufacturer
  • MDMModel
  • MDMOSVersion
  • MDMPhoneNumber
  • MDMSerialNumber
  • MDMIMEI

These attributes can be viewed by clicking Administration > Identity Management > Identities > Endpoints, as shown in Figure 17-2.

Figure 17-2 MDM Attributes

 

The integration with an MDM server allows the Cisco ISE to configure policies based on additional MDM attributes. The dictionary attributes can be found under Policy > Dictionaries > MDM > Dictionary Attributes, as shown in Figure 17-3.

Figure 17-3 Dictionary Attributes

 

Some of these attributes are used in several authorization rules in this design guide.

Integration Process Flow

Figure 17-4 shows the integration process between ISE and the MDM:

1. The device has been on-boarded and the user connects to the BYOD_Employee SSID.

2. Cisco ISE makes an API call to the MDM server to verify that the device has been registered with the MDM.

3. If the device is not registered and is required to be registered, the user is asked to enroll with the MDM. This may include installing the appropriate application from the Apple App Store or Google Play.

4. ISE enforces some device attributes before allowing network access. If the device is not ISE Compliant, quarantine the device (explained below).

5. If the device is not compliant with the MDM policies, quarantine the device.

If the user has been on-boarded and is compliant with ISE and MDM policies, allow the proper permissions based on different rules.


NoteThe previous chapters explained how to grant Full Access, Partial Access and Internet Only access to personal and corporate devices.


Figure 17-4 MDM Compliance Checks

 

ISE Compliance Check

Once the device has been registered with the MDM, the ISE checks for certain device attributes before allowing access to the network. This can serve as an additional check and the first opportunity to verify some device attributes.

In this design guide, two device attributes were considered as the minimum for devices to obtain access to the network:

  • Jailbroken or rooted devices—Not allowed into the network.
  • PIN lock enforcement—Devices without a device PIN lock are denied access.

ISE makes the JailBrokenStatus and PinLockStatus API calls to the MDM to verify these attributes.

A compound condition was defined in the ISE to check for these two attributes. To define this compound condition click Policy > Policy Elements > Conditions > Compound Conditions, as shown in Figure 17-5.

Figure 17-5 ISE_Non_Compliant

 

Additional dictionary attributes could be added to accommodate the security policies of each organization.

MDM Compliance Check

For devices that have been on-boarded and have met the ISE compliance check, an additional API call is made to the MDM to make sure the device has met all the compliance requirements established by the MDM.

If the device is not fully compliant with the MDM, ISE grants access to the Internet and denies access to all internal resources. When the user tries to access an internal resource, ISE redirects the session to a portal, highlighting the steps required to be completed to meet the MDM compliance rules.

ISE makes the DeviceCompliantStatus API call to the MDM to verify compliance. The MDM establishes what conditions result in a device being non-compliant.

ISE Configuration

Several ISE features play a role in verifying for ISE and MDM compliance before permissions can be applied. Some of them include Logical Profiles, authorization rules, ACLs, and API calls to the MDM to receive endpoint attributes.

Logical Profile

The profiling service in the Cisco ISE is able to identify devices connecting to the network to grant the appropriate access to endpoints based on their device type. By collecting attributes of endpoints and grouping them according to their profiles, unique policies may be enforced for specific type of devices.

A logical profile is a virtual container of objects that share a common attribute. One example of a logical profile is a set of devices that includes all tablets or all smartphones. A second example is a set of all Android or Apple devices. For the purposes of this design guide, a logical profile was created to include the devices that are managed by the MDM. This allows the administrator to dynamically add or remove devices managed by the MDM.

Figure 17-6 shows the MDM Managed logical profile used to group devices allowed and managed or licensed by the MDM. This logical profile is used when defining the ISE authorization policy and includes devices profiled as Android, Samsung-Device, and Apple-Device. To configure this logical profile on the ISE, click Policy > Profiling > Logical Profiles.

Figure 17-6 MDM Managed Logical Profile

 

The logical profile could be easily expanded to include other devices supported and managed by the MDM without modifying the ISE authorization policy.

Authorization Policy

Figure 17-7 shows the ISE authorization rules used to enforce MDM and ISE compliance. These authorization rules are executed after the user has on-boarded the mobile device and before additional access (e.g., Full, Partial, Internet) to the network is granted.

Figure 17-7 MDM Compliance Authorization Rules

 

MDM Enrollment Rule

This rule matches when the following conditions are met:

  • The endpoint connected via a wireless 802.1X SSID.
  • Logical Profile equals MDM Managed—The device is managed and supported by the MDM.
  • The device has gone through the on-boarding process and registered with ISE.
  • The device has not registered with the MDM.

If these conditions match, the Internet Until MDM authorization profile is used. This profile is configured to redirect nonregistered devices to the redirect URL highlighted in Figure 17-8.

Figure 17-8 Internet Until MDM

 

The authorization profile relies on two named ACLs previously defined in the Wireless LAN Controller: ACL_Internet_Redirect and ACL_Internet_Only. ACL_Internet_Redirect is shown as being applied to the MDM Redirect setting in the figure above. ACL_Internet_Only is shown as being sent to the wireless controller via the Radius:Airespace-ACL-Name attribute value (AV) pair in Figure 17-8. The behavior of the two ACLs is slightly different between CUWN wireless controllers, such as the CT5508 and Flex 7500, and IOS XE based controllers, such as the CT5760 and Catalyst 3850.


NoteWithin this document, wireless LAN Controller refers to either a standalone appliance such as the Cisco CT5508, Flex 7500, or CT5760 wireless controllers or to wireless controller functionality integrated within the Catalyst 3850 Series switch.


For CUWN wireless controllers, ACL_Internet_Redirect functions as both the ACL which controls web redirection, as well as the ACL which controls what the wireless client is allowed to access on the network. ACL_Internet_Only serves simply as a extra security configuration. CUWN wireless controllers do not make use of this ACL when URL redirection is specified. For CUWN wireless controllers the ACL_Internet_Redirect ACL shown in Figure 17-9 can be the same as the ACL_Internet_Only ACL discussed in the previous chapters.

Figure 17-9 ACL_Internet_Redirect

 

The ACL specifies the following access:

  • Allow IP access to and from the DNS server (10.230.1.45).
  • Allow IP access to and from the ISE Server (10.225.49.15).
  • Allow IP access to and from the DHCP server (10.230.1.61).
  • Deny IP access to and from internal network address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Allow access to and from all other subnets (Internet access).

NoteThe ACL behavior has changed in version 7.5+ of the Wireless LAN Controller. The presence of an Airespace ACL Name in the authorization profile affects the webauth redirect functionality for access points operating in FlexConnect mode.
For FlexConnect deployments, the ACL_Provisioning Airespace ACL must be removed from the configuration. This implies that there needs to be two independent authorization profiles for provisioning: one for FlexConnect and CUWN wireless controllers and another one for and Converged Access wireless controllers.
Refer to Appendix E, “Airespace ACLs in WLC 7.5+” for sample configurations.


For Cisco IOS XE based wireless controllers, ACL_Internet_Redirect functions strictly as the ACL which controls web redirection. ACL_Internet_Only functions as the ACL which controls what the wireless client is allowed to access on the network. Hence IOS XE based wireless controllers make use of both ACLs when URL redirection is specified. An example of the ACL_Internet_Redirect ACL for Cisco IOS XE based wireless controllers is shown in Example 17-1.

Example 17-1 Internet Redirect ACL for IOS XE Based Controllers

!
ip access-list extended ACL_Internet_Redirect
deny udp any eq bootpc any eq bootps
deny ip any host 10.230.1.45
deny ip any host 10.225.49.15
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
deny ip any any
!

The above ACL specifies the following access:

  • Deny (do not redirect) DHCP access (bootpc and bootps).
  • Deny (do not redirect) IP access to and from the DNS server (10.230.1.45).
  • Deny (do not redirect) IP access to and from the ISE server (10.225.49.15).
  • Allow (redirect) IP access to and from the rest of the internal network IP address space (10.0.0.0 /8, 172.16.0.0 /12, 192.168.0.0 /16).
  • Deny (do not redirect) all other access to the Internet.

An example of the ACL_Internet_Only ACL for Cisco IOS XE based wireless controllers is shown in Example 17-2.

Example 17-2 Access ACL for IOS XE Based Controllers

!
ip access-list extended ACL_Internet_Only
permit udp any eq bootpc any eq bootps
permit ip any host 10.230.1.45
permit ip any host 10.225.49.15
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!

The above access-list specifies the following access:

  • Allow DHCP access (bootpc and bootps).
  • Allow IP access to and from the DNS server (1.230.1.45).
  • Allow IP access to and from the ISE server (1.225.49.15).
  • Deny IP access to and from the rest of the internal network IP address space (10.0.0.0 /8, 172.16.0.0 /12, 192.168.0.0 /16).
  • Allow access to all other addresses (Internet addresses).

NoteThe access list shown inExample 17-2 is generic and not intended to work for every organization. An ACL should be more specific and only allow access to specific IP addresses and protocols in the required direction. A common practice is to make the ACLs as detailed as possible and to define every entry down to the port level.


The first time the user tries to browse an internal resource, the session is redirected to a page similar to the one in Figure 17-10 providing a link to register with the appropriate MDM.

Figure 17-10 Register with MDM

 

Remediate Non-ISE Compliant Rule

This rule matches when the following conditions are met:

  • The connection originated using EAP-TLS authentication (defined as a compound condition, see below).
  • The device does not comply with ISE requirements. The ISE_Non_Compliant compound condition is highlighted in Figure 17-5.
  • Logical Profile equals MDM Managed—The device is managed and supported by the MDM and is shown in Figure 17-6.
  • If these conditions match, the ISE Quarantine authorization profile is used. This profile is configured to redirect nonregistered devices to the redirect URL highlighted in Figure 17-11.

Figure 17-11 ISE Quarantine Authorization Profile

 

The authorization profile relies on two named ACLs, previously defined in the Wireless LAN Controller: ACL_ISE_Remediate_Redirect and ACL_ISE_Remediate. ACL_ISE_Remediate_Redirect is shown as being applied to the MDM Redirect setting in Figure 17-11. ACL_ISE_Remediate is shown as being sent to the wireless controller via the Radius:Airespace-ACL-Name attribute value (AV) pair in Figure 17-11. The behavior of the two ACLs is slightly different between CUWN wireless controllers, such as the CT5508 and Flex 7500, and IOS XE based controllers such as the CT5760 and Catalyst 3850.

For CUWN wireless controllers, ACL_ISE_Remediate_Redirect functions as both the ACL which controls web redirection, as well as the ACL which controls what the wireless client is allowed to access on the network. ACL_ISE_Remediate serves simply as a extra security configuration. CUWN wireless controllers do not make use of this ACL when URL redirection is specified.

For CUWN wireless controllers the ACL_ISE_Remediate and ACL_ISE_Remediate_Redirect ACLs can be the same. An example of the ACL_ISE_Remediate ACL is shown in Figure 17-12.

Figure 17-12 ACL_ISE_Remediate

 

The ACL specifies the following access:

  • Allow IP access to and from the DNS server (10.230.1.45).
  • Allow IP access to and from the ISE Server (10.225.49.15).
  • Allow IP access to and from the DHCP server (10.230.1.61).
  • Allow IP access to and from the MDM server (203.0.113.10).
  • Allow IP access to Apple Push Notification Server (23.0.0.0 /8 and 17.0.0.0 /8).
  • Allow IP access to Google Cloud Messaging (184.0.0.0 /8, 8.0.0.0 /8, 173.194.0.0 /16, 74.125.0.0 /16, 206.111.0.0 /16).
  • Deny IP access (redirect) to all other IP addresses.

NoteThe ACL behavior has changed in version 7.5+ of the Wireless LAN Controller. The presence of an Airespace ACL Name in the authorization profile affects the webauth redirect functionality for access points operating in FlexConnect mode.
For FlexConnect deployments, the ACL_Provisioning Airespace ACL must be removed from the configuration. This implies that there needs to be two independent authorization profiles for provisioning: one for FlexConnect and CUWN wireless controllers and another one for and Converged Access wireless controllers.
Refer to Appendix E, “Airespace ACLs in WLC 7.5+” for sample configurations.


For Cisco IOS XE based wireless controllers, ACL_Internet_Redirect functions strictly as the ACL which controls web redirection. ACL_Internet_Only functions as the ACL which controls what the wireless client is allowed to access on the network. Hence IOS XE based wireless controllers make use of both ACLs when URL redirection is specified. An example of the ACL_Internet_Redirect ACL for Cisco IOS XE based wireless controllers is shown in Example 17-3.

Example 17-3 Remediate Redirect ACL for IOS XE Controllers

!
ip access-list extended ACL_ISE_Remediate_Redirect
deny udp any eq bootpc any eq bootps
deny ip any host 1.230.1.45
deny ip any host 1.225.49.15
deny ip any host 1.230.1.76
deny ip any 63.128.76.0 0.0.0.255
deny ip any 23.0.0.0 0.255.255.255
deny ip any 17.0.0.0 0.255.255.255
deny ip any 184.0.0.0 0.255.255.255
deny ip any 8.0.0.0 0.255.255.255
deny ip any 74.125.0.0 0.0.255.255
deny ip any 173.194.0.0 0.0.255.255
deny ip any 206.111.0.0 0.0.255.255
deny ip any host 1.225.100.10
permit ip any any
!

The above ACL specifies the following access:

  • Deny (do not redirect) DHCP traffic.
  • Deny IP access (do not redirect) to and from the DNS server (1.230.1.45).
  • Deny IP access (do not redirect) to and from the ISE server (1.225.42.15).
  • Deny IP access (do not redirect) to and from MDM servers (host 1.230.1.76 and subnet 63.128.76.0 /24).
  • Deny IP access (do not redirect) to Apple Push Notification Server (23.0.0.0 /8 and 17.0.0.0 /8).
  • Deny IP access (do not redirect) to Google Cloud Messaging (184.0.0.0 /8, 8.0.0.0 /8, 74.125.0.0 /16, 173.194.0.0 /16, 206.111.0.0 /16).
  • Permit IP access (redirect) traffic to all other IP addresses.

An example of the ACL_ISE_Remediate ACL for Cisco IOS XE based wireless controllers is shown in Example 17-4.

Example 17-4 Remediate Access ACL for Cisco IOS XE Controller

!
ip access-list extended ACL_ISE_Remediate
permit udp any eq bootpc any eq bootps
permit ip any host 1.230.1.45
permit ip any host 1.225.49.15
permit ip any host 1.230.1.76
permit ip any 63.128.76.0 0.0.0.255
permit ip any 23.0.0.0 0.255.255.255
permit ip any 17.0.0.0 0.255.255.255
permit ip any 184.0.0.0 0.255.255.255
permit ip any 8.0.0.0 0.255.255.255
permit ip any 74.125.0.0 0.0.255.255
permit ip any 173.194.0.0 0.0.255.255
permit ip any 206.111.0.0 0.0.255.255
deny ip any any
!

The above access-list specifies the following access:

  • Allow DHCP traffic.
  • Allow IP access to and from the DNS server (1.230.1.45).
  • Allow IP access to and from the ISE server (1.225.42.15).
  • Allow IP access to and from MDM servers (host 1.230.1.76 and subnet 63.128.76.0 /8).
  • Allow IP access to Apple Push Notification Server (23.0.0.0 /8 and 17.0.0.0 /8).
  • Allow IP access to Google Cloud Messaging (184.0.0.0 /8, 8.0.0.0 /8, 74.125.0.0 /16, 173.194.0.0 /16, 206.111.0.0 /16).
  • Permit IP access to all other IP addresses.

NoteThe access list shown inExample 17-4 is generic and not intended to work for every organization. An ACL should be more specific and only allow access to specific IP addresses and protocols in the required direction. A common practice is to make the ACLs as detailed as possible and to define every entry down to the port level.


The Wireless_EAP-TLS compound condition checks for the following conditions:

  • Radius:Service-Type Equals Framed
  • Radius:NAS-Port-Type Equals Wireless - IEEE 802.11
  • Network Access:EapAuthentication Equals EAP-TLS

To define this compound condition, click Policy > Conditions > Authorization > Compound Conditions. Figure 17-13 shows how the Wireless_EAP-TLS condition combines several conditions into one.

Figure 17-13 Wireless_EAP-TLS Condition

 

Remediate Non-MDM Compliant Rule

This rule matches when the following conditions are met:

  • The connection originated using EAP-TLS authentication, as defined by the Wireless_EAP-TLS compound condition highlighted in Figure 17-13.
  • The device does not comply with MDM policies. The ISE makes the DeviceCompliantStatus API call to the MDM to obtain this information.
  • Logical Profile equals MDM Managed—The device is managed and supported by the MDM.

If these conditions match, the MDM Quarantine authorization profile is used. This profile is configured to redirect nonregistered devices to the redirect URL highlighted in Figure 17-14.

Figure 17-14 MDM Quarantine Authorization Profile

 

The authorization profile relies on the same two named ACLs: ACL_Internet_Redirect and ACL_Internet_Only previously discussed in Remediate Non-ISE Compliant Rule.

When the user tries to browse an internal resource, the session is redirected to page similar to the one in Figure 17-15, indicating why the device is not compliant with the MDM policies.

Figure 17-15 MDM Quarantine

 

For reference purposes, the complete authorization policy used during testing is shown in Figure 17-16. The figure highlights the following sections:

1. Used for blacklisting lost or stolen devices.

2. On-boarding and MDM registration/remediation.

3. Wireless devices connecting from an access point in a SGT_Enabled location.

4. Wireless devices connecting from an access point in the campus or branch locations.

5. Wired devices connecting from a campus or branch locations.

6. Wired and Wireless devices connecting from a converged location.

7. Guest and Basic Access.

Figure 17-16 Complete Authorization Policy

 

MDM Reports

Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. Several reports provide information related to endpoints. In Figure 17-17, the Mobile Device Management report shows the endpoints connected to the ISE, and several attributes collected from the MDM. Other reports provide additional information that may be used for reporting and troubleshooting.

Figure 17-17 MDM Report