Cisco ISE 2.1 Integration

sdiver
New Contributor III

Has anyone successfully integrated Cisco ISE 2.1 with Jamf v9.96 (or something close)?

In Jamf JSS, we have set up Cisco ISE in All Settings > Network Organization. Then in Cisco ISE, in Administration > External MDM, we have set up the Jamf JSS, and the Test Connection comes back that communication is working. So that piece seems good.

The issue we seem to be running into is checking device compliance against Jamf. I have set up two basic advanced searches under both Computers & Mobile Devices, and selected those in the Cisco ISE setup in the Jamf JSS.

Back in ISE, we've created a Policy Condition to verify against Jamf MDM DeviceComplianceStatus - Equals - Compliant. That verification check is failing. If we remove that condition, the verification check succeeds, and the devices can connect...add it back in, and the verification check fails, and the device cannot connect.

In doing some searching online, I came across this Cisco URL. The information on the Compatibility tab seems to indicate that Cisco ISE 1.3 is the latest version that Jamf is compatible with...

https://marketplace.cisco.com/catalog/companies/jamf-software/products/casper-suite

Hence, my original question. So if anyone has this working, I would love to talk with you to figure out what we are doing.

Thanks,
Steve


mbracco
Contributor

Hello,

We currently have a POC with Cisco ISE 2.x and JSS 9.9.6. Currently we have issues with certificates, as we wish to use the device certificates provided by the JSS. Tomorrow we will continue to investigate with our networking team.

I will send you feedback on our research.

Mike

were_wulff
Valued Contributor II

@sdiver & @mbracco

We have had a few customers run into issues with Cisco ISE 2.x if they have older ciphers in place in Tomcat, so that's definitely worth checking to see if it helps in your environment.

If the logs from your Cisco ISE 2.x environment have mention of ciphers being used or errors relating to ciphers, that may be the cause.

In those cases, we've found that adding the following ciphers to the ciphers that already exist in the Server.xml file for Tomcat, then restarting Tomcat, can resolve the issue:

TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA

We have a KB article on how to modify the ciphers for Tomcat here: Configuring Supported Ciphers for Tomcat HTTPS Connections

As with making any change to any file, it's recommended that you make a backup of the file first just in case something goes wrong or doesn't work as expected. In the event that modifying the ciphers doesn't work or causes other unexpected behavior, you'll at least have a backup of the Server.xml that you can put back into place.

Thanks!
Amanda Wulff
Jamf Support
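
The reply above describes editing the ciphers attribute in Tomcat's Server.xml by hand. As an added example (not code from the thread, Jamf, or the KB article), the script below does that edit the way a practitioner would want it done: it merges the suggested suites into every ciphers="..." attribute it finds, keeps what is already there in its existing order, never duplicates a suite, flags legacy suites (RC4, 3DES, NULL, EXPORT, anonymous) that are still enabled, and takes a timestamped backup before writing. The sample server.xml snippet and the file path are constructed for illustration; Tomcat 7/8.0 put the attribute on the Connector element, Tomcat 8.5+ on SSLHostConfig, and the regex handles both since it only looks at the attribute itself.

```python
"""Merge TLS cipher suites into the ciphers="..." attribute(s) of a Tomcat
server.xml, preserving existing entries, without duplicates, with a backup.
Added example for this thread; not Jamf's or Tomcat's own tooling."""
import re
import shutil
import time
from pathlib import Path

# The suite list quoted in the reply above (standard IANA/JSSE names).
JAMF_SUGGESTED = (
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
).split(",")

# Constructed sample of the HTTPS Connector in a server.xml (assumption: a
# real JSS file has more attributes; only the ciphers attribute matters here).
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTPS connector used by the JSS web app -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>
"""

# Matches the attribute text only, so comments and formatting are untouched
# (an XML parser rewrite would drop Tomcat's comments).
_CIPHERS_ATTR = re.compile(r'(\bciphers\s*=\s*")([^"]*)(")')

# Substrings that mark suites a practitioner would want to see flagged.
_LEGACY_MARKERS = ("RC4", "3DES", "DES_CBC", "NULL", "EXPORT", "anon", "MD5")


def _split(attr_value):
    return [c.strip() for c in attr_value.split(",") if c.strip()]


def list_ciphers(xml_text):
    """Return one list of suites per ciphers attribute found, in file order."""
    return [_split(m.group(2)) for m in _CIPHERS_ATTR.finditer(xml_text)]


def legacy_suites(xml_text):
    """Suites currently enabled that match a legacy marker (flag, don't remove:
    removal is a separate, deliberate decision)."""
    return [c for suites in list_ciphers(xml_text) for c in suites
            if any(marker in c for marker in _LEGACY_MARKERS)]


def merge_ciphers(xml_text, wanted):
    """Return (new_xml, added). Existing order is kept and new suites are
    appended; suites already present are not duplicated. Raises if the file
    has no ciphers attribute rather than guessing where one belongs."""
    added_total = []

    def _merge(m):
        existing = _split(m.group(2))
        added = [c for c in wanted if c not in existing]
        for c in added:
            if c not in added_total:
                added_total.append(c)
        return m.group(1) + ",".join(existing + added) + m.group(3)

    new_xml, count = _CIPHERS_ATTR.subn(_merge, xml_text)
    if count == 0:
        raise ValueError('no ciphers="..." attribute found in server.xml')
    return new_xml, added_total


def update_server_xml(path, wanted=JAMF_SUGGESTED):
    """Back up the file next to itself, then write the merged attribute.
    Tomcat still has to be restarted afterwards for the change to apply."""
    path = Path(path)
    backup = path.with_name(path.name + time.strftime(".%Y%m%d%H%M%S.bak"))
    shutil.copy2(path, backup)
    new_xml, added = merge_ciphers(path.read_text(encoding="utf-8"), wanted)
    path.write_text(new_xml, encoding="utf-8")
    return backup, added


if __name__ == "__main__":
    merged, added = merge_ciphers(SAMPLE_SERVER_XML, JAMF_SUGGESTED)
    print("added:", added)
    print("legacy suites still enabled:", legacy_suites(merged))
```

Run it against the real file with update_server_xml("/path/to/tomcat/conf/server.xml") (hypothetical path), restart Tomcat, and keep the .bak it wrote until ISE's Test Connection and the compliance check both pass. The legacy_suites output is the list to take to the security team; the script deliberately does not remove those on its own.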

mbracco
Contributor

Hi again,

We could not proceed. Our network team told us that we need a special MDM license for Cisco ISE...
I'm not an ISE specialist, but can ISE not be used without that MDM license? We have the Casper Suite as our MDM and don't need the advanced features (such as redirection to enrollment).

Do we really need that license?

Mike

were_wulff
Valued Contributor II

@mbracco

I am not certain what your network team means by a "special MDM license". If you have an active JSS, there is no other licensing you need from us. If they are talking about using Cisco's MDM solutions with the ISE product, that is not necessary as you are using the JSS for MDM.

Our Administrator's Guide touches on network integration, but makes the assumption that you have already set up your Cisco ISE environment appropriately: http://docs.jamf.com/9.96/casper-suite/administrator-guide/Network_Integration.html

If you have questions or concerns about what you need for Cisco ISE licensing, I would recommend getting in touch with your Cisco rep or getting in touch with Cisco's support if you do not have a specific support rep to contact.

We are not able to provide much information on what sort of licensing is required for Cisco ISE as we are not a vendor for that product and do not have access to that information.

Thanks!
Amanda Wulff
Jamf Support

jhalvorson
Valued Contributor

@mbracco Cisco ISE can be setup to allow several different types of "checks". Keep asking your Cisco rep for all of the other allowed verification options and then talk with your security team as to which of those options they will allow to be used.

One of the "simpler" options is to set the DHCP ID to a static name. We found it was possible for ISE to pick this up with Windows devices, but we couldn't get it to work with Macs. It is not a good choice, because it's very easy to imitate on any device. For the Mac it wasn't very easy to set the DHCP ID for every network port automatically and on a continuing basis.

So the next option is to go with Certificate based options... I recommend continuing the talks with the Cisco reps.

CasperSally
Valued Contributor II

@mbracco @jhalvorson The checks, in ISE terminology, are what they call posturing. It greatly slowed down login times in our testing, just FYI.

mbracco
Contributor

Thanks for the info. We will continue our testing next week. We will also contact the Cisco guys for licensing and policy questions.

sdiver
New Contributor III

@amanda.wulff Thanks for the information on the Tomcat ciphers. I will definitely look at that and report back in the next few days.

@mbracco I had asked about the possibility of using the certificate issued to a device from the JSS, as a means of authenticating a device on our network...but never really got anywhere. The issue we ran into was that certificate didn't have any consistently identifying information in it that ISE could use for authentication. Maybe that will change in the future, as there was some talk at JNUC of the possibility of a future release of Jamf Pro being an identity provider. We'll have to see I guess.

But for us, being a school, we want to place our employees in one secure VLAN/subnet, and our students in a separate VLAN/subnet...ISE wasn't able to do that with the JSS issued certificate. So we went back to the internal Microsoft CA, and (for 1:1 devices at least) we are using the JSS to push a Configuration Profile that includes 3 payloads...

  • Certificate: The CA Certificate for our internal CA
  • SCEP: Requests a user certificate from the internal CA, based on the $USERNAME variable in the JSS that the device is associated with
  • Wi-Fi: Pulls the Certificate & SCEP payloads together to do EAP-TLS authentication

With some mild tweaks to the certificate templates on internal CA, we have this working flawlessly in our test environment, and it is pretty seamless to the end user.

As for the Cisco ISE-Jamf integration...if you have Cisco ISE licensing, you shouldn't need anything additional for MDM integration...it's just part of the product. Based on what we have learned over the past few days, and in working on this with our network consultant, once the necessary certificates from Jamf are in place within ISE, and both Jamf and ISE are configured to talk to each other, then ISE actually pulls the MDM information it can query from Jamf. So ISE only presents you with the options that it can query for an MDM. Kinda cool.

At the end of the day, all I really want to be able to do is have ISE verify that devices connecting and authenticating to our private wireless networks are enrolled in Jamf...basically DeviceComplianceStatus - Equals - Compliant in ISE...if not, deny access. Basically, keep personal devices attempting to authenticate using PEAP off the private wireless networks, so as not to over-saturate WAPs in classroom spaces.

The joys of network administration...nothing is ever as easy and straight-forward as you think it will be. Makes it fun, right? Right?!
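
The three-payload Configuration Profile described above (CA certificate, SCEP user certificate keyed on $USERNAME, Wi-Fi set to EAP-TLS) is easy to get subtly wrong because the Wi-Fi payload references the other two by UUID. As an added example (not the poster's profile and not generated by Jamf), the script below builds such a profile with Python's plistlib using the payload keys from Apple's Configuration Profile Reference, and then checks the cross-references: the identity UUID must point at the SCEP payload, every trust anchor UUID must point at a certificate payload, only EAP-TLS (type 13) may be accepted, and TLSTrustedServerNames must be set so the client pins the RADIUS server. The SCEP URL, CA name, SSID, RADIUS hostname and CA certificate bytes are constructed placeholders; $USERNAME is left literal because the JSS substitutes it at deployment, as the post relies on.

```python
"""Build and sanity-check a root CA + SCEP + Wi-Fi (EAP-TLS) profile.
Added example for this thread; values are placeholders, keys are Apple's."""
import plistlib
import uuid

# Constructed stand-in for the internal CA certificate in DER form.
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"\x00" * 16

_CERT_PAYLOAD_TYPES = ("com.apple.security.root", "com.apple.security.pem",
                       "com.apple.security.pkcs1")


def _base(payload_type, ident, name):
    """Keys every payload needs; each payload gets its own UUID."""
    return {"PayloadType": payload_type, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
            "PayloadDisplayName": name}


def build_profile(ca_der, scep_url, ca_name, ssid, radius_server_names,
                  upn_suffix="example.edu", org="Example School District"):
    """Return the profile as a dict ready for plistlib (i.e. a .mobileconfig)."""
    cert = _base("com.apple.security.root", "edu.example.ca.root", "Internal CA")
    cert["PayloadContent"] = ca_der

    scep = _base("com.apple.security.scep", "edu.example.scep.user",
                 "User certificate (SCEP)")
    scep["PayloadContent"] = {
        "URL": scep_url,                       # hypothetical NDES/SCEP endpoint
        "Name": ca_name,
        # $USERNAME is substituted by the JSS for the device's assigned user.
        "Subject": [[["CN", "$USERNAME"]], [["O", org]]],
        "SubjectAltName": {"ntPrincipalName": "$USERNAME@" + upn_suffix},
        "Keysize": 2048, "Key Type": "RSA",
        "Key Usage": 5,                        # signing (1) + encipherment (4)
        "Retries": 3, "RetryDelay": 10,
    }

    wifi = _base("com.apple.wifi.managed", "edu.example.wifi.staff", "Staff Wi-Fi")
    wifi.update({
        "SSID_STR": ssid, "AutoJoin": True, "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": scep["PayloadUUID"],   # identity = SCEP cert
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                       # EAP-TLS only, no PEAP
            "PayloadCertificateAnchorUUID": [cert["PayloadUUID"]],
            "TLSTrustedServerNames": list(radius_server_names),
            "TLSAllowTrustExceptions": False,  # no click-through on a bad RADIUS cert
        },
    })

    profile = _base("Configuration", "edu.example.profile.eaptls", "EAP-TLS Wi-Fi")
    profile.update({"PayloadOrganization": org, "PayloadScope": "System",
                    "PayloadContent": [cert, scep, wifi]})
    return profile


def check_references(profile):
    """Return a list of problems with the Wi-Fi payload(s); empty means OK."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        name = p["PayloadDisplayName"]
        ident = by_uuid.get(p.get("PayloadCertificateUUID"))
        if ident is None or ident["PayloadType"] != "com.apple.security.scep":
            problems.append(f"{name}: identity UUID does not reference a SCEP payload")
        eap = p.get("EAPClientConfiguration", {})
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            a = by_uuid.get(anchor)
            if a is None or a["PayloadType"] not in _CERT_PAYLOAD_TYPES:
                problems.append(f"{name}: anchor {anchor} is not a certificate payload")
        if eap.get("AcceptEAPTypes") != [13]:
            problems.append(f"{name}: EAP types other than EAP-TLS are accepted")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{name}: no TLSTrustedServerNames, RADIUS server not pinned")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist that Jamf uploads and devices install."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile(FAKE_CA_DER, "https://ca.example.edu/certsrv/mscep/mscep.dll",
                         "Example-CA", "Staff-WiFi", ["radius1.example.edu"])
    print(check_references(prof) or "references OK")
    print(to_mobileconfig(prof).decode()[:200], "...")
```

The checker is the part worth keeping: run it over any profile exported from the JSS (from_mobileconfig on the file bytes) before scoping it, since a dangling PayloadCertificateUUID installs without error and only shows up as an EAP failure on the client.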

joe_bloom
New Contributor III

New in Casper Suite (Jamf Pro) version 9.99.0 is additional support for Cisco ISE.

Added support for the Cisco MDM API v2 when integrating the JSS with Cisco Identity Services Engine (ISE) in the Network Integration settings in the JSS. To access network integration in the JSS, navigate to Settings > Network Organization > Network Integration.

See what's new in 9.99.0