Jamf Nation Community

@sdiver & @mbracco

We have had a few customers run into issues with Cisco ISE 2.x if they have older ciphers in place in Tomcat, so that's definitely worth checking to see if it helps in your environment.

If the logs from your Cisco ISE 2.x environment have mention of ciphers being used or errors relating to ciphers, that may be the cause.

In those cases, we've found that adding the following ciphers to the ciphers that already exist in the Server.xml file for Tomcat, then restarting Tomcat, can resolve the issue:

TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA

We have a KB article on how to modify the ciphers for Tomcat here: Configuring Supported Ciphers for Tomcat HTTPS Connections

As with making any change to any file, it's recommended that you make a backup of the file first just in case something goes wrong or doesn't work as expected. In the event that modifying the ciphers doesn't work or causes other unexpected behavior, you'll at least have a backup of the Server.xml that you can put back into place.

Thanks!
Amanda Wulff
Jamf Support

Hy back,

We could not process. Network team told us that we need for the Cisco ISE a special MDM License...
I'm not ISE specialist, but can the ISE not be used without that MDM. We have the Casper Suite as MDM and don't need the advanced features as (redirection to enrollment).

Do we really need that License ?

Mike

@mbracco

I am not certain what your network team means by a "special MDM license". If you have an active JSS, there is no other licensing you need from us. If they are talking about using Cisco's MDM solutions with the ISE product, that is not necessary as you are using the JSS for MDM.

Our Administrator's Guide touches on network integration, but makes the assumption that you have already set up your Cisco ISE environment appropriately: http://docs.jamf.com/9.96/casper-suite/administrator-guide/Network_Integration.html

If you have questions or concerns about what you need for Cisco ISE licensing, I would recommend getting in touch with your Cisco rep or getting in touch with Cisco's support if you do not have a specific support rep to contact.

We are not able to provide much information on what sort of licensing is required for Cisco ISE as we are not a vendor for that product and do not have access to that information.

Thanks!
Amanda Wulff
Jamf Support

@mbracco Cisco ISE can be setup to allow several different types of "checks". Keep asking your Cisco rep for all of the other allowed verification options and then talk with your security team as to which of those options they will allow to be used.

One of the more "simpler" options is to set the DHCP ID on to static name. We found it was possible for ISE to pick this up with Windows devices, but couldn't get to work with Macs. It is not a good choice, because it's very easy to do assimilate on any device. For the mac it wasn't very easy to set the DCHP ID for every network port automatically and on a continuing bases.

So the next option is to go with Certificate based options... I recommend continuing the talks with the Cisco reps.

@mbracco @jhalvorson the checks in ISE terminology is what they call posturing. It greatly slowed down login times in our testing, just FYI.

Thanks for the info. We will proceed our testings next week. So we will also contact Cisco Guys for licensing and policy questions.

@amanda.wulff Thanks for the information on the Tomcat ciphers. I will definitely look at that and report back in the next few days.

@mbracco I had asked about the possibility of using the certificate issued to a device from the JSS, as a means of authenticating a device on our network...but never really got anywhere. The issue we ran into was that certificate didn't have any consistently identifying information in it that ISE could use for authentication. Maybe that will change in the future, as there was some talk at JNUC of the possibility of a future release of Jamf Pro being an identity provider. We'll have to see I guess.

But for us, being a school, we want to place our employees in one secure VLAN/subnet, and our students in a separate VLAN/subnet...ISE wasn't able to do that with the JSS issued certificate. So we went back to the internal Microsoft CA, and (for 1:1 devices at least) we are using the JSS to push a Configuration Profile that includes 3 payloads...

• Certificate: The CA Certificate for our internal CA
• SCEP: Requests a user certificate from the internal CA, based on the $USERNAME variable in the JSS that the device is associated with
• Wi-Fi: Pulls the Certificate & SCEP payloads together to do EAP-TLS authentication

With some mild tweaks to the certificate templates on internal CA, we have this working flawlessly in our test environment, and it is pretty seamless to the end user.

As for the Cisco ISE-Jamf integration...if you have Cisco ISE licensing, you shouldn't need anything additional for MDM integration...it's just part of the product. Based on what we have learned over the past few days, and in working on this with our network consultant, once the necessary certificates from Jamf are in place within ISE, and both Jamf and ISE are configured to talk to each other, then ISE actually pulls the MDM information it can query from Jamf. So ISE only presents you with the options that it can query for an MDM. Kinda cool.

At the end of the day, all I really want to be able to do is have ISE verify that devices connecting and authenticating to our private wireless networks are enrolled in Jamf...basically DeviceComplianceStatus - Equals - Compliant in ISE...if not, deny access. Basically, keep personal devices attempting to authenticate using PEAP off the private wireless networks, so as not to over-saturate WAPs in classroom spaces.

The joys of network administration...nothing is ever as easy and straight-forward as you think it will be. Makes it fun, right? Right?!

New in Casper Suite (Jamf Pro) version 9.99.0 is additional support for Cisco ISE.

Added support for the Cisco MDM API v2 when integrating the JSS with Cisco Identity Services Engine (ISE) in the Network Integration settings in the JSS. To access network integration in the JSS, navigate to Settings > Network Organization > Network Integration.

See what's new in 9.99.0