Help

Cisco ISE - JAMF integration

gurduv
New Contributor III

Posted on ‎02-10-2020 03:28 AM

We are implementing Cisco ISE in our network, and we would like to use Jamf as a means to identify and recognize manages Apple devices.
ISE query's Jamf’s inventory, and gets the device’s MAC address in response. If this MAC address exists in Jamf, ISE will continue to query all other info about this device.

The issue we encounter is that only the “en0" MAC address is sent to ISE.
If more then one network hardware connection exists, (e.g. usb network adapters, wifi adapters) different for en0, Jamf response is that the device is not part of the repository, and ISE doesn’t recognize it.
Is there a way to use all the MAC addresses as reference objects for Jamf into ISE?

0 Kudos
Reply
3 REPLIES 3

dgreening
Valued Contributor II

Posted on ‎02-10-2020 01:10 PM

I believe that ISE 4.6+ supports using the UDID of the machine instead of the MAC address. This is obviously preferable if you can do it!

Reply

gurduv
New Contributor III

Posted on ‎05-27-2020 06:33 AM

Our ISE is version 2.6.0.156
What ISE implementation did you mean?

0 Kudos
Reply

mrheathjones
New Contributor III

Posted on ‎05-27-2020 01:46 PM

@gurduv We are running an older version of ISE (2.6.x I believe), and we had the same issue. To get around it I wrote a policy that does the following:

  1. Gets the ethernet adapter's MAC address and adapter name
  2. updates the Jamf record fields (Primary MAC Address and Primary Network Adapter Type) via API
  3. Gets the ISE NAS IP address
  4. forces an ISE re-auth via API

We are currently only having ISE performing Posture checks on wired connections with plans on expanding to wireless. My workaround is definitely hacky, but it's been working. Only problem is the when the device checks-in that Primary MAC Address is then written over with the en0 info. My policy runs on network state change and check-in, so that limits the the "posture check fail" in reports ISE. Hope this helps.

Reply