Cisco ISE - JAMF

jameson
Contributor II

We are moving to Cisco ISE in the near future. Is there any known API etc. where Cisco ISE can get info from JAMF in authenticating devices? I am thinking about EAP-TLS Wi-Fi; there Cisco ISE could verify devices in Jamf, but somehow a link between the 2 systems must be made.

Today the issue is that Macs are not bound to AD, and EAP-TLS is authenticated to AD groups with computer objects. But with Cisco ISE there should be a better option available, as far as I am informed.

Don't know if anyone has some knowledge on Cisco ISE and Jamf.

5 REPLIES

blackholemac
Valued Contributor III

An older document, but this might help: http://docs.jamf.com/9.9/casper-suite/administrator-guide/Network_Integration.html

Basically, ISE makes use of a Jamf Pro Advanced Search and a URL to plug into ISE. ISE will require some read access to the Jamf Pro instance... an auditor account is sufficient.

ryan_ball
Valued Contributor

@jameson We use it. The integration allows for ISE to look into the Jamf Pro Server and look for machines contained in an Advanced Search. The advanced search in our case has a criterion of "Last Enrollment" after "1900-01-01" for both Computers and Devices. This should give you all enrolled computers and devices (if you want any enrolled device included in the ISE lookup).

ISE then looks up all clients in the Jamf Pro Server; if they are in one of the Advanced Searches, it will apply a policy of your choosing to that device.

Here is the ISE documentation: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_...

Look
Valued Contributor III

@ryan.ball As terrible a design decision as it is on JAMF's part, you can actually get a search of all computers simply by having no criteria at all on the search.

ryan_ball
Valued Contributor

@Look I use that all the time through the GUI to view all systems, but never considered actually saving a search with no criteria for some reason. Good call.

dgreening
Valued Contributor II

We use a saved search with no criteria for ISE integration. Works fine!