Cisco ISE (NAC) and Casper

bterhune
New Contributor

Looking forward to meeting some of you all at the JNUC in a little while!

Does anyone use Cisco ISE in conjunction with the Casper suite? I'm trying to determine if it is possible to posture Macintosh clients and send them to a QuickAdd.pkg?

Thanks.
Brad Terhune


mostlikelee
Contributor

Interesting thought. Let me know if you run across a workflow.

CGundersen
Contributor III

Our network team purchased ISE a while back, but they haven't implemented. I'd love to hear of some workflows as well. I wonder which JAMF I should interrogate at JNUC?

mostlikelee
Contributor

From what I've seen ISE can query Casper to confirm smart group membership of your choosing. Presenting a quickadd at query fail sounds really interesting.

BradB
New Contributor III

@bterhune - the workflow you describe is pretty much exactly how the JSS/ISE integration works. ISE communicates with the JSS to ascertain whether a device is managed and/or compliant and then takes action based upon those results. If a device is unmanaged, it is redirected to the JSS enrollment page so the user can enroll. If the device is deemed non-compliant, it is redirected to a status page that indicates how the user can remediate their non-compliance. One thing to point out is that this is all done based upon management by the Casper Suite...the integration doesn't rely on any of the ISE posture agents.

@mostlikelee - one small point of clarification, the integration actually uses an Advanced Search as opposed to Smart Group membership. Just wanted to point it out to avoid confusion.

I'll be at the JNUC on Thursday and I'd love to chat about the integration more in depth with anyone interested.

bterhune
New Contributor

Thank you all so much! Beckerbm- your info gives me hope! I'm a total newbie and really need a good distribution method. Our Mac folks are already accustomed to ISE. Note I said accustomed not happy about it! See y'all later.
Brad Terhune

alexm
New Contributor

@beckerbm We use the Cisco ISE Integration on our network for wifi. It works well. We would like to roll this out to the physical / ethernet network. This does not work so well; in fact it doesn't work at all from our testing.
It seems that the Mac is identified by its MAC address.

For Macs without built-in ethernet ports (Retina / Airs) the MAC address is not present in its inventory record (Secondary MAC Address field), therefore ISE does not see it as a managed device and constantly sends the user to the enrolment page. Is there a way to get ISE to look at the UDID or serial number instead of the MAC address?

I understand that there are security issues around portable MAC addresses on ethernet adapters, but we are not so interested in security, it's more about compliance (anti-virus installed, Mac managed) on the device which Casper and ISE do well together.

BradB
New Contributor III

@alexm - Unfortunately you're experiencing one of the main issues with using ISE on a wired network with ethernet adapters. Really the only attribute that ISE can ascertain about an unknown device connecting to the network is its MAC address. That's where the Casper Suite comes into play to provide the rest of the important posture details so ISE can make a determination on what access to provide to the device.

Right now we don't collect the MAC addresses of ethernet adapters during an inventory update. We do have a workaround which I believe you're working on with your Account Manager but it's not an ideal solution. We are definitely aware of the issues that are present when ethernet adapters are used with the integration and there are ongoing discussions on how to alleviate the issues.

bterhune
New Contributor

So, if all we get is a MAC address, would that be enough to somehow determine if the device is a Macintosh? I'm fairly certain Casper won't help before a QuickAdd.pkg is run on the machine.
Brad

alexm
New Contributor

@bterhune Cisco ISE is able to determine what the hardware is. You would then set an (ISE) rule to pass any "Macintosh" requests over to Casper - if it's not enrolled in Casper you can then force the user to enrol - via a "User Initiated Enrolment". If it is enrolled, Casper will check the compliance of the Mac to determine whether it gets network access.
This is how we have it set up and working at the moment for wifi - (it does not work for any portable ethernet adapters.)

alexjdale
Valued Contributor III

Would the ISE integration work for portable ethernet adapters if the system uses the same one consistently?

alexm
New Contributor

@alexjdale Unfortunately not. Cisco ISE ONLY reads the "Primary MAC Address" and "Secondary MAC Address" fields in the JSS. Portable ethernet adapters do not show up in either of those fields.
Wifi is ok, as this MAC address is present - normally in the Primary MAC field.

We are currently working with JAMF to find a solution as we desperately need it to work!

alexm
New Contributor

I just thought I would update this thread.

The awesome guys at JAMF created a custom plugin for us that writes (copies) an extension attribute to the Secondary MAC Address field.
We use a basic EA to generate the MAC address that we want, "Ethernet", "Thunderbolt Ethernet", "USB Ethernet" etc. During inventory (recon) this MAC address is copied to the Secondary MAC Field.

Cisco ISE now sees both the Wifi-MAC AND whatever-MAC-address-we-want.

perrycj
Contributor III

@alexm Great post and thanks for the info.

I was wondering if you, or anyone else, has a solution with this NAC solution and binding to AD? Also, on top of that, doing all of this through DEP? Obviously with DEP, there is ideally no user interaction in a typical set up. So how are you getting your Macs enrolled, bound to AD, with this NAC solution with DEP? Ha, I know that's a lot.

Would this custom plugin solution still work for all of that?

ndelgrande
New Contributor

@perrycj We are in the same boat. Going for DEP, want the ability to self-configure inside or outside the network. We thought about maybe a policy that gets triggered when the Mac detects it's on the corp network that binds the Mac and moves the data over to the new cached account from the local account that was created during DEP outside the network. This could be very confusing for the user though, so we have to think the process through.

ndelgrande
New Contributor

@bterhune We haven't fully integrated our ISE with Casper MDM yet, but we are using certificates delivered by ADCS and pushed by configuration profile from the JSS for wired port 802.1x. We also tested the posturing agent, which you can set to point to any URL I believe if it fails posturing, so redirecting to the enrollment URL shouldn't be too difficult. The downside of the posturing agent is it can be slow at times, but we saw faster times on Macs than Windows on similar hardware. (It was just checking AV defs) For example, if someone fails the AV check, they can be alerted to update their defs via a web page with instructions.

blackholemac
Valued Contributor III

@beckerbm Would it be possible to chat with you more about Cisco ISE offline somehow...we have had major issues in getting things to work right in high stress situations on Casper (standardized testing). Basically, we want to totally scrub Network Integration from Casper. I have even gone and deleted it! I am still seeing:

2016-02-01 09:49:54,955 [ERROR] [Tomcat-5390] [etworkIntegrationResource] - No NetworkIntegration instance found for mapping: fuib
2016-02-01 09:50:44,095 [ERROR] [Tomcat-5402] [etworkIntegrationResource] - No NetworkIntegration instance found for mapping: fuib
2016-02-01 09:51:01,204 [ERROR] [Tomcat-5385] [etworkIntegrationResource] - No NetworkIntegration instance found for mapping: fuib

'fuib' was the last part of the integration URL that we had used. Now that we have de-activated Cisco ISE integration on the Casper side (the network guy said he has deactivated on his side as well), how are we still seeing this in the logs???

Thank you in advance.
Brian Martin
Lafayette School Corporation

easyedc
Valued Contributor II

...Don't mind me, just placing a comment to follow this thread.

Our ISE deployment got slowed/delayed and I'm sure I'll run into issues soon.

Bhughes
Contributor

Running into same issues...

dwoodnuskin
New Contributor

@alexm, the guys at Jamf sent me a plugin that will write an EA for thunderbolt adapters, but it does not replace the secondary MAC address. We have the issue that so many different types of adapters are utilized and the only one that gets queried is for the thunderbolt dongle. How are you getting this EA to pull any type of Ethernet MAC address and then subsequently replace the secondary MAC? I think this would resolve the issues we are finding. Thanks!
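As an added illustration of the extension-attribute half of the workflow alexm describes (the JSS-side copy into the Secondary MAC Address field is the plugin's job, not shown here), this is not the plugin Jamf supplied and not code from anyone in this thread: an EA script that picks the MAC address of the first wired Ethernet-type hardware port from `networksetup -listallhardwareports`. The port-name filter, the fallback text and the sample output are assumptions.

```bash
#!/bin/bash
# Hypothetical Jamf extension attribute: report the MAC of the first wired
# Ethernet-type adapter so it can be copied into the Secondary MAC Address field.

# Reads text in the format of `networksetup -listallhardwareports` on stdin and
# prints the first "Ethernet Address" whose port name looks like a wired adapter
# ("Ethernet", "Thunderbolt Ethernet", "USB 10/100/1000 LAN", ...), skipping Wi-Fi,
# Thunderbolt Bridge and Bluetooth PAN. Prints nothing if no such port exists.
pick_ethernet_mac() {
  awk '
    /^Hardware Port:/ { port = $0; sub(/^Hardware Port:[ \t]*/, "", port) }
    /^Ethernet Address:/ {
      mac = $3
      if (port ~ /Ethernet|LAN/ && port !~ /Bridge|Bluetooth/ &&
          length(mac) == 17 && mac ~ /^[0-9a-fA-F:]+$/) { print mac; exit }
    }
  '
}

# Constructed sample (assumed, not captured from a real Mac) used when the script
# runs somewhere without networksetup, e.g. for a dry run on a Linux host.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: aa:bb:cc:00:00:01

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: N/A

Hardware Port: Thunderbolt Ethernet
Device: en4
Ethernet Address: aa:bb:cc:00:00:02
'

# Emit the value in the <result></result> form Jamf expects from an EA script.
ethernet_mac_ea() {
  local mac
  if command -v networksetup >/dev/null 2>&1; then
    mac=$(networksetup -listallhardwareports | pick_ethernet_mac)
  else
    mac=$(printf '%s\n' "$SAMPLE_PORTS" | pick_ethernet_mac)
  fi
  printf '<result>%s</result>\n' "${mac:-No wired Ethernet adapter}"
}

ethernet_mac_ea
```

The first matching port wins, so a Mac that alternates between two dongles will report whichever is listed first on that inventory run; for ISE to see a stable value the same adapter has to be attached at recon time.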