ISE 2.0 - MDM Configuration

In this guide, I'm going to walk through MDM integration with ISE. Mobile Device Management (MDM) is used for deploying, securing, monitoring, integrating and managing mobile devices in the workplace. The MDM agent that is downloaded to the mobile device can control the distribution of applications and patches as well as control data and configuration on the endpoint.

While there is a long list of MDM solutions you can use with ISE, I'll be using Meraki Enterprise Mobility Management (EMM) since that's the MDM solution I have access to. If you would like to see a complete list of providers officially supported in the ISE ecosystem, click here.

I'll basically be building on top of my previous BYOD configuration to include the download of the Meraki MDM software. ISE remains the policy decision point for network access and will enforce granular access for the endpoints; the Meraki MDM decides whether a device is registered and compliant with the mobile policy and reports that status to ISE.

If you would like to read the official "How To" guide for ISE and Meraki integration, you can view it here.

In order to set up the integration with Meraki, ISE needs to trust the certificate that the Meraki cloud presents. To download this certificate, open Firefox, navigate to https://dashboard.meraki.com and log in.

After logging in, click on the lock next to the URL in the address bar:

On the window that opens, I'll click on More Information under the certificate information and then in the menu that comes up, choose the option for View Certificate:

On the Certificate Viewer, I need to locally save the certificate so I'll have to navigate to the Details tab and then click on the Export button. 

Save the certificate locally on your computer for later use. Keep in mind that the leaf certificate for dashboard.meraki.com is replaced when it expires or is rotated, so if you trust only the leaf, the ISE-to-Meraki connection breaks on the next rotation. Firefox's Export dialog can also save the certificate with its chain (the "X.509 Certificate with chain (PEM)" format); exporting that lets you import the issuing CA certificate instead, which survives a leaf rotation.
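As an added example (my own code, not from the original post, Cisco or Meraki), here is a small Python script that does the same export from the command line using the openssl CLI, and splits the chain the server presents into one file per certificate so the issuing CA can be told apart from the leaf before importing into ISE. The host name dashboard.meraki.com is from the post; the output directory meraki-chain and the cert-N.pem file names are my own choices.

```python
import re
import subprocess
from pathlib import Path

# One PEM certificate block; DOTALL so the base64 body can span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(pem_text):
    """Return the individual certificates found in a concatenated PEM string,
    in the order the server presented them (leaf first). [] if none."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem_text)]


def fetch_chain_pem(host, port=443):
    """Return the PEM chain the server presents during the TLS handshake.
    Needs network access and the openssl CLI; raises if nothing came back."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True)
    pem = proc.stdout.decode("ascii", errors="replace")
    if not split_pem_chain(pem):
        raise RuntimeError(f"no certificates returned by {host}:{port}: "
                           + proc.stderr.decode(errors="replace").strip())
    return pem


def write_chain(pem_text, outdir):
    """Write cert-0.pem (leaf), cert-1.pem (normally its issuer), ... into
    outdir and return the written paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, cert in enumerate(split_pem_chain(pem_text)):
        path = outdir / f"cert-{i}.pem"
        path.write_text(cert)
        paths.append(path)
    return paths


def describe(pem_path):
    """Subject, issuer and expiry of one PEM file via `openssl x509`, so the
    issuing CA can be identified before importing it into ISE."""
    out = subprocess.run(["openssl", "x509", "-in", str(pem_path), "-noout",
                          "-subject", "-issuer", "-enddate"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dashboard.meraki.com"
    for path in write_chain(fetch_chain_pem(host), "meraki-chain"):
        print(path)
        print(describe(path))
```

cert-0.pem is the leaf for dashboard.meraki.com; the next file is normally the CA that issued it, which is the one to import into the ISE Trusted Certificates store if you want the trust to outlive the leaf's rotation.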

Back in the Meraki dashboard, I need to note the username and password under the ISE section for later use when I add Meraki to ISE. You can view this preset username/password by navigating to Organization>Configure>MDM in the Meraki dashboard and scrolling to the bottom of the page; there is a subsection for ISE containing that information:

One thing I'd also like to note on this page is the section called SCEP CA Certificate Configuration:

You can actually configure Meraki EMM to use SCEP and hand out certificates directly to your clients instead of using a separate BYOD policy. That is certainly the simpler flow, but I'm going to configure it with a separate BYOD policy in this post because I'm running a lab where I will probably want to disable/re-enable that policy in the future and experiment with it.

For my lab, I'm going to configure a very basic policy in Meraki: it requires the Meraki Systems Manager to be installed and requires a passcode on the mobile device. I'm going to navigate to Systems Manager>Configure>Policies and click Add New. I'm going to name this policy PASSCODE-ONLY and check the box next to Passcode Lock:

After saving, I'm going to navigate to MDM>Policies and create a new policy. This will be the scope for all my devices, so I'm going to name it ALL_DEVICES and choose All devices from the scope drop-down:

For my mobile devices, I can define requirements for the passcode in the mobile settings by navigating to MDM>Settings. Under the ALL_DEVICES settings, I'm going to navigate to the Passcode tab and make sure that both the Required passcode and Allow simple value boxes are checked. While I could require a longer passcode in this menu, I am going to set the minimum passcode length to 4 for the lab. For production, uncheck Allow simple value and require a longer passcode: a short, simple passcode (repeated or sequential digits) is weak protection for a device that will be allowed onto the employee network.

Next I'm going to set the apps I want installed on my mobile devices. I'm going to navigate to MDM>Apps and click Add New, and I'm going to make the Meraki Systems Manager a required install on all Android and iOS devices, since those are what I have in my lab:

Finally, I'm going to tie all my settings together under the ISE settings inside the Meraki dashboard. I'm going to navigate to Systems Manager>Configure>General and scroll to the bottom of the page. Under the ISE Settings section, click Add a new security policy scope. Add the policy you just created and apply it to all devices with the tags iOS and Android:

After completing my Meraki configuration, I'm going to log in to ISE and import the Meraki certificate I downloaded earlier into ISE's Trusted Certificates store. This is necessary for ISE to trust its TLS connection to the Meraki cloud. I am going to navigate to Administration>System>Certificates>Certificate Management>Trusted Certificates and click Import:

I'll give this certificate a friendly name that makes sense to me (MERAKI-CERT) and check at least the boxes for:

  • Trust for authentication within ISE
  • Trust for authentication of Cisco Services

I'm going to add Meraki as the external MDM inside ISE by navigating to Administration>Network Resources>External MDM. After clicking Add, I'm going to enter the information I saved from the Meraki dashboard in the previous steps and then click Test Connection to ensure that ISE can connect to and communicate with the Meraki cloud:

If the test is successful, I click Submit.

Note: In a production network you might not want ISE to poll the MDM for compliance changes every 10 minutes, but since this is a lab I turned the polling interval down to that.

I still have the ACLs in the wireless controller that I created in previous posts, but for the purposes of review I'm going to list them here since they'll be important to the policy:

I'm going to create authorization profiles in ISE for the new policies by navigating to Policy>Policy Elements>Results>Authorization>Authorization Profiles and clicking Add. I'm going to create the following profiles:

Name: BYOD-NO-REG

  • Check the box next to VLAN and select VLAN ID 70
  • Check the box next to Web Redirection, choose MDM Redirect from the drop-down, fill in NSP-ACL in the ACL field, choose MDM Portal (default) under Value and for MDM Server, choose Meraki-MDM

Name: BYOD-NO-COMP

  • Check the box next to VLAN and select VLAN ID 70
  • Check the box next to Web Redirection, choose MDM Redirect from the drop-down, fill in NSP-ACL in the ACL field, choose MDM Portal (default) under Value and for the MDM Server, choose Meraki-MDM

Name: BYOD-COMP

  • Check the box next to VLAN and select VLAN ID 50
  • Check the Airespace ACL box and enter EMPLOYEE-ONLY

I am going to create reusable compound conditions by navigating to Policy>Policy Elements>Conditions>Authorization>Compound Conditions. I'm going to create the following conditions (attribute names as they appear in ISE's MDM dictionary):

Name: BYOD-MDM-NO-REG
Conditions:
NetworkAccess:EapAuthentication equals EAP-TLS
MDM:DeviceRegisterStatus equals UnRegistered

Name: BYOD-MDM-NO-COMPLIANT
Conditions:
NetworkAccess:EapAuthentication equals EAP-TLS
MDM:DeviceRegisterStatus equals Registered
MDM:DeviceCompliantStatus equals NonCompliant

Name: BYOD-MDM-COMPLIANT
Conditions:
NetworkAccess:EapAuthentication equals EAP-TLS
MDM:DeviceRegisterStatus equals Registered
MDM:DeviceCompliantStatus equals Compliant
MDM:MDMServerReachable equals Reachable

Now that I have my policy elements built, I'm going to create the policy rules. I'm going to navigate to Policy>Policy Sets and open my WirelessDot1x policy set. In its Authorization Policy, I'm going to disable the BYOD-REG rule and create the following rules under my BYOD-Supplicant rules:

Name: MDM Compliant and Registered
If: RegisteredDevices and BYOD-MDM-COMPLIANT
Then: BYOD-COMP

Name: MDM Not Registered
If: RegisteredDevices and BYOD-MDM-NO-REG
Then: BYOD-NO-REG

Name: MDM Not Compliant
If: RegisteredDevices and BYOD-MDM-NO-COMPLIANT
Then: BYOD-NO-COMP

With the policy written this way, the flow is:
1 - The endpoint first onboards via BYOD and receives a certificate.
2 - If the device is not registered with the Meraki MDM, it is redirected to register when it tries to access internal resources. Note: you can lock this down further; I set it up only to block internal resources.
3 - If the device is registered but not compliant with the Meraki MDM policy, it is given internet access only and must remediate before it can reach internal resources.
4 - If the device is compliant, it is allowed full employee access.

Note that the BYOD-MDM-COMPLIANT condition also requires MDM:MDMServerReachable equals Reachable, so while ISE cannot reach Meraki an otherwise compliant device is not granted employee access. ISE evaluates authorization rules top-down and stops at the first match, so confirm which rule those sessions fall through to and that the access it grants is what you intend for that failure case.
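To check what the three rules above resolve to for every combination of MDM attribute values, including the case where ISE cannot reach Meraki, here is an added example (my own code, not from the post or from Cisco) that mirrors ISE's top-down, first-match evaluation of the compound conditions and rules described above. Attribute and value spellings follow the ISE MDM dictionary as used in the conditions; the `in_RegisteredDevices` flag is my simplification standing in for the RegisteredDevices identity-group check, and the rule and profile names are the ones from this post.

```python
from itertools import product

# (rule name, MDM conditions that must all be true, authorization profile),
# in the order the rules sit in the WirelessDot1x authorization policy.
RULES = [
    ("MDM Compliant and Registered",
     {"MDM:DeviceRegisterStatus": "Registered",
      "MDM:DeviceCompliantStatus": "Compliant",
      "MDM:MDMServerReachable": "Reachable"},
     "BYOD-COMP"),
    ("MDM Not Registered",
     {"MDM:DeviceRegisterStatus": "UnRegistered"},
     "BYOD-NO-REG"),
    ("MDM Not Compliant",
     {"MDM:DeviceRegisterStatus": "Registered",
      "MDM:DeviceCompliantStatus": "NonCompliant"},
     "BYOD-NO-COMP"),
]

# What a session gets when none of the three MDM rules matches: ISE keeps
# evaluating the rules below them, so the outcome depends on those rules.
FALL_THROUGH = "(no MDM rule matched: next rule in the policy set decides)"


def authorize(session, rules=RULES):
    """First-match evaluation, as ISE does top-down in an authorization policy.

    `session` maps attribute name -> value for one RADIUS session. Every MDM
    rule in this post is prefixed with the same two checks (EAP-TLS and
    membership in RegisteredDevices), so they are tested once up front.
    Returns (matched rule name or None, resulting profile or FALL_THROUGH).
    """
    if session.get("NetworkAccess:EapAuthentication") != "EAP-TLS":
        return None, FALL_THROUGH
    if not session.get("in_RegisteredDevices", False):
        return None, FALL_THROUGH
    for name, conditions, profile in rules:
        if all(session.get(attr) == want for attr, want in conditions.items()):
            return name, profile
    return None, FALL_THROUGH


def mdm_outcomes():
    """Evaluate every combination of the three MDM attributes for an EAP-TLS
    session from a RegisteredDevices endpoint. Returns {combo: outcome}."""
    results = {}
    for reg, comp, reach in product(("Registered", "UnRegistered"),
                                    ("Compliant", "NonCompliant"),
                                    ("Reachable", "UnReachable")):
        session = {
            "NetworkAccess:EapAuthentication": "EAP-TLS",
            "in_RegisteredDevices": True,
            "MDM:DeviceRegisterStatus": reg,
            "MDM:DeviceCompliantStatus": comp,
            "MDM:MDMServerReachable": reach,
        }
        results[(reg, comp, reach)] = authorize(session)[1]
    return results


if __name__ == "__main__":
    for (reg, comp, reach), outcome in mdm_outcomes().items():
        print(f"{reg:<12} {comp:<12} {reach:<11} -> {outcome}")
```

The row to look at is Registered / Compliant / UnReachable: because the compliant rule requires MDMServerReachable, a compliant device gets no MDM rule while Meraki is down and its access is decided by whatever rule sits below these three in the policy set.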

Note: My policy is using the default BYOD portal for the BYOD rules and putting all registered devices into the pre-created RegisteredDevices group. If you would like to change the look of the portal, or the group that endpoints end up in after registration, you can do that under the portal settings at Administration>Device Portal Management>BYOD. You could also skip the BYOD process in your deployment, or have certificates issued through Meraki. I went with my existing BYOD policy, but there are easier ways if you're starting your policy from scratch.

After testing my policy, I can view the flow in Operations>RADIUS Livelog:


This is what the flow will look like to the end user:

Step 1 - The user gets the BYOD splash page and starts the BYOD onboarding process

Step 2 - The user can enter details about the device they are registering

Step 3 - The user is guided to download the Network Setup Assistant from the Google Marketplace (Android only)

Step 4 - The user downloads the Network Setup Assistant (one time only)

Step 5 - The Network Setup Assistant requests a certificate from ISE via SCEP and reconnects the device to the network (one time only)

Step 6 - The device is not registered with the MDM, so the user is redirected to a Meraki Systems Manager page to register

Step 7 - The user is guided to download the Meraki Systems Manager from the Google Marketplace

Step 8 - The user downloads the Meraki Systems Manager

Step 9 - After installing Systems Manager, the user enrolls the device with the Meraki cloud, which assesses whether the device is compliant with the policy. If it is compliant, the user is given access to internal resources as an employee. If it is not, the device is given internet access only, so it can't reach proprietary information or create a security risk for the internal network