Cisco Identity Services Engine
Secure Access How-To Guides Series
Table of Contents
Introduction
  What Is the Cisco TrustSec System?
  About the TrustSec How-To Guides
Mobile Device Management (MDM)
  Overview
  MDM Integration Use-case
  Components
Using MDM Integration Configuration Steps
  Cisco ISE and MDM integration configuration
  Review MDM Dictionaries
  Configure ISE Authorization Policies
Appendix A: Airwatch Configuration
Appendix B: References
  Cisco TrustSec System:
  Device Configuration Guides:
Introduction
What Is the Cisco TrustSec System?
Cisco TrustSec, a core component of the Cisco SecureX Architecture, is an intelligent access control solution.
TrustSec mitigates security risks by providing comprehensive visibility into whom and what is connecting across the
entire network infrastructure, and exceptional control over what and where they can go.
TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on).
The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated
system.
In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control,
the TrustSec system also includes advanced identity and enforcement capabilities such as flexible authentication,
Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments,
and more.
Figure 1. Cisco TrustSec system overview (diagram; labels: RADIUS, Guest Services, Posture, Profiler, Wireless user, Wired user, Security Group Tag, SXP, MACsec, Campus Network, Data Center, Ingress Enforcement, Egress Enforcement)
- Device registration - Non-registered endpoints accessing the network on-premises will be redirected to the
  registration page on the MDM server for registration, based on user role, device type, etc.
- Remediation - Non-compliant endpoints will be given restricted access based on compliance state.
- Periodic compliance check - Periodically check with the MDM server for compliance.
- Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote
  wiping of the managed device).
- Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe,
  Corporate Wipe and PIN Lock.
Components

Table 1: Components Used in this Document

Component                               | Hardware                                             | Features Tested  | Cisco IOS Software Release
Cisco Identity Services Engine (ISE)    | Any: 1121/3315, 3355, 3395, VMware                   | -                | ISE 1.2
MDM Server                              | -                                                    | MDM              | -
Certificate Authority Server (Optional) | N/A                                                  | -                | -
Wireless LAN Controller (WLC)           | 5500-series, 2500-series, WLSM-2, Virtual Controller | Unified Wireless | 7.2.??? / N/A
Test Devices                            | ... and higher; Google Android 2.3 and higher        | -                | -

Cisco Systems 2015
Within this document we demonstrate MDM configuration only. We recommend using our How-To Guide to
configure ISE and the WLC to a recommended state.
How-To Guide:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
More guides are available at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Step 1
Export the MDM server certificate and save it on the local machine. If using Firefox, access the Airwatch server,
click the lock icon in the address bar, and then click More Information.
Step 2
Click View Certificate -> Details -> Export -> Save the certificate to any desired location.
Figure 6.
Step 3
Step 4
Step 5
Figure 8.
Step 6
Step 7
Step 9
Step 10
Navigate to: Policy -> Policy Elements -> Dictionaries -> MDM -> Dictionary Attribute.
Create an ACL named NSP-ACL on the Wireless LAN Controller. It is used later in the policy to redirect
clients selected for BYOD supplicant provisioning, certificate provisioning and MDM quarantine.
Figure 15. Access Control List for redirecting the client to the BYOD flow
Create an Authorization Profile named MDM_Quarantine for devices that are not compliant with MDM
policies. In this case all non-compliant devices will be redirected to ISE and presented with a
message.
Click Policy -> Policy Elements -> Results, then click Authorization -> Authorization Profiles -> Add.
Figure 17.
Create the Authorization Policy. Click Policy -> Authorization -> Authorization Profiles. Click Insert
New Rule Below.
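The rule ordering this policy relies on (BYOD onboarding first, then MDM registration, then MDM compliance, with the NSP-ACL redirect and the MDM_Quarantine profile for the non-compliant case) and the periodic compliance check from the use-case section, modelled as an added worked example. This is not Cisco's code and ISE does not express policy in Python; it assumes the ISE MDM dictionary attributes MDM:DeviceRegisterStatus and MDM:DeviceCompliantStatus (which this page does not list), a constructed in-memory stand-in for the MDM server's REST answers, the hypothetical profile names NSP_Onboard and MDM_Registration, and a 4-hour recheck interval that the guide does not specify:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample data standing in for the MDM server's REST API answers,
# keyed by endpoint MAC address (not real devices).
MDM_SERVER: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:55": {"DeviceRegisterStatus": "Registered",
                          "DeviceCompliantStatus": "Compliant"},
    "66:77:88:99:aa:bb": {"DeviceRegisterStatus": "Registered",
                          "DeviceCompliantStatus": "NonCompliant"},
    "cc:dd:ee:ff:00:11": {"DeviceRegisterStatus": "UnRegistered",
                          "DeviceCompliantStatus": "NonCompliant"},
}

# Assumed interval after which a cached compliance answer is re-queried; the
# guide only says the check is periodic and gives no value.
COMPLIANCE_RECHECK = timedelta(hours=4)


@dataclass
class Endpoint:
    mac: str
    byod_onboarded: bool  # already holds the ISE-provisioned certificate/supplicant profile
    mdm_attrs: Dict[str, str] = field(default_factory=dict)
    mdm_checked_at: Optional[datetime] = None


@dataclass
class AuthzResult:
    profile: str                 # authorization profile name returned to the WLC
    redirect_acl: Optional[str]  # "NSP-ACL" when the client must be redirected, else None
    reason: str


def query_mdm(mac: str) -> Dict[str, str]:
    """Stand-in for the ISE -> MDM REST lookup; unknown devices count as unregistered."""
    default = {"DeviceRegisterStatus": "UnRegistered",
               "DeviceCompliantStatus": "NonCompliant"}
    return dict(MDM_SERVER.get(mac, default))


def refresh_mdm_attributes(ep: Endpoint, now: datetime) -> Dict[str, str]:
    """Periodic compliance check: re-query the MDM server only when the cached
    answer is missing or older than COMPLIANCE_RECHECK."""
    stale = ep.mdm_checked_at is None or now - ep.mdm_checked_at > COMPLIANCE_RECHECK
    if stale:
        ep.mdm_attrs = query_mdm(ep.mac)
        ep.mdm_checked_at = now
    return ep.mdm_attrs


def authorize(ep: Endpoint, now: Optional[datetime] = None) -> AuthzResult:
    """Rules are evaluated top-down and the first match wins, as in an ISE
    authorization policy. Order matters: BYOD onboarding is checked before MDM
    registration, and registration before compliance."""
    now = now or datetime.now()
    if not ep.byod_onboarded:
        return AuthzResult("NSP_Onboard", "NSP-ACL",
                           "redirect to BYOD supplicant/certificate provisioning")
    attrs = refresh_mdm_attributes(ep, now)
    if attrs.get("DeviceRegisterStatus") != "Registered":
        return AuthzResult("MDM_Registration", "NSP-ACL",
                           "redirect to the MDM server registration page")
    if attrs.get("DeviceCompliantStatus") != "Compliant":
        return AuthzResult("MDM_Quarantine", "NSP-ACL",
                           "non-compliant: restricted access and remediation message")
    return AuthzResult("PermitAccess", None, "registered and compliant")


def demo() -> Dict[str, str]:
    """Authorize each sample device in a fresh session; returns MAC -> profile."""
    now = datetime(2015, 6, 1, 12, 0)
    return {mac: authorize(Endpoint(mac, byod_onboarded=True), now).profile
            for mac in MDM_SERVER}


def demo_remediation() -> Dict[str, str]:
    """A device cached as NonCompliant that has since been fixed on the MDM server:
    the cached answer holds inside the recheck window and is refreshed once stale."""
    ep = Endpoint("00:11:22:33:44:55", byod_onboarded=True,
                  mdm_attrs={"DeviceRegisterStatus": "Registered",
                             "DeviceCompliantStatus": "NonCompliant"},
                  mdm_checked_at=datetime(2015, 6, 1, 8, 0))
    within = authorize(ep, datetime(2015, 6, 1, 9, 0)).profile   # 1 h later: cached answer
    after = authorize(ep, datetime(2015, 6, 1, 13, 0)).profile   # 5 h later: re-queried
    return {"within_window": within, "after_window": after}


if __name__ == "__main__":
    for mac, profile in demo().items():
        print(mac, profile)
    print(demo_remediation())
```

The point of the model is the rule order: if the compliance rule were placed above the registration rule, an unregistered device (which the MDM server reports as non-compliant) would land in MDM_Quarantine and never reach the registration redirect, so the remediation message would be shown to a device that cannot remediate. The recheck interval also shows why a quarantined device stays quarantined until ISE re-queries the MDM server, which is what the periodic compliance check in the use-case section provides.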
Please see the How-To guide BYOD Using Certificates for Differentiated Access for more information on
provisioning certificates along with the supplicant profile.
Note: MDM policies could also be defined in more granular detail on Cisco ISE, e.g.
Demonstrations
If you are interested in the end-user experience for on-boarding i-devices, Android, Windows and Mac OS X, please
visit the following website.
http://wwwin.cisco.com/tech/snsbu/prod-sols/ise/#sectionName=4
Step 1
Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the
MobileIron server.
Review the default security policies.
Review the iOS app installation configuration (AnyConnect).
Access the MobileIron administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter the MobileIron URL in the address bar:
   https://mobileiron.demo.local/admin
b. Log in with username and password. Once you log in, the Asset Tracking tab should display.
Step 2
Navigate to Menu > Accounts > Administrators. From there, click the user account (for API access) and
then click EDIT.
Step 3
Click Roles, then Add Role.
Step 4
Select REST API MDM, name the role, add a description and click SAVE.
Step 5
Step 6
Step 7
Step 8
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/own_device.html
Appendix B: References
Cisco TrustSec System:
http://www.cisco.com/go/trustsec
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html