Mobile Device Management (MDM) servers secure, monitor, manage, and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers act as policy servers that control the use of some applications on a mobile device (for example, an email application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on access control lists (ACLs). Cisco ISE queries the MDM servers for the necessary device attributes to create ACLs that provide network access control for those devices.
This document illustrates how to integrate a Urmobo server as an MDM server in Cisco ISE and how to validate the integration.
Cisco ISE Configuration
With the required configuration in place on the Urmobo side, integrate Urmobo with Cisco ISE as follows.
- To secure communication between ISE and Urmobo, import the required Urmobo certificates into ISE. Download the Urmobo MDM certificates from https://urmobonac.urmobo.com.br in the PEM (chain) format. Urmobo releases new certificates periodically. If the integration fails with the error “Connection Failed to the MDM server: There is a problem with the server Certificates or ISE trust store,” we recommend that you take a packet capture on the Cisco ISE PAN to determine the exact certificates sent by the MDM server. When you know which certificates are in use, you can download them from the Urmobo PKI repository. Make sure to download the certificates required for trusted communication between Cisco ISE and Urmobo MDM.
NOTE: You may need to import new root certificates to enable a successful connection between Urmobo MDM and Cisco ISE.
- In the Cisco ISE administration portal, choose Administration > System > Certificates > Trusted Certificates. For each of the four certificates you just downloaded, carry out the following steps:
- Click Import.
- Click Choose File and choose the downloaded certificate from your system.
- Allow the certificate to be trusted for use by Infrastructure and Cisco Services. In the Usage area, check the Trust for authentication within ISE and Trust for authentication of Cisco Services check boxes.
- Click Save.
- With your API credentials from the Urmobo Portal at hand (if you don’t have them, see https://urmobohelp.zendesk.com/hc/en-us/articles/42116177671059-How-to-generate-Urmobo-API-access-credentials), in the Cisco ISE administration portal, choose Administration > Network Resources > External MDM.
- Click Add
- Name – name of the MDM server in ISE for reference.
- Server Type – Mobile Device Manager
- Authentication Type – Basic
- Hostname – urmobonac.urmobo.com.br
- Port – 443
- Instance Name – <cisco-ise>
- Username – <username-provided>
- Password – <password-provided>
- Click Test Connection to ensure Cisco ISE can connect to the Urmobo MDM.
- When the connection test is successful, choose Enabled from the Status drop-down list. Click Save.
- Ensure ISE shows the Urmobo configuration after saving.
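An added example, not part of the original guide or of Cisco or Urmobo tooling: a shell helper for the certificate step above that describes each certificate in a PEM chain and names any issuing CA that is absent from it, which is the certificate still to be obtained and imported into the ISE trust store. It assumes the `openssl` CLI is installed; the function names and the file name `presented.pem` are made up for this sketch, and `fetch_chain` is an assumed alternative to the packet capture for when the server is reachable from your workstation.

```sh
# Added example: inspect a PEM chain before importing it into Cisco ISE.

# Write each certificate of bundle $1 to its own file in dir $2; print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# Print one name field ($2 = subject or issuer) of certificate file $1.
cert_name() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"
}

# Print the chain that host $1 presents on port $2 (needs network access).
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Print subject, issuer, expiry and SHA-256 fingerprint of every certificate.
describe_chain() {
  dc_tmp=$(mktemp -d)
  split_chain "$1" "$dc_tmp" >/dev/null
  for dc_cert in "$dc_tmp"/cert*.pem; do
    [ -f "$dc_cert" ] || continue
    openssl x509 -in "$dc_cert" -noout -subject -issuer -enddate -fingerprint -sha256
  done
  rm -rf "$dc_tmp"
}

# Print every issuer that is not itself a subject in bundle $1.
missing_issuers() {
  mi_tmp=$(mktemp -d)
  split_chain "$1" "$mi_tmp" >/dev/null
  touch "$mi_tmp/subjects" "$mi_tmp/issuers"
  for mi_cert in "$mi_tmp"/cert*.pem; do
    [ -f "$mi_cert" ] || continue
    cert_name "$mi_cert" subject >> "$mi_tmp/subjects"
    cert_name "$mi_cert" issuer >> "$mi_tmp/issuers"
  done
  # First file fills the set of known subjects; second is filtered against it.
  awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen) && !printed[$0]++' \
    "$mi_tmp/subjects" "$mi_tmp/issuers"
  rm -rf "$mi_tmp"
}
```

Run `fetch_chain urmobonac.urmobo.com.br 443 > presented.pem`, then `describe_chain presented.pem` and `missing_issuers presented.pem`. An empty result from `missing_issuers` on the downloaded PEM chain means the file reaches a self-signed root; any name it prints is a CA certificate that is not in the file.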
Verification
This section validates the ISE and Urmobo MDM integration: ISE retrieves the endpoint compliance status and attributes from the MDM server and controls the endpoint's network access accordingly.
- In the Cisco ISE administration portal choose Administration > Network Resources > External MDM. The Urmobo server added must be displayed in the list of MDM Servers.
- Navigate to Policy > Policy Sets and create authorization policies in a policy set for the following endpoint states:
- UnRegistered
- Registered & Compliant
- Registered & NonCompliant
- Authenticate with an endpoint that is registered with Urmobo MDM to verify that your configuration works. If it does, the endpoint matches the policies you created above.
- To see the attributes retrieved from the Urmobo MDM server, go to Context Visibility > Endpoints > Compliance > <endpoint-ID>.
NOTE: Cisco ISE supports Urmobo MDM, an endpoint management solution, as an MDM integration. Urmobo MDM supports Cisco ISE as a network access control (NAC) service.