
Cisco Ise 13 User Guide


Page 231

• PhoneNumber
Supported MDM Servers
Supported MDM servers include products from the following vendors:
• Airwatch, Inc.
• Good Technology
• MobileIron, Inc.
• Zenprise, Inc.
• SAP Afaria
• Fiberlink/IBM MaaS
• Meraki
Ports Used by the MDM Server
The following table lists the ports that must be open between the Cisco ISE and the MDM server to enable them to communicate with each other. Refer to the MDM Server Documentation for a list of ports that must be open on the MDM agent and server.
Table 13: Ports Used by the MDM Server
Ports    MDM Server
443      MobileIron
443      Zenprise...

Page 232

MDM Dictionary Attributes
After you add the MDM server definition in Cisco ISE, the MDM dictionary attributes are available in Cisco ISE that you can use in authorization policies. You can view the dictionary attributes that are available for use in authorization policies.
When you are using these MDM dictionary attributes in policies, you cannot delete the MDM server configuration from Cisco ISE. To remove the MDM server configuration, you must first remove the MDM dictionary attributes from policies, and then remove the MDM server from Cisco ISE.
MDM Integration Process Flow...

Page 233

Set Up MDM Servers With Cisco ISE
To set up MDM servers with Cisco ISE, you must perform the following high-level tasks:
Procedure
Step 1 Import MDM server certificate into Cisco ISE.
Step 2 Create mobile device manager definitions.
Step 3 Configure ACLs on the Wireless LAN Controllers.
Step 4 Configure authorization profile for redirecting non-registered devices.
Step 5 Configure authorization policy rules for the MDM use cases.
Import MDM Server Certificate into Cisco ISE...

Page 234

What to Do Next
Create Mobile Device Manager Definitions, on page 188.
Create Mobile Device Manager Definitions
You can create one or more Mobile Device Manager (MDM) definitions for external MDM servers to help ensure Cisco ISE is able to obtain the most up-to-date device connection status from logged-in user devices as possible on demand. (Although you can configure multiple MDM server definitions, you can activate only one MDM server with which Cisco ISE interoperates at a time.)
Before You Begin
Ensure that you have imported the MDM server certificate into Cisco ISE....

Page 235

Step 13 Click Submit to save the MDM server definition. Only after you successfully connect Cisco ISE with the MDM server, the MDM dictionary gets populated in Cisco ISE.
What to Do Next
Configure an Authorization Profile for Redirecting Nonregistered Devices
Set Permissions When AD User in the Domain Admin Group
For Windows 2008 R2, Windows 2012, and Windows 2012 R2, the Domain Admin group does not have full control on certain registry keys in the Windows operating system by default. The Active Directory admin...

Page 236

These permissions are only required for the following Active Directory versions:
• Windows 2003
• Windows 2003 R2
• Windows 2008
• Windows 2008 R2
• Windows 2012
• Windows 2012 R2
Add Registry Keys to Allow ISE to Connect to the Domain Controller
You must manually add some registry keys to the domain controller to allow ISE to connect as a Domain User, and retrieve login authentication events. An agent is not required on the domain controllers or on any machine in the domain....

Page 237

Procedure
Step 1 Run the dcomcnfg tool from the command line.
Step 2 Expand Component Services.
Step 3 Expand Computers > My Computer.
Step 4 Select Action from the menu bar, click properties, and click COM Security.
Step 5 Make sure that the account that ISE will use for both Access and Launch has Allow permissions. That Active Directory user should be added to all the four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions).
Step 6 Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions....

Page 238

Set Permissions for Access to WMI Root/CIMv2 Name Space
By default, Active Directory users do not have permissions for the Execute Methods and Remote Enable. You can grant access using the wmimgmt.msc MMC console.
   Cisco Identity Services Engine Administrator Guide, Release 1.3

Page 239

Procedure
Step 1 Click Start > Run and type wmimgmt.msc.
Step 2 Right-click WMI Control and click Properties.
Step 3 Under the Security tab, expand Root and choose CIMV2.
Step 4 Click Security.
Step 5 Add the Active Directory user, and configure the required permissions as shown below.
Figure 18: Required Permissions for WMI Root\CIMv2 Name Space
Open Firewall Ports for WMI Access
The firewall software on the Active Directory Domain Controller may block access to WMI. You can either...

Page 240

• TCP 135: General RPC Port. When doing asynchronous RPC calls, the service listening on this port tells the client which port the component servicing this request is using.
• UDP 138: Netbios Datagram Service
• TCP 139: Netbios Session Service
• TCP 445: SMB
Higher ports are assigned dynamically or you can configure them manually. We recommend that you add %SystemRoot%\System32\dllhost.exe as a target. This program manages ports dynamically.
All firewall rules can be assigned to specific IP (ISE IP).
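The port list and the dllhost.exe recommendation above, written as Windows Firewall rules that accept traffic from a single ISE address only. This is an added example, not part of the Cisco guide. It assumes Windows Server 2012 or later (NetSecurity PowerShell module); the ISE address, rule names and group name are placeholders.

```powershell
# Added example: every value in this header is an assumption, not from the guide.
$IseIp = '192.0.2.10'      # placeholder (TEST-NET-1); replace with the ISE node address
$Group = 'Cisco ISE WMI'   # hypothetical group name, used to find the rules again

# Fixed ports named in the guide's list.
$PortRules = @(
    @{ Name = 'ISE WMI - RPC (TCP 135)';              Protocol = 'TCP'; Port = 135 },
    @{ Name = 'ISE WMI - NetBIOS datagram (UDP 138)'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'ISE WMI - NetBIOS session (TCP 139)';  Protocol = 'TCP'; Port = 139 },
    @{ Name = 'ISE WMI - SMB (TCP 445)';              Protocol = 'TCP'; Port = 445 }
)

foreach ($r in $PortRules) {
    # Create each rule once so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound `
            -Action Allow -Protocol $r.Protocol -LocalPort $r.Port `
            -RemoteAddress $IseIp | Out-Null
    }
}

# Dynamically assigned high ports: allow by program instead of opening a port range.
$DllHostRule = 'ISE WMI - dllhost.exe (dynamic ports)'
if (-not (Get-NetFirewallRule -DisplayName $DllHostRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $DllHostRule -Group $Group -Direction Inbound `
        -Action Allow -Protocol TCP -Program '%SystemRoot%\System32\dllhost.exe' `
        -RemoteAddress $IseIp | Out-Null
}

# Audit: list the group's rules and flag any whose remote scope is not the ISE address.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = @($addr) -join ','
        ScopedToIse   = ((@($addr) -join ',') -eq $IseIp)
    }
} | Format-Table -AutoSize
```

Any row with ScopedToIse set to False means the rule was widened after creation and admits RPC, NetBIOS or SMB traffic from hosts other than ISE.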
Configure an Authorization Profile for Redirecting Nonregistered Devices...