Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

MobileIron + ISE 1.2

Hi All,

I hope, that somebody can help me.

I'm trying to setup ISE with MobileIron in order to get MAC authentication bypass for corporate registered mobile devices.

I succesfuly set up connection between ISE and MobileIron. Authorization rule is set to

Wireless_MAB AND MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable with Authorization rule allow access.

However in reports I see, that the endpoint is not registered (but it really is in the MDM) and therefore the rule is not matched.

When I go to Administration -> Identities -> Endpoints and search for the devices I can see the following attributes:

DeviceRegistrationStatus                                 NotRegistered


However when I go to MDM management and do a test connection, the connection is successfull.

I have allowed firewall comunications from all administration and policy nodes.

Thanks for any hints!



  • AAA Identity and NAC
Everyone's tags (5)
New Member

Karel,We have the same simple


We have the same simple need.  No one at TAC seems to have a clue as to how to deal with mobile corporate assets.  We have no intention of registering these through ISE either. Like you, we have a good MDM connection and restful queries all respond with devices attributes that we want to use.

But ISE won't query the MDM correctly because the design is broken for corporate assets. The focus within the Cisco ISE group has been solely upon BYOD.

This is a simple fix I am sure. We just need to get it in front of the right people.


New Member

Hi,we did a workaround. We


we did a workaround. We set to propagate certificates from MDM to every onboarded device and set wlan profile.

Now they connect to single SSID with authorization rule for internet access only.


New Member

Dear Karel, Thanks for your

Dear Karel,


Thanks for your reply, glad you found a workaround.  So, if I understand correctly, you distribute your certs to the mobile devices from MobileIron and have an authorization rule that checks the cert with a result rule that allows Internet access.  Are you able to use any of the MDM attributes yet?

Such as;

MDM:DeviceRegisterStatus EQUALS Registered AND MDM:MDMServerReachable EQUALS Reachable

We would like to use these MI attributes.



New Member

Hi,yes, I'm able to use the


yes, I'm able to use the attributes, but since then it's useless ... at least from our case of use.

I added also a rule which compares Calling-Station-ID to SAN of the client's certificate. The client's SAN is also provided by MobileIron during the certificate request.