ISE and Kindle/Nook Devices

Similar Messages

• ISE and non-802.1x devices

  Hi,
  I am looking for some input about how to profile and authorize non-802.1x devices. These devices are mostly barcode scanners connecting wireless with WPA/2. I am not sure how to authenticate them in ISE.
  We have two scenarios.
  1) LAP/WLC with several SSID/VLAN where the devices authenticate with WPA/2.
  2) Autonomous AP with several SSID/VLAN where the devices authenticate with WPA/2.
  There is a posibility to authenticate them on OUI, but I would like to have atleast another condition. Is it possible to use the WPA PSK?
  For the second scenario; is it possible to use autonomus AP and ISE? Barcode scaners need to go to one VLAN and other non802.1x devices to another. My guess is that the config should be somewhat similar to a switch, regarding AAA/RADIUS.
  Have anyone set up ISE with non802.1x devices? What/How did you do?
  Regards
  Philip

  I've quickly tried to authenticate against ISE with Autonomous AP
  No luck, maybe there is a work around but haven't tried as hard or there might not be:
  Failure Reason > Authentication Failure Code Lookup
  Failure Reason :
  11036 The Message-Authenticator RADIUS attribute is invalid
  Generated on:November 14, 2012 11:11:46 AM CST
  Description
  The Message-Authenticator RADIUS attribute is invalid. This maybe because of mismatched Shared Secrets.
  Resolution Steps
  Check whether the Shared Secrets on the AAA Client and ISE Server, match. Ensure that the AAA Client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE, has no hardware problems.

• Can't open Nook and Kindle app's in 5.1.1

  Why can't I can't open my nook and kindle apps on my iphone now that I upgraded to 5.1.1?  I just upgraded yesterday and now when I press the icons they just flash a couple of times and then nothing happens.  Anyone else having this problem?
  Thanks.

  See if anything in this topic helps: http://forums.adobe.com/thread/1136468

• We have 1 computer and 2 nook colors. Only able to transfer books onto 1 device. please advise

  we have 1 computer and 2 nook colors. Only able to transfer books onto 1 device. please advise

  First, it's protocol to post an issue only once on the forum.  You posted
  twice....
  I read the other thread, and there are a couple of messages being
  displayed.  So, let me go through them also in this post.
  One of the messages was 'no permission to copy here'.  That message tells
  you that there is copy protection in place for that particular ebook.  The
  publisher has specified that you can't copy the ebook to another device.
  This is digital rights management in action, and there's nothing further
  that you can do legally to make this go away.
  Another message relates to whether a device was authorized.  The process
  for setting up an ereader involves going to the website for that ereader
  and registering the device.  When you do that, the site will download a
  small file with that information onto the ereader, and ADE reads that
  file when you attach that ereader to ADE.  If the device wasn't registered,
  ADE won't be able to work with it and gives this message.
  We have a small dilemma here.  It's much easier to register all of
  the ereaders with your Adobe ID, because ADE won't have this problem if
  you do.  But that's not practical because you want to have each ereader
  with its own ID.  So, ADE gives you the ability to switch ADE users by
  deactivating one user ID and then change to another user ID.  That process
  is described in the HELP files of Digital Editions.
  Don't forget the maximum number of two computers and four ereaders, however.
  Hope this helps!
  =====================

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• ISE 1.2 IOS device re-auth (device drops WiFi)

  My guest users use web-auth for authentication. An issue I've run into is that IOS devices drop WiFi during lock/sleep. This means if they were authenticated, then they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two hour meeting. Is there a way for me to set this up in ISE policy?
  Something like:
  IF user was authenticated within the session timeout value (6hrs)
  THEN automatically let them back on without having to re-authenticate
  Thanks.

  OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer.  I have a similar issue, but only on a 2504 running 7.4.110.  I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong.  Also, I'm running ISE 1.2, patch 2, soon to be patch 3 with the 5508s.  I no not yet have ISE working with the 2504, but that is coming.  We're not running Flex-Connect.
  My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory.  I am having problems putting the specifications into user-friendly terms.  If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s)
  So, I guess what I'm looking for is what is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.
  I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5.  Given ISE 1.2, is there some mimimal WLC builds I should be using.  Alternatively, is there ANY reason to NOT upgrade to 7.6
  Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2.  I'm not opposed to using device registration for employee devices, but I do not believe I wishto do this for guest/sponsored devices.  I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license.  My understanding is that with AD integration, I probably don't need a MyDevices portal.
  In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires.  Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working in WLC 2504 with 7.4.110.
  The only other thing I'd want to to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.

• Verizon WiFi - iPad and Kindle

  When will Verizon's wifi service support iPad and Kindle devices?

  For Fios subscribers, Verizon offers free wifi access for laptops at Verizon hotspots.  The free access does not extend to iPads amd other such devices.  I was wondering why.  I believe cablevision, Comcast, and some other other cable companies are offering free access for all types of devices.

• ISE and Guest Portal

  WLC - 7.2.110.0
  ISE - 1.1.1
  I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
  At that screen, users can enter their Active Directory credentials and login. Although the authentcation shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
  I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

  As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• ISE and Selfservice with single SSID

  Hi, i have:
  WLAN 2504 Controller with 7.2 Software
  ISE 1.1.2
  A single SSID with 802.1x Authentication
  Today the wireless users are authenticated against an cisco acs. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to make any provisioning.
  - The user connects to the single SSID
  - The user configures peap authentication on his device
  - The user authenticates to a ldap directory with username and password
  - After successfull authentication the user will be redirected to the mydevices portal
  - he logs in with his ldap credentials
  - the mac address of his current device is listed in the mydevice portal
  - user adds his device to the known devices list
  - manual reconnect to my ssid
  Is this possible with ISE? Is there a howto out there with exact this scenario?
  Kind regards

  Hello Andreas,
  WLC 2504 supports CWA, CoA & dACL.
  This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
  For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
  http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
  Regards,
  Ashok

• ISE and wireless CWA

  Need some help on this one.
  This is ISE 1.1.1 and WLC 7.2
  I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
  This is working but I need some clarification :-)
  First I tried to use AuthC policy with
  allowed protocolls= PAP-ASCII + Host lookup
  Result of that was that for Mac OS X an MS PC it's no problem, I get redirected, logon, press yes on the AUP and I can go on surfing the web.
  But on the iOS devices I get redirected to the guest logon page, put in my credentials and insted of the AUP page I get a network error, could not connect.
  If I change AuthC to
  allowed protocolls=  Default Network Access
  All is working fine for all endpoints.
  Im looking at the RADIUS Authentication Details but I dont understand what iPhone/iPad do diffrent?
  An other question here, can I get a redirect after successfull logon instead of 'Please retry your orginal URL request'?
  Thanks!

  I did solv this (sort of) using html redirect on a custom portal, going to the customers web page.
  http://www.cisco.com/">
  It would be nice to have a redirect to the page the user wanted to view prior to login but this is good enough

• ISE and Citrix Netscaler for LB

  I'm working on a solution where we have NetScaler load balancers distributing radius requests from the NADs to respectvie PSNs. Authentication works and redirect URLs work etc.. The challenge we're having is with EAP-TLS sessions. The user get's a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customers PKI.
  Has anyone configured a NetScaler for use with ISE and besides the general guidlines below are there more specific things that need to be done to make this work with Citrix NetScalers?
  Load Balancing guidelines.
  No NAT.
  Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
  Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
  Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
  Session-ID is recommended if load balancer is capable (ACE is not).
  VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
  Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
  If ”Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
  Load Balancers get listed as NADs in ISE so their test authentications may be answered.
  ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.

  Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
  1) Event & Failure reason "5436 RADIUS packet already in the process"
  then
  2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
  The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
  Any help would be greatly appreciated!
  Cheers!
  Ken

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• ISE integration with Mobile Device Management ( MDM ) help required

  Dear Techies,
       Am here bring to your notice an different issue and no much resources to support even in PEC or Cisco Document.
       We are conduction a Proof Of Concept (PoC) on  Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
  Setup Brief :
  =========
        Our Setup has  ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory
       Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
  Activity Brief:
  =========
       As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
  Clarifications Required
  ================
  Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
  Wireless Scenario
  MDM can be integrated to ISE ? 
  How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?
  What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?
  If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?
  Is MDM will do client provisioning or ISE should do ?
  Is MDM send or update patches of Mobile Devices ?
  As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.
  Thanks for Reading...
  Arun

  I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.
  Kindly let me know your views or any documents on the following scenarios with the current release in mind
  1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).
  The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the users endpoint (windows, mac osx, or a mobile device), ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then can either use the nac agent, or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance...and the list goes on. If the user fails a check then you can either assign an acl for the user so they only have guest access, or you can place them into a remediation vlan the options are entirely up to the requirements and however the solution is implemented.
  2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).
  Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.
  3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.
  Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products since they are all part of of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (vpn..etc) and ISE are pretty close in building their solutions so that you can get connected with any device any where (sorry for the sales pitch). The latests wireless code is improving and is going to have support similar to the ios sensor for wired devices where dhcp, cdp, and other attributes can be sent in the radius packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep) you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID so that makes the budget work when it comes to deploying ISE if you arent looking for enforcement on your wired devices.
  4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?
  For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.
  There is a feature within the guest portal that allows you to statically assign guests into endpoint group, that feature is called device registration web authentication. It seems like an open network but uses mac filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page, once they accept their mac address is mapped to the endpoint group
  5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
  This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
  You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
  6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
  For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
  7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
  IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
  Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.
  Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• How to Sync clock on WLC ISE and AD

  Hi there,
  I am stuck in NTP, deployed WLC CWA using ISE that is integrated with AD. I tried using AD as NTP source but no luck(universal fact that Cisco uses NTP where as Microsoft uses SNTP).
  The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
  I tried installting Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices but it acts as master and do not sync its own time with AD.
  I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
  Please help..
  Thanks in advance           

  You mean I should sync AD and all my cisco devices with global NTP server?
  Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
  The smart thing to do is what George has described.  You select a few (between two to four) to go out to the internet to synchronize.  Normally I would nominate our core routers do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLC, switches  sychronize to our distro switches. 

• Sync ipad and kindle

  Is it possible to sync my ipad and kindle? I saw something somewhere that someone had done this but I cant fiind out how to do so.
  I have the kindle app on my ipad but would like to be able to sync the two so I can swap between them. Is it possibel.
  thank you for your help

  All Kindle apps and Kindle devices are synced to your Kindle account on Amazon, not directly to each other. As long as you're logged in using the same Amazon account information on all of the devices they should stay in sync. For further information, you should consult Amazon's help pages.
  http://www.amazon.com/gp/help/customer/display.html/ref=hp_200127470_kreadingapp s?nodeId=200783640
  Best of luck.