Posted May 10, 2024 (Employee)
Workspace UEM 2402 brings a key enhancement to the integration with Cisco ISE v3.1, which enables the use of the Device UUID (GUID) to identify devices connecting to ISE, solving the issue caused by MAC address randomization. To learn more, check out Integrating Workspace ONE UEM and Cisco ISE v3.1 and Beyond.

May 31, 2024 (Author, Employee, Solution)
@Mohamed Abdelhamid we are targeting 2402 on-premises sometime this summer. Stay tuned!!!

January 14
The techzone article now states UEM version 2410. The latest available on-prem version is 2406. When can on-prem customers expect this?

February 12
Hi Team, I need help. We are integrating Omnissa Workspace One (RFGun) with Cisco ISE. Do we have a document which shows the traffic flow of Omnissa Workspace One with Cisco ISE? I have the configuration link.

February 12 (Employee)
@Virtual_Leo Your understanding is correct. The Cisco ISE 3.1 integration with Workspace ONE UEM is expected to be live/GA with UEM 2410 for both SaaS and On-Premise environments.
@Ricky Kocharekar Not sure what you mean by RFGun here. Are you talking about Rugged RF Scanners? In any case, the feature you are looking for would be the same as mentioned above. So, UEM 2410 is what you would need. https://techzone.omnissa.com/resource/integrating-workspace-one-uem-and-cisco-ise-v31-and-beyond
February 13 (Employee)
@Ricky Kocharekar We currently don't have a public version of the process flow diagram but are working to add it under the Omnissa TechZone blog referenced above. So, please stay tuned for that! Having said that, here's a summary of the process flow.

Process flow with Cisco ISE v2 (Components - Device, Network, Cisco ISE Portal, Workspace ONE UEM):
1. Device tries to connect to the available network presenting its MAC address.
2. Cisco ISE extracts the MAC address and then presents that to Workspace ONE UEM to determine the compliance state of the device.
3. As Cisco ISE and Workspace ONE UEM are already integrated, Cisco ISE is able to pull compliance information, which is used to determine the level of network access to grant to the device.
4. Once UEM validates that the device is compliant, Cisco ISE then allows access to the device to connect to the network.

Existing Challenges:
- Random & changing MAC addresses: MAC address randomization implemented by different platforms for security and privacy reasons.
- Cisco ISE and Workspace ONE UEM may have different MAC addresses for the same device if the device logged into the network with a different MAC address.
- ISE makes a call to the Workspace ONE UEM server, UEM doesn't identify the MAC address as belonging to any valid device, thereby ISE failing to authenticate and grant access to network resources.

Cisco ISE V3.1 to support:
- Lookup of devices without relying on a MAC address.
- Admin can configure Workspace ONE UEM to issue Wi-Fi certs with Device UUID as a SAN URI attribute, which will be used by Cisco ISE to uniquely identify a device.

Process flow with Cisco ISE v3.1 (Components - Device, Network, Cisco ISE Portal, Workspace ONE UEM):
1. Device tries to connect to the network presenting a certificate which contains the Device UUID attribute embedded in it. The certificate will have to be deployed via Workspace ONE UEM by configuring the Wifi + Credentials MDM payload.
   IMPORTANT: An admin would need to enable "Cert - SAN URI, GUID" based integration on the Cisco ISE console by adding or editing Workspace ONE UEM as the external MDM server.
2. Cisco ISE extracts the unique Device UUID from the certificate and checks with UEM if that is valid.
3. Once the compliance check/validation is done, Cisco ISE then allows access to the device to connect to the network.

IMPORTANT: Please note that we should still have support for using the MAC address as the attribute with this new integration instead of certificate auth - this is for anyone who does not currently have a CA setup for this task or cannot use it for some reason. So, this feature would be backward compatible.
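The two lookup paths summarized in the post above, modelled as an added example (not code from the thread, Omnissa or Cisco): prefer the Device UUID from the certificate's SAN URI, fall back to the MAC address, and flag a failed MAC lookup when the address is randomized. The SAN URI layout ending in `GUID:<uuid>`, the inventory dictionaries, the function names and all sample values are assumptions made for illustration.

```python
import re
import uuid

# Assumed SAN URI layout (not given in the thread): a URI ending in "GUID:<uuid>".
GUID_RE = re.compile(r"GUID:([0-9a-fA-F-]{36})$")

def is_randomized_mac(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(re.split(r"[:-]", mac)[0], 16) & 0x02)

def guid_from_san_uris(san_uris):
    """Return the first well-formed device UUID found in the SAN URI list."""
    for uri in san_uris:
        m = GUID_RE.search(uri)
        if m:
            try:
                return str(uuid.UUID(m.group(1)))
            except ValueError:
                continue  # matched the pattern but is not a valid UUID
    return None

def compliance_lookup(session, inventory):
    """Return (identifier used, compliance state or None if device unknown)."""
    guid = guid_from_san_uris(session.get("san_uris", []))
    if guid:
        device = inventory["by_guid"].get(guid)
        return ("guid", device["compliant"] if device else None)
    mac = session["mac"].lower().replace("-", ":")
    device = inventory["by_mac"].get(mac)
    if device is None and is_randomized_mac(mac):
        return ("mac-randomized", None)  # the failure mode the post describes
    return ("mac", device["compliant"] if device else None)

# Constructed sample data: one enrolled device, seen in three kinds of session.
GUID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"
INVENTORY = {
    "by_guid": {GUID: {"compliant": True}},
    "by_mac": {"00:1b:44:11:3a:b7": {"compliant": True}},
}
CERT_SESSION = {"mac": "da:a1:19:00:00:01", "san_uris": ["ID:ExampleMDM:GUID:" + GUID]}
LEGACY_RANDOM = {"mac": "da:a1:19:00:00:01"}
LEGACY_FIXED = {"mac": "00-1B-44-11-3A-B7"}

if __name__ == "__main__":
    for s in (CERT_SESSION, LEGACY_RANDOM, LEGACY_FIXED):
        print(s["mac"], compliance_lookup(s, INVENTORY))
```

The same randomized MAC resolves to a compliant device when the certificate carries the GUID and is unknown without it, which is the behaviour to look for when triaging failed MAC-based lookups.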