topic Re: iphone profiled as Cisco-Switch based on nmapOSscan in Network Access Control

iphone profiled as Cisco-Switch based on nmapOSscan

ben.posner — Tue, 17 Dec 2019 16:13:00 GMT

any idea why i have iPhones being profiled as Cisco-Switches???

MAC Address: 2C:33:61:8B:87:BB
Username: xxx.x.xxx
Endpoint Profile: Apple-iPhone
Current IP Address: 1.2.3.4
Location: SOPS

Applications
Attributes
Authentication
Threats
Vulnerabilities

General Attributes
Description
Static Assignment true
Endpoint Policy Apple-iPhone
Static Group Assignment false
Identity Group Assignment Apple-iPhone
Custom Attributes
Attribute String
Attribute Value

No data found. Add custom attributes here.
Other Attributes
AAA-Server PSN
AllowedProtocolMatchedRule Dot1X
AuthenticationIdentityStore GRANITE
AuthenticationMethod MSCHAPV2
AuthorizationPolicyMatchedRule MDM
BYODRegistration Unknown
Called-Station-ID WAP:SSID
Calling-Station-ID 2c-33-61-8b-87-bb
DTLSSupport Unknown
DestinationIPAddress 1.2.3.4
Device Type Device Type#All Device Types#WLC
DeviceCompliance Compliant
DeviceRegistrationStatus NotRegistered
ElapsedDays 0
EndPointPolicy Apple-iPhone <- I forced this to get the device onto the wifi
EndPointProfilerServer PSN
EndPointSource NMAP Probe
FQDN Users-Phone.domain.invalid
FailureReason -
Framed-IP-Address 1.2.3.4
IdentityGroup Apple-iPhone
InactiveDays 0
LastNmapScanTime 2019-Dec-17 10:39:18 EST
Location Location#All Locations#Campus
LogicalProfile Apple-iDevices,Mobile Devices,Apple-iDevices
MACAddress 2C:33:61:8B:87:BB
MDMCompliant true
MDMDiskEncrypted false
MDMEnrolled true
MDMImei xxxx
MDMJailBroken false
MDMManufacturer Apple
MDMModel iPhone 7
MDMOSVersion iOS 13
MDMPhoneNumber xxxx
MDMPinLockSet true
MDMSerialNumber xxxx
MDMServerName Maas360
MDMServerReachable true
MDMUpdateTime 1576596257968
MatchedPolicy Cisco-Device
MessageCode 3000
NAS-IP-Address 10.10.10.245
NAS-Port-Type Wireless - IEEE 802.11
NetworkDeviceName WLC
NmapScanCount 1
OUI Apple, Inc.
PhoneID xxxx
PhoneIDType UDID
PolicyVersion 66
PostureApplicable Yes
SelectedAuthorizationProfiles WLAN FULL ACCESS
StaticAssignment true
StaticGroupAssignment false
Total Certainty Factor 10
User-AD-Last-Fetch-Time 1576596258860
User-Fetch-Department DRA
User-Fetch-Email xxxx
User-Fetch-First-Name xxx
User-Fetch-Last-Name xxx
User-Fetch-User-Name xxx
User-Name xxx
host-name xxxx
ip 1.2.3.4
operating-system Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)
operating-system-result Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)

Re: iphone profiled as Cisco-Switch based on nmapOSscan

Mike.Cifelli — Tue, 17 Dec 2019 17:04:20 GMT

The default out of the box 'Cisco-Device' policy is setup to perform an OS-scan via the configured NMAP action. The OS-scan performs tcp/udp fingerprinting to determine its results. My suggestion would be to either change the action to NONE to see if that changes your profiled result. Or even better would be to create your own policies with a higher MCF to ensure that your byod devices/corporate apple devices get profiled based on attributes that you wish to profile on.

Re: iphone profiled as Cisco-Switch based on nmapOSscan

ben.posner — Tue, 17 Dec 2019 18:00:36 GMT

okay i can see why it was profiled as such based on the nmap scan result.

so now i'd like to know why the nmapOSscan thinks the iphone is a Nexus OS device. where can i see the results of that scan? and why on earth would it get that kind of result? i mean this is the 10th or 11th iteration of this product and it still isn't profiling things properly. and it's not like this was a brand new phone or something, this is an iphone7.

Re: iphone profiled as Cisco-Switch based on nmapOSscan

Mike.Cifelli — Tue, 17 Dec 2019 18:31:01 GMT

I would suggest taking a look here as it will aide in answering additional questions:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
As I mentioned earlier, I personally prefer building out my own profiles with higher MCF in an attempt to alleviate issues such as the one you have identified.

Re: iphone profiled as Cisco-Switch based on nmapOSscan

andrewswanson — Tue, 17 Dec 2019 22:01:15 GMT

Have a look at bug CSCuz62668 (ISE NMAP probe profiles iPad and iPhone as Cisco-Device).

It is listed as fixed but doesn't give a fixed release version.

Also, other thread with same issue is below:

https://community.cisco.com/t5/identity-services-engine-ise/ise-device-profiling-nmap-os-detected/m-p/3749177

hth

Andy

Re: iphone profiled as Cisco-Switch based on nmapOSscan

gerald.scott — Wed, 18 Dec 2019 01:40:04 GMT

Per the bug ID that @andrewswanson mentioned, it is recommended to disable the NMAP OS scan for apple devices. I had to do this in my ISE 2.4 P9 environment for a different issue, and Apple devices on my wireless network still get profiled properly due to the User-Agent attribute being passed. Unfortunately, the User-Agent is only passed via wireless and not the hard line, but it avoids mis-classification of apple devices caused by NMAP scans.