10-28-2016 12:47 PM
I have discovered the following profiling issue in regards to the frequent WiFi disconnects and reauths that have been plaguing our environment since July 2016. The root cause appears to be that the ISE profiler is changing Identity Group profiles constantly based on User-Agent attribute matching in the Profile Policies. This became an issue when iOS 10 and some late versions of iOS 9 started including “like Mac OS X” statements that are picked up in the User-Agent attributes when a browser is launched. This introduced the ability for Apple mobile devices like iPhones and iPads to match profile OS_X-Workstation, which forces a CoA event to reauth. This really gets out of hand when the user launches another app like the App Store that changes the User-Agent attributes to match back to the Apple-iPhone profile, causing another CoA reauth. This can easily toggle back and forth, creating havoc on reauths, as I have recreated in my testing.
Example:
I connect an iPhone to WiFi and it profiles as Identity Group Apple-iPhone based on the following Profile Policies:

Attribute | Value |
---|---|
Attribute:User-Agent | value:iPhone8,2/10.0.2 (14A456) |

Identity Group | Certainty Factor | Rule |
---|---|---|
Apple-Device | 10 | MAC:OUI CONTAINS Apple |
Apple-iPhone | 20 | IP:User-Agent CONTAINS iPhone |
Total | 30 |

I then launch the browser on the iPhone and the Identity Group changes to OS_X-Workstation based on the following Profile Policies, forcing a CoA event reauth:

Attribute | Value |
---|---|
Attribute:User-Agent | value:Mozilla/5.0 (iPhone\; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1 |

Identity Group | Certainty Factor | Rule |
---|---|---|
Workstation | 20 | IP:User-Agent CONTAINS Mac OS X |
Macintosh-Workstation | 10 | IP:User-Agent CONTAINS Mac |
OS_X-Workstation | 20 | IP:User-Agent CONTAINS Mac OS X |
Total | 50 |

If I launch the App-Store on the iPhone, the Identity Group changes back to Apple-iPhone based on the following Profile Policies, forcing a CoA event reauth:

Attribute | Value |
---|---|
Attribute:User-Agent | value:AppStore/2.0 iOS/10.0.2 model/iPhone8,2 hwp/s8000 build/14A456 (6\; dt:121) |

Identity Group | Certainty Factor | Rule |
---|---|---|
Apple-Device | 10 | MAC:OUI CONTAINS Apple |
Apple-iPhone | 20 | IP:User-Agent CONTAINS iPhone |
Total | 30 |

The only resolution I have found was to modify the Profile Policies to either:
I believe it would be beneficial to match Profile Rules based on other device attributes that are more reliable than the User-Agent attributes, which can change and be unpredictable. Here are some of the other User-Agent values I get for iPhone and iPad.
iPhone User-Agent:
value:Mozilla/5.0 (iPhone\; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1
value:AppStore/2.0 iOS/10.0.2 model/iPhone8,2 hwp/s8000 build/14A456 (6\; dt:121)
value:server-bag [iPhone OS,10.0.2,14A456,iPhone8,2]
value:iPhone8,2/10.0.2 (14A456)
value:AppleNewsWidget/608.0.1 Version/1.0.1
iPad User-Agent:
value:AppleCoreMedia/1.0.0.13G36 (iPad\; U\; CPU OS 9_3_5 like Mac OS X\; en_us)
value:Mozilla/5.0 (iPad\; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36
Thanks,
Ricky Gomez
10-30-2016 08:42 AM
A known defect -- CSCvb52519 iPhones being profiled as OS X Workstations
Please try updating profiler policies to the latest via online updates, which is down currently, or, in case of ISE 2.1, via offline updates. If that does not resolve it for you, please open a TAC case.
11-21-2016 10:54 AM
Thank you hslai for the reply. I was made aware of the bug mentioned above, however this did not fix the issue. It was suggested to turn off the Profiler Feed Services and revert back to the last update. That had no effect on the issue of devices profiling incorrectly. I have re-enabled the Feed Services and am getting the latest updates, but still no change to status. The only way to avoid the iPhone from profiling incorrectly is creating custom profiler match rules that supersede the certainty value of the OS X Workstation rule.
This has improved the incorrect profiling issue. However, there are still re-authentication requests occurring randomly with the termination cause of "Admin Reset". I have been working exclusively with TAC to determine the cause of these Admin Resets from debugs, but have not found a defined cause.
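
The certainty-factor totals from the tables in the first post, and the custom-rule workaround described in the last reply, replayed as an added example that is not part of the thread and is not Cisco ISE code. It is a simplified Python model in which the chain with the highest total wins; the OUI string, the function names and the custom rule's value of 40 are assumptions.

```python
# Simplified model of the certainty-factor scoring shown in the tables above.
# Not ISE's engine: rules and values are copied from the first post; the
# custom rule, its value of 40 and the OUI string are hypothetical.

# Each rule: (identity group, certainty factor, endpoint attribute, substring)
CHAINS = {
    "Apple-iPhone": [
        ("Apple-Device", 10, "oui", "Apple"),
        ("Apple-iPhone", 20, "user_agent", "iPhone"),
    ],
    "OS_X-Workstation": [
        ("Workstation", 20, "user_agent", "Mac OS X"),
        ("Macintosh-Workstation", 10, "user_agent", "Mac"),
        ("OS_X-Workstation", 20, "user_agent", "Mac OS X"),
    ],
}
CUSTOM_RULE = ("Apple-iPhone", 40, "user_agent", "iPhone")  # hypothetical

# User-Agent values from the post, in the order of its example
# (the "\;" escapes shown on the page are written as ";").
SEQUENCE = [
    "iPhone8,2/10.0.2 (14A456)",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 "
    "(KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1",
    "AppStore/2.0 iOS/10.0.2 model/iPhone8,2 hwp/s8000 build/14A456 (6; dt:121)",
]

def profile(endpoint, chains):
    """Sum the matching rules per chain; return (winning group, totals)."""
    totals = {
        group: sum(cf for _, cf, attr, needle in rules
                   if needle in endpoint.get(attr, ""))
        for group, rules in chains.items()
    }
    return max(totals, key=totals.get), totals

def replay(user_agents, chains, oui="Apple, Inc."):
    """Profile after each new User-Agent, plus the number of profile changes
    (each change is a CoA reauth in the behaviour the post describes)."""
    history = [profile({"oui": oui, "user_agent": ua}, chains)[0]
               for ua in user_agents]
    changes = sum(1 for a, b in zip(history, history[1:]) if a != b)
    return history, changes

def with_custom_rule():
    """Stock chains plus one higher-certainty iPhone rule (the workaround)."""
    chains = dict(CHAINS)
    chains["Apple-iPhone"] = CHAINS["Apple-iPhone"] + [CUSTOM_RULE]
    return chains

if __name__ == "__main__":
    for label, chains in (("stock", CHAINS), ("custom", with_custom_rule())):
        print(label, *replay(SEQUENCE, chains))
```

With the stock rules the Safari User-Agent scores 50 against 30 and the profile flips twice across the three values; with the hypothetical custom rule the iPhone chain totals 70 and the profile stays put.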