I have discovered the following profiling issue in regards to the frequent WiFi disconnects and reauths that has been plaguing our environment since July 2016. The root cause appears to be the ISE profiler is changing Identity Group profiles constantly based on user-agent attribute matching in the Profile Policies. This became an issue when IOS 10 and some late versions of IOS 9 started including “like Mac OS X” statements that are picked up in the User-Agent Attributes when a browser is launched. This introduced the ability for Apple mobile devices like iPhones and iPads to match profile OS_X-Workstation and forces an CoA event to reauth. This really gets out of hand when the user launches another App like the App Store that changes the User-Agent attributes to match back to Apple-iPhone profile causing another CoA reauth. This can easily toggle back and forward, creating havoc on reauth’s as I have recreated in my testing.
Example:
I connect an iPhone to WiFi and it profiles as Identity Group Apple-iPhone based on the following Profile Policies
| Attribute | Value |
|---|
| Attribute:User-Agent | value:iPhone8,2/10.0.2 (14A456) |
| Identity Group | Certainity Factor | Rule |
|---|
| Apple-Device | 10 | MAC:OUI CONTAINS Apple |
| Apple-iPhone | 20 | IP:User-Agent CONTAINS iPhone |
| Total | 30 | |
I then launch browser on the iPhone and the Identity Group changes to OS_X-Workstation based on the following Profile Policies forcing CoA event Reauth.
| Attribute | Value |
|---|
| Attribute:User-Agent | value:Mozilla/5.0 (iPhone\; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1 |
| Identity Group | Certainity Factor | Rule |
|---|
| Workstation | 20 | IP:User-Agent CONTAINS Mac OS X |
| Macintosh-Workstation | 10 | IP:User-Agent CONTAINS Mac |
| OS_X-Workstation | 20 | IP:User-Agent CONTAINS Mac OS X |
| Total | 50 | |
If I launch the App-Store on the iPhone, the Identity Group changes back to Apple-iPhone based on the following Profile Policies forcing CoA event Reauth.
| Attribute | Value |
|---|
| Attribute:User-Agent | value:AppStore/2.0 iOS/10.0.2 model/iPhone8,2 hwp/s8000 build/14A456 (6\; dt:121) |
| Identity Group | Certainity Factor | Rule |
|---|
| Apple-Device | 10 | MAC:OUI CONTAINS Apple |
| Apple-iPhone | 20 | IP:User-Agent CONTAINS iPhone |
| Total | 30 | |
The only resolution I have found was to modify the Profile Policies to either:
- Increase Certainty value of an iPhone matching rule to supersede that of the OS_X-Workstation.
- Create additional unambiguous rules to match like (User-Agent CONTAINS Mobile) to supersede the OS_X-Workstation profile.
I believe it would benefit to match Profile Rules based on other devices attributes that are more reliable than the User-Agent attributes that can change and be unpredictable. Here are some of the other User-Agent values I get for iPhone and iPad.
iPhone User-Agent:
value:Mozilla/5.0 (iPhone\; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1
value:AppStore/2.0 iOS/10.0.2 model/iPhone8,2 hwp/s8000 build/14A456 (6\; dt:121)
value:server-bag [iPhone OS,10.0.2,14A456,iPhone8,2]
value:iPhone8,2/10.0.2 (14A456)
value:AppleNewsWidget/608.0.1 Version/1.0.1
iPad User-Agent:
value:AppleCoreMedia/1.0.0.13G36 (iPad\; U\; CPU OS 9_3_5 like Mac OS X\; en_us)
value:Mozilla/5.0 (iPad\; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36
Thanks,
Ricky Gomez
