Mobile Devices bypass for Client provisioning on ISE 2.4

deshmukh
Level 1

Hello, 

We are using ISE 2.4 (patch 5) for our guest portal setup. We have set up a self-registered Guest_portal with an alternate Employee_login_portal using SAML login credentials. We have enabled client provisioning for the Employee_login_portal using the Cisco Temporal agent. For Windows and Macs, we are able to posture check using the temporal agent, except for mini/pseudo browsers (which fail the posture check). For phones, the device security check fails and we aren't able to figure out a way to bypass the client provisioning page. We want the users to see the same landing page they see when they log in via a laptop, which lets them enter their credentials.

I have tried the following: 

Cisco support advised us to create duplicate portals for mobile devices without client provisioning, enable the feed profiler, enable profiling on the WLAN on the Cisco WLC, create a Mobile Devices logical profile containing apple-device and android, and map an authorization profile for mobile devices that sends them to the mobile_device_portal.

Problem: Initially, be it a MacBook, iPhone or iPad, ISE profiles it as apple-device, and all devices go to the mobile devices portal rather than the guest_portal. Same issue with Android: it gets detected as linux-workstation. Eventually, after logging in or creating credentials, ISE is able to determine it's OSX_workstation or Apple_iPhone. But it's too late: neither does the authorization profile change, nor does the mini-browser on the mobile device refresh to reflect the change.

Any help is much appreciated. 

Accepted Solution

Possible reason the endpoints are not being identified is that the posture update hasn't been done. I suggest making sure the posture update has been done recently so ISE identifies the endpoints properly.

5 Replies

paul
Level 10

You should only be sending iPads, iPhones, etc. to the mobile portal, not Apple-Devices, but you have two problems:

1. In order for ISE to profile a device as an iPad/iPhone, ISE most likely needs to collect the User Agent. It will collect the user agent as soon as the user hits the portal.
2. CoA on reprofile is currently broken. It will be fixed when Patch 6 comes out for 2.4.

So even if you got #1 working right, your solution may not work because of #2. I have done a similar trick in the past, when CoA on reprofile worked.

Thanks Paul for bringing up the CoA reprofile issue. I had a quick chat with a Cisco rep and they think that even if CoA reprofile is fixed, it wouldn't help my case, as CoA reprofile doesn't work on a "redirect" authorization policy.
For example:
An Apple device's initial connection hits the redirect policy for "Any devices"; but if it's identified as an Apple mobile device, then it should hit the redirect policy to land on the "mobile device portal". This is in general not something CoA reprofile is capable of doing on the Guest portal.
I appreciate your reply and helping me go in the right direction.
Thanks,
Andy

howon
Cisco Employee

Have you considered using the option below to exempt unsupported devices? You need to set it to Compliant:

[Screenshot: Screen Shot 2019-02-08 at 2.13.33 PM.png]

Hi howon,
Yes, the posture status is set to Compliant, and I believe ISE is unable to identify whether the device is unsupported in order to exempt it from the posture check.
Thanks,
Andy