
Android ISE Policy Set Condition "Session Device-OS contains/equals android" fails

Scott Gillies
Level 1

I have a BYOD setup which requires a separate rule for Android devices due to the need to apply a separate ACL to allow it access to Google Play to obtain the SPW/NSP software.

 

The following are 2 rules in the order they would be checked

 

RULE 1:

Android BYOD Login

If         Wireless_MAB

           AND Airespace-Wlan-ID Equals 4

           AND Session Device-OS contains Android

Then       Cisco_WebAuth + Google ACL

 

RULE 2:

Any Device BYOD Login:

If         Wireless_MAB

           AND Airespace-Wlan-ID Equals 4

Then       Cisco_WebAuth + CWA-Redirect ACL

 

All Android devices never pass RULE 1 but always pass RULE 2

 

I have changed the condition to 'EQUALS Android' which fails

I have also substituted the Device-OS to iOS and it fails

I have checked the Identities Endpoints and the devices are listed with the correct operating system profile

 

Can anyone tell me what is wrong?

2 Replies

Scott Gillies
Level 1

Also

Running ISE 2.4 on Patch 10

I don't think that "Session:Device-OS" would be an attribute that is populated during MAB authentication. I believe that comes in part from the user string that the device sends when it authenticates to your BYOD portal (this happens after the initial MAB authentication). You could try something like EndPoints:OperatingSystem contains Android or EndPoints:EndPointPolicy Contains Android.

If that doesn't work, you could figure out an attribute to key off of by running an endpoint debug (Operations, Diagnostic Tools) on an Android device that is connecting to your open SSID for the first time. The debug will contain all initial attributes that are passed during that first MAB auth, and you can try to find the correct attribute out of that.
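
The reply's explanation as a small first-match model, added here as an illustration; it is not ISE code and not part of the thread. It assumes, as the reply suggests, that Session:Device-OS is absent from the initial MAB request while the profiled endpoint record is available; the helper names, the `Wireless_MAB` flag and all attribute values are constructed.

```python
# Simplified first-match model of the two authorization rules in the question.
# Not ISE code: helper names and attribute values are constructed assumptions.

def cond_true(attrs, name, op, value):
    """A condition on an attribute that is absent from the request is false."""
    actual = attrs.get(name)
    if actual is None:
        return False
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unsupported operator: {op}")

def evaluate(rules, attrs):
    """Return the name and result of the first rule whose conditions all hold."""
    for name, conditions, result in rules:
        if all(cond_true(attrs, *c) for c in conditions):
            return name, result
    return None, None  # no rule matched

def build_rules(android_condition):
    """RULE 1 and RULE 2 from the question, with RULE 1's OS condition swappable."""
    # Wireless_MAB is a compound condition in ISE; modelled here as one flag.
    wlan = [("Wireless_MAB", "equals", "true"), ("Airespace-Wlan-ID", "equals", "4")]
    return [
        ("Android BYOD Login", wlan + [android_condition], "Cisco_WebAuth + Google ACL"),
        ("Any Device BYOD Login", wlan, "Cisco_WebAuth + CWA-Redirect ACL"),
    ]

# Constructed attributes for the first MAB request from a profiled Android phone.
# Session:Device-OS is missing here (assumption taken from the reply).
MAB_REQUEST = {
    "Wireless_MAB": "true",
    "Airespace-Wlan-ID": "4",
    "EndPoints:EndPointPolicy": "Android",
}

ORIGINAL = build_rules(("Session:Device-OS", "contains", "Android"))
SUGGESTED = build_rules(("EndPoints:EndPointPolicy", "contains", "Android"))

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, MAB_REQUEST))
    print("suggested:", evaluate(SUGGESTED, MAB_REQUEST))
```

Under this model the original RULE 1 is skipped because its third condition references an attribute the request does not carry, so evaluation falls through to RULE 2, which is the behaviour described in the question.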