10-15-2020 06:53 AM
I am wondering if there is a way to send additional attributes from a Cisco 9800 WLC to our ISE server so that it can accurately profile a mobile endpoint? The issue is that I have mobile devices, for example an iPhone, that an employee is using their AD creds to connect to an SSID. The problem is that ISE doesn't recognize the device as an Apple-Device because the iPhone has a security setting where it changes its own wireless MAC OUI. Is there any other way I can isolate mobile devices to block this behavior? I do notice that the phone device name does say iPhone. I am wondering if I can somehow send that to ISE to "re-profile" it?
10-15-2020 05:49 PM
The best method to profile wireless Apple endpoints is based on the HTTP user-agent string. You could create a custom Profiling Condition and Policy based upon hostname, but that will no longer work if the user changes the hostname on their personal devices. See the In Depth Look Into Client Profiling on 9800 Wireless LAN Controller document for more information on the Profiling capabilities of the 9800 WLC. If the Apple device is randomising the MAC Address, you will likely need to modify the Profiling Policies such that the more specific user-agent based policies do not rely on the higher-level Apple MAC OUI match.
Keep in mind that Profiling is just a best guess based on the info provided to the network by the endpoint. If you need a stricter approach, you should consider forcing certificate enrolment via ISE or an MDM prior to allowing network access for BYOD endpoints.
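To show the policy structure the answer recommends (a specific user-agent condition that does not depend on the Apple MAC OUI parent match), here is an added Python example; it is not Cisco ISE or 9800 code, and the OUI table, profile names and user-agent strings are constructed samples:

```python
"""Classify a wireless endpoint the way an ISE profiling policy would,
without relying on the Apple OUI when the client randomises its MAC.
Added example, not Cisco ISE or WLC code; all data below is constructed."""
import re

# Constructed sample OUI table (first three octets -> vendor).
OUI_TABLE = {"3C:22:FB": "Apple", "F0:18:98": "Apple"}

# Constructed profile names keyed by the user-agent token that selects them.
DEVICE_PROFILES = {"iPhone": "Apple-iPhone", "iPad": "Apple-iPad",
                   "iPod": "Apple-iPod", "Macintosh": "Apple-MacBook"}
APPLE_UA = re.compile(r"\b(iPhone|iPad|iPod|Macintosh)\b")


def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case colon-separated; reject malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac: str) -> bool:
    """A randomised (private) MAC sets the U/L bit (bit 1) of the first octet,
    so its first three octets are not a vendor OUI at all."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def oui_vendor(mac: str):
    """Vendor from the OUI, or None when the address is locally administered."""
    m = normalize_mac(mac)
    return None if is_locally_administered(m) else OUI_TABLE.get(m[:8])


def profile_endpoint(mac: str, user_agent: str = "") -> dict:
    """User-agent match is the specific condition and is evaluated first;
    the OUI match is only a fallback, so a randomised MAC does not block it."""
    randomised = is_locally_administered(mac)
    ua_match = APPLE_UA.search(user_agent)
    if ua_match:
        return {"profile": DEVICE_PROFILES[ua_match.group(1)],
                "basis": "http-user-agent", "mac_randomised": randomised}
    vendor = oui_vendor(mac)
    if vendor:
        return {"profile": f"{vendor}-Device", "basis": "mac-oui",
                "mac_randomised": False}
    return {"profile": "Unknown", "basis": "none", "mac_randomised": randomised}
```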