Configure ISE to restrict BYOD devices connecting to SSID

ryan14
Level 1

I am wondering if there is a way to send additional attributes from a Cisco 9800 WLC to our ISE server so that it can accurately profile a mobile endpoint? The issue is that I have mobile devices, for example an iPhone, that an employee is using their AD creds to connect to an SSID. The problem is that ISE doesn't recognize the device as an Apple-Device because the iPhone has a security setting where it changes its own wireless MAC OUI. Is there any other way I can isolate mobile devices to block this behavior? I do notice that the phone device name does say iPhone. I am wondering if I can somehow send that to ISE to "re-profile" it?

Accepted Solution

Greg Gibbs
Cisco Employee

The best method to profile wireless Apple endpoints is based on the HTTP user-agent string. You could create a custom Profiling Condition and Policy based upon hostname, but that will no longer work if the user changes the hostname on their personal devices. See the In Depth Look Into Client Profiling on 9800 Wireless LAN Controller document for more information on the Profiling capabilities of the 9800 WLC. If the Apple device is randomising the MAC Address, you will likely need to modify the Profiling Policies such that the more specific user-agent based policies do not rely on the higher-level Apple MAC OUI match.

Keep in mind that Profiling is just a best guess based on the info provided to the network by the endpoint. If you need a stricter approach, you should consider forcing certificate enrolment via ISE or an MDM prior to allowing network access for BYOD endpoints.

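To make the accepted answer concrete, here is an added illustration (not code from the thread, from Cisco ISE, or from the 9800 WLC) of why a profiling hierarchy that is gated on the Apple OUI fails for a phone using a private Wi-Fi address, and how a policy that lets the user-agent condition stand on its own still classifies it. A randomised 802.11 address sets the locally-administered bit (0x02) in its first octet, so it never carries a registered vendor OUI; the OUI table, the policy names and the sample MAC, user-agent and hostname values below are all constructed for the example.

```python
"""Toy ISE-style endpoint profiler: OUI-gated hierarchy vs. user-agent-first.
Illustrative only; the policy names mirror common ISE profiles but nothing
here is ISE's own logic."""
import re
from dataclasses import dataclass

# Stand-in for the IEEE OUI registry (constructed, a few Apple prefixes only).
OUI_VENDORS = {"3C:22:FB": "Apple", "F0:18:98": "Apple", "A4:83:E7": "Apple"}

UA_IPHONE = re.compile(r"\biPhone\b")
UA_IPAD = re.compile(r"\biPad\b")
UA_APPLE = re.compile(r"Mac OS X|Macintosh|iPhone|iPad|Darwin")
HOST_IPHONE = re.compile(r"iphone", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'AA-BB-...' forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Private/randomised Wi-Fi addresses set the U/L bit (0x02) of octet 0,
    which is why an OUI lookup on them can never match a vendor."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


def oui_vendor(mac: str):
    """Vendor for the first three octets, or None if unregistered/randomised."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8])


@dataclass
class Evidence:
    """What the WLC can forward to the profiler for one endpoint."""
    mac: str
    user_agent: str = ""
    hostname: str = ""


def profile_oui_gated(ev: Evidence) -> str:
    """Stock-style hierarchy: child policies only run once the parent
    (Apple OUI) matched, so a randomised MAC short-circuits to Unknown."""
    if oui_vendor(ev.mac) != "Apple":
        return "Unknown"
    if UA_IPHONE.search(ev.user_agent):
        return "Apple-iPhone"
    if UA_IPAD.search(ev.user_agent):
        return "Apple-iPad"
    return "Apple-Device"


def profile_ua_first(ev: Evidence) -> tuple:
    """Modified policy: user-agent conditions no longer depend on the OUI.
    Returns (profile, evidence-used); hostname is only a weak last resort."""
    if UA_IPHONE.search(ev.user_agent):
        return "Apple-iPhone", "user-agent"
    if UA_IPAD.search(ev.user_agent):
        return "Apple-iPad", "user-agent"
    if UA_APPLE.search(ev.user_agent) or oui_vendor(ev.mac) == "Apple":
        return "Apple-Device", "user-agent or OUI"
    if HOST_IPHONE.search(ev.hostname):
        # The user can rename the phone at any time, so this is a hint only.
        return "Apple-iPhone", "hostname (weak: user-editable)"
    return "Unknown", "no match"


# Constructed samples: a private (randomised) address and a burned-in one,
# both presenting an iPhone Safari user-agent string.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")
RANDOMISED = Evidence("DA:1B:2C:3D:4E:5F", IPHONE_UA, "Ryans-iPhone")
BURNED_IN = Evidence("3C:22:FB:12:34:56", IPHONE_UA, "Ryans-iPhone")

if __name__ == "__main__":
    for ev in (RANDOMISED, BURNED_IN):
        print(f"{ev.mac}: locally-administered={is_locally_administered(ev.mac)} "
              f"oui-gated={profile_oui_gated(ev)} "
              f"ua-first={profile_ua_first(ev)}")
```

Running it shows the randomised address classified as Unknown by the OUI-gated hierarchy and as Apple-iPhone by the user-agent-first policy, while the burned-in address is Apple-iPhone under both. The `is_locally_administered` check is also a cheap way to flag, in your own reporting, which endpoints will never profile by OUI; as the answer notes, none of this is stronger than a best guess, and a certificate issued through ISE BYOD or an MDM is what actually binds a device to an identity.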