ryan14
Beginner

Configure ISE to restrict BYOD devices connecting to SSID

I am wondering if there is a way to send additional attributes from a Cisco 9800 WLC to our ISE server so that it can accurately profile a mobile endpoint? The issue is that I have mobile devices, for example an iPhone, that an employee is using their AD creds to connect to an SSID. The problem is that ISE doesn't recognize the device as an Apple-Device because the iPhone has a security setting where it changes its own wireless MAC OUI. Is there any other way I can isolate mobile devices to block this behavior? I do notice that the phone device name does say iPhone. I am wondering if I can somehow send that to ISE to "re-profile" it?

Accepted Solution
Greg Gibbs
Cisco Employee

The best method to profile wireless Apple endpoints is based on the HTTP user-agent string. You could create a custom Profiling Condition and Policy based upon hostname, but that will no longer work if the user changes the hostname on their personal devices. See the In Depth Look Into Client Profiling on 9800 Wireless LAN Controller document for more information on the Profiling capabilities of the 9800 WLC. If the Apple device is randomising the MAC Address, you will likely need to modify the Profiling Policies such that the more specific user-agent based policies do not rely on the higher-level Apple MAC OUI match.

Keep in mind that Profiling is just a best guess based on the info provided to the network by the endpoint. If you need a stricter approach, you should consider forcing certificate enrolment via ISE or an MDM prior to allowing network access for BYOD endpoints.

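To make the accepted answer's point concrete, here is an added example (not code from Cisco, ISE or either poster) that models ISE-style certainty-factor profiling in a few dozen lines of Python. It is a toy model of the policy hierarchy, not the real ISE engine; the OUI set, the MAC addresses and the user-agent strings are constructed sample data. The first policy set makes the Apple-iPhone policy depend on a parent Apple-Device policy that matches only on MAC OUI, so a phone using a private (randomised) address falls through to Unknown. The second set gives the parent policy a user-agent condition as well, which is the restructuring the answer recommends. It also includes the locally-administered-bit check that tells you a client is presenting a randomised address in the first place, which is useful when auditing why endpoints land in Unknown.

```python
"""Toy model of ISE-style endpoint profiling: certainty-factor rules in a parent/child hierarchy.

Added example, not the ISE profiler. OUIs, MACs and user-agent strings below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the IEEE OUI table ISE ships with (lower-case, colon-separated).
APPLE_OUIS = {"3c:22:fb", "f0:18:98"}


@dataclass
class Endpoint:
    mac: str
    user_agent: str = ""
    hostname: str = ""


@dataclass
class Policy:
    name: str
    min_certainty: int                      # threshold the summed certainty must reach
    conditions: List[Tuple[str, Callable[[Endpoint], bool], int]]
    parent: Optional[str] = None            # child only matches if its parent matches


def oui(mac: str) -> str:
    return mac.lower()[:8]


def is_randomized_mac(mac: str) -> bool:
    """iOS/Android private Wi-Fi addresses set the locally administered bit (0x02) of octet 0."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def score(ep: Endpoint, pol: Policy) -> int:
    """Sum the certainty factors of every condition that matches, like ISE's total certainty."""
    return sum(cf for _, pred, cf in pol.conditions if pred(ep))


def profile(ep: Endpoint, policies: List[Policy]) -> str:
    """Return the most specific matching policy name, or 'Unknown' if none match."""
    by_name = {p.name: p for p in policies}

    def matches(p: Policy) -> bool:
        if score(ep, p) < p.min_certainty:
            return False
        return p.parent is None or matches(by_name[p.parent])

    def depth(p: Policy) -> int:
        d = 0
        while p.parent:
            p, d = by_name[p.parent], d + 1
        return d

    matched = [p for p in policies if matches(p)]
    return max(matched, key=depth).name if matched else "Unknown"


IPHONE_UA = re.compile(r"iPhone;.*OS \d+_\d+", re.I)
APPLE_UA = re.compile(r"(iPhone|iPad|Macintosh)", re.I)

# Policy set 1: the iPhone policy inherits from an Apple-Device policy that only trusts the OUI.
OUI_ONLY = [
    Policy("Apple-Device", 10, [("apple-oui", lambda e: oui(e.mac) in APPLE_OUIS, 10)]),
    Policy("Apple-iPhone", 20, [("iphone-ua", lambda e: bool(IPHONE_UA.search(e.user_agent)), 20)],
           parent="Apple-Device"),
]

# Policy set 2: the parent also accepts an Apple user-agent, so a randomised MAC no longer blocks it.
UA_AWARE = [
    Policy("Apple-Device", 10, [("apple-oui", lambda e: oui(e.mac) in APPLE_OUIS, 10),
                                ("apple-ua", lambda e: bool(APPLE_UA.search(e.user_agent)), 10)]),
    Policy("Apple-iPhone", 20, [("iphone-ua", lambda e: bool(IPHONE_UA.search(e.user_agent)), 20)],
           parent="Apple-Device"),
]

UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15"  # constructed
REAL_IPHONE = Endpoint("3c:22:fb:aa:bb:cc", UA, "Alices-iPhone")      # burned-in Apple OUI
PRIVATE_IPHONE = Endpoint("da:11:22:33:44:55", UA, "Alices-iPhone")   # private Wi-Fi address

if __name__ == "__main__":
    for ep in (REAL_IPHONE, PRIVATE_IPHONE):
        print(f"{ep.mac} randomised={is_randomized_mac(ep.mac)} "
              f"oui-only={profile(ep, OUI_ONLY)} ua-aware={profile(ep, UA_AWARE)}")
```

Running it shows the burned-in address profiling as Apple-iPhone under both policy sets, while the private address is Unknown under the OUI-dependent set and Apple-iPhone once the parent policy also accepts the user-agent. The same locally-administered-bit test is a cheap way to count how many of your "Unknown" wireless endpoints are simply randomising.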
