Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1392
Views
5
Helpful
5
Replies

iphone profiled as Cisco-Switch based on nmapOSscan

ben.posner
Level 1
Level 1

‎12-17-2019 08:13 AM

any idea why i have iPhones being profiled as Cisco-Switches???

 

MAC Address: 2C:33:61:8B:87:BB
Username: xxx.x.xxx
Endpoint Profile: Apple-iPhone
Current IP Address: 1.2.3.4
Location: SOPS

Applications
Attributes
Authentication
Threats
Vulnerabilities

General Attributes
Description
Static Assignment true
Endpoint Policy Apple-iPhone
Static Group Assignment false
Identity Group Assignment Apple-iPhone
Custom Attributes
Attribute String
Attribute Value



No data found. Add custom attributes here.
Other Attributes
AAA-Server PSN
AllowedProtocolMatchedRule Dot1X
AuthenticationIdentityStore GRANITE
AuthenticationMethod MSCHAPV2
AuthorizationPolicyMatchedRule MDM
BYODRegistration Unknown
Called-Station-ID WAP:SSID
Calling-Station-ID 2c-33-61-8b-87-bb
DTLSSupport Unknown
DestinationIPAddress 1.2.3.4
Device Type Device Type#All Device Types#WLC
DeviceCompliance Compliant
DeviceRegistrationStatus NotRegistered
ElapsedDays 0
EndPointPolicy Apple-iPhone <- I forced this to get the device onto the wifi
EndPointProfilerServer PSN
EndPointSource NMAP Probe
FQDN Users-Phone.domain.invalid
FailureReason -
Framed-IP-Address 1.2.3.4
IdentityGroup Apple-iPhone
InactiveDays 0
LastNmapScanTime 2019-Dec-17 10:39:18 EST
Location Location#All Locations#Campus
LogicalProfile Apple-iDevices,Mobile Devices,Apple-iDevices
MACAddress 2C:33:61:8B:87:BB
MDMCompliant true
MDMDiskEncrypted false
MDMEnrolled true
MDMImei xxxx
MDMJailBroken false
MDMManufacturer Apple
MDMModel iPhone 7
MDMOSVersion iOS 13
MDMPhoneNumber xxxx
MDMPinLockSet true
MDMSerialNumber xxxx
MDMServerName Maas360
MDMServerReachable true
MDMUpdateTime 1576596257968
MatchedPolicy Cisco-Device
MessageCode 3000
NAS-IP-Address 10.10.10.245
NAS-Port-Type Wireless - IEEE 802.11
NetworkDeviceName WLC
NmapScanCount 1
OUI Apple, Inc.
PhoneID xxxx
PhoneIDType UDID
PolicyVersion 66
PostureApplicable Yes
SelectedAuthorizationProfiles WLAN FULL ACCESS
StaticAssignment true
StaticGroupAssignment false
Total Certainty Factor 10
User-AD-Last-Fetch-Time 1576596258860
User-Fetch-Department DRA
User-Fetch-Email xxxx
User-Fetch-First-Name xxx
User-Fetch-Last-Name xxx
User-Fetch-User-Name xxx
User-Name xxx
host-name xxxx
ip 1.2.3.4
operating-system Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)
operating-system-result Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)

 

 

0 Helpful
5 Replies 5

Mike.Cifelli
VIP Alumni
VIP Alumni

‎12-17-2019 09:04 AM

The default out of the box 'Cisco-Device' policy is setup to perform an OS-scan via the configured NMAP action. The OS-scan performs tcp/udp fingerprinting to determine its results. My suggestion would be to either change the action to NONE to see if that changes your profiled result. Or even better would be to create your own policies with a higher MCF to ensure that your byod devices/corporate apple devices get profiled based on attributes that you wish to profile on.
0 Helpful

ben.posner
Level 1
Level 1
In response to Mike.Cifelli

‎12-17-2019 10:00 AM

okay i can see why it was profiled as such based on the nmap scan result.

so now i'd like to know why the nmapOSscan thinks the iphone is a Nexus OS device. where can i see the results of that scan? and why on earth would it get that kind of result? i mean this is the 10th or 11th iteration of this product and it still isn't profiling things properly. and it's not like this was a brand new phone or something, this is an iphone7.

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to ben.posner

‎12-17-2019 10:31 AM

I would suggest taking a look here as it will aide in answering additional questions:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
As I mentioned earlier, I personally prefer building out my own profiles with higher MCF in an attempt to alleviate issues such as the one you have identified.
0 Helpful

andrewswanson
Level 7
Level 7
In response to ben.posner

‎12-17-2019 02:01 PM

Hi

Have a look at bug CSCuz62668 (ISE NMAP probe profiles iPad and iPhone as Cisco-Device).

 

It is listed as fixed but doesn't give a fixed release version.

 

Also, other thread with same issue is below:

https://community.cisco.com/t5/identity-services-engine-ise/ise-device-profiling-nmap-os-detected/m-p/3749177

 

hth

Andy

gerald.scott
Level 1
Level 1
In response to ben.posner

‎12-17-2019 05:40 PM

Per the bug ID that @andrewswanson mentioned, it is recommended to disable the NMAP OS scan for apple devices.  I had to do this in my ISE 2.4 P9 environment for a different issue, and Apple devices on my wireless network still get profiled properly due to the User-Agent attribute being passed.  Unfortunately, the User-Agent is only passed via wireless and not the hard line, but it avoids mis-classification of apple devices caused by NMAP scans.

0 Helpful
Customers Also Viewed These Support Documents