05-18-2012 02:13 PM - edited 03-10-2019 07:06 PM
I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled and, if they match a device type (iPhone, Android), they are allowed access to the internet without AUP or authentication, and all other device types (including unknown) are redirected to the guest portal for authentication. My configuration works when devices are correctly profiled; the issue is that it appears the RADIUS probes are the only profiling components working on the guest side. Devices are being correctly profiled on the corp network segment. The key profiling components I need to get a match on iPhone are DHCP and HTTP user agent. Without those, all iPhones are categorized as an Apple device and not iPhone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC. The ISE is on a separate LAN from the guest, and right now I am only allowing DNS and 8443 through the ASA. I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection, because it will not relay the request to 2 servers; it just uses a secondary if the primary is unreachable.
Can someone point me in the right direction? I believe my Authentication, Authorization, Identity Source Sequence, etc. configuration is correct, but I can post additional details if necessary. My main issue is the profiling probes and getting them working correctly on the guest LAN.
05-25-2012 12:32 AM
Could you check if profiled iDevices are being put in their respective group through the profiling policy?
By default, they are put in the parent group. Make sure you tick the box to create the corresponding endpoint group for those profiles.
06-16-2012 01:13 PM
Yes, we created matching identity groups for all the devices that we wanted profiling policies for. The issue was with getting profiling like DHCP, DNS, HTTP user agent, etc. to work without authentication. We settled for an NMAP scan to get the results we desired.
06-14-2012 05:48 PM
Did you ever get this resolved? I need to accomplish the same thing.
06-16-2012 01:06 PM
What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple. So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice. This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.
We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type. In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.
Hope that helps.
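A simplified model of the workaround described in the post above, added here as an illustration (not ISE's own code or an exported ISE policy): a parent profile is matched on the MAC OUI alone, a child profile needs finer probe data, and a network scan is requested only while the endpoint is stuck at the parent level. The profile names, attribute names, certainty weights and sample probe values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Profile:
    name: str
    parent: Optional[str]
    min_cf: int                               # minimum certainty to match this profile
    rules: List[Tuple[str, str, int]]         # (probe attribute, substring, certainty added)

# Constructed profile hierarchy (parents listed before their children).
PROFILES = [
    Profile("Apple-Device", None, 10, [("oui", "Apple", 10)]),
    Profile("Apple-iPhone", "Apple-Device", 20, [("dhcp-host-name", "iPhone", 20),
                                                ("http-user-agent", "iPhone", 20),
                                                ("nmap-os", "iPhone", 20)]),
    Profile("Apple-iPad", "Apple-Device", 20, [("http-user-agent", "iPad", 20),
                                              ("nmap-os", "iPad", 20)]),
]
PARENT = {p.name: p.parent for p in PROFILES}
SMARTPHONES = {"Apple-iPhone"}                # profiles allowed straight to the internet

def depth(name: str) -> int:
    return 0 if PARENT[name] is None else 1 + depth(PARENT[name])

def certainty(profile: Profile, attrs: dict) -> int:
    """Sum the certainty of every rule whose substring appears in the collected attribute."""
    return sum(cf for attr, needle, cf in profile.rules
               if needle.lower() in attrs.get(attr, "").lower())

def classify(attrs: dict) -> str:
    """Most specific profile whose threshold is met and whose parent also matched."""
    matched = set()
    for p in PROFILES:
        if (p.parent is None or p.parent in matched) and certainty(p, attrs) >= p.min_cf:
            matched.add(p.name)
    return max(matched, key=depth) if matched else "Unknown"

def needs_scan(profile: str, attrs: dict) -> bool:
    """The thread's workaround: a parent-only match with no scan result yet triggers NMAP."""
    return profile == "Apple-Device" and "nmap-os" not in attrs

def authorize(profile: str) -> str:
    return "PERMIT_INTERNET" if profile in SMARTPHONES else "REDIRECT_GUEST_PORTAL"

if __name__ == "__main__":
    # Constructed probe data: on the guest SSID only the RADIUS/MAC-filtering probe fires,
    # so the endpoint carries nothing but its OUI and lands on the parent profile.
    seen = {"oui": "Apple, Inc."}
    prof = classify(seen)
    print(prof, authorize(prof), needs_scan(prof, seen))   # Apple-Device REDIRECT_GUEST_PORTAL True
    seen["nmap-os"] = "Apple iOS 5 (iPhone)"             # constructed network-scan result
    prof = classify(seen)
    print(prof, authorize(prof))                           # Apple-iPhone PERMIT_INTERNET
```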
06-16-2012 12:50 PM
Please take a look at release 7.2.110. New profiling options are available on the "Advanced" tab of the wifi profile.
Hope that helps.
06-16-2012 01:15 PM
We are running 7.2.103.0 at the moment. I will take a look at 7.2.110.0. Thanks.
06-23-2012 03:38 AM
It's quite unfortunate that WLC does not send DHCP option 55 on the profiling interim accounting messages.
08-21-2012 06:58 AM
Jeff,
Could you post a screenshot of that rule for iDevices?
So basically you can tell if it's an iPhone without a DHCP/HTTP rule?
Thanks