cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1964
Views
0
Helpful
2
Replies

ISE and Android Profiling

James Smith
Level 1
Level 1

G'day All,

I am building a wireless ISE solution that will service laptops (windows and OSX) via posture assessment, and mobile devices such as iphone, ipad and android.

I looking for help with the profiling of the android devices. I am using the profiler radius and HTTP probes, the radius probe appears to be sufficient for the laptops and the iphone/ipads.

HTTP has been introduced for the Androids as the radius probe wasn't receiving the user agent string from all the test android devices, for example a Samsung Galaxy S3 phone would send the user agent string and be profiled correctly, where as a Samsung Note 10.1 tablet wouldn't send the user agent string, so would be profiled as an unknown device.

I was attempting to keep it as seamless as possible for the end user. So I am not using device registrations, supplicant provisioning, etc. Obviously the posture assessment process isn't exactly semless, but once the users have downloaded the NAC client, etc, it is pretty seamless from a user interaction point of view, then on.

From the apple devices and the androids, I have an authorisation policy that says if the device is a profiled iphone/ipad/android, use CWA  and guest portal, users login via AD creadentials and accept the AUP and away they go. Some of the androids ignore this policy and then match on the policy for the laptops (posture assessment). Once connected and in posture pending status, the redirection to the NAC agent page fails, but the android is then profiled correctly via the HTTP probe. If I attempt to browse again, I get redirected to the guest portal via CWA as the devices has been profiled as an Android and the user can login, accept the AUP and away they go.

I'd love to hear from people who have implemented android profiling in the production environments, and how you have done it?

I am aware that not using device registrations/supplicant provision, etc isn't exactly validated design, but for the purpose of the Android profiling, it shouldn't be relevant.

I am presently using ise 1.1.3

Huge thanks in advanced guys, any assistance is always greatly appreciated.

Cheers,

JS

2 Replies 2

Tarik Admani
VIP Alumni
VIP Alumni

I have ran into this scenario also and I shy away from using the http profiling on the wireless device sensor because it causes issues with applications that fail to include the typr of device.

Have you checked the dhcp client identifier? I think the android has an android specific string so you may want to bump up the certaintity factor.


Sent from Cisco Technical Support Android App

mbilgrav
Level 3
Level 3

You should consider ISE 1.2 SP4
Mine just did andriod-samsung om the new Galaxy s4 mini ...

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: