07-08-2014 10:41 AM - edited 03-10-2019 09:51 PM
I have a customer who likes to deny access to any Android devices on its guest service. (The network has an anchor WLC, the authentication is set as LWA)
First I tried setting a simple AuthZ rule indicating "if Device-OS equals Android, then Deny Access"
Also tried setting a profiled group. Any device belonging to this Android devices group must be denied.
It appears the results were not consistent enough. On my first tests, a Galaxy smartphone was not allowed to pass after the AUP, but after some tries the user got access.
I think something may be missing in the config, as it appears the ISE is not recognizing the Device-OS. Any device is added to the profiled group.
Any ideas on how to troubleshoot and fix this requirement?
Regards
07-08-2014 02:17 PM
What do you have configured under "Administration > System > Settings > Profiling?" You should have CoA enabled and set to "Re-Auth"
Thank you for rating helpful posts!
07-09-2014 10:20 AM
Thank you, I will check on site next week. I'm thinking of validating and testing the profiling settings at both ISE and WLC.
Regards.
07-09-2014 10:53 AM
Sounds good. And good idea to check the profiling settings in the WLC. Keep us posted on the testing results.
07-17-2014 04:17 PM
I did a quick test enabling DHCP profiling on the WLAN in the WLC. I couldn't do extensive tests because DHCP appeared not to be working, so I needed to go back. I don't understand why enabling this option affects the DHCP functionality ...
Unfortunately I can't do extensive tests on the production network, so I would need to be sure about which parameters to change.
In lab (not the same environment to test) I have seen the ISE is able to identify a Galaxy smartphone as Samsung Device (by RADIUS probe), I guess by the OUI Endpoint, and some minutes later as Android (by DHCP probe) ... So, I wonder if it is possible to define a priority or preference over which probe applies first ...
In the ISE Endpoint details I found this
User-Agent Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
I guess this is where the ISE learns that the device is an Android, right?
Regards ...
07-17-2014 05:32 PM
How about my original question:
What do you have configured under "Administration > System > Settings > Profiling?" You should have CoA enabled and set to "Re-Auth"
Also:
- What version of code are you running on the WLC?
- All information from all of the probes is collected and evaluated at the same time. There isn't a probe setting to make one more preferred than the other. Instead, profiling rules with higher certainty factor are preferred against rules with lower certainty level.
- In the WLC, what do you have for DHCP settings both under the WLAN interface and under the "controller" tab for the DHCP proxy?
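
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from any poster or from ISE itself: probe data is merged as it arrives, the policy with the highest cumulative certainty factor wins, and an already-authorized session only picks up a profile change if CoA is set to "Reauth". Policy names follow the thread; the certainty-factor values, the DHCP class identifier and all function names are constructed assumptions.

```python
# Simplified model of profiling-driven authorization (added example).
# Policy names echo the thread; certainty-factor (CF) values and attribute
# matches are constructed for illustration, not copied from ISE.
POLICIES = {
    "Samsung-Device": {"min_cf": 10, "rules": [
        (lambda a: a.get("OUI", "").startswith("Samsung"), 10)]},
    "Android": {"min_cf": 30, "rules": [
        (lambda a: "android" in a.get("dhcp-class-identifier", "").lower(), 30),
        (lambda a: "Android" in a.get("User-Agent", ""), 30)]},
}

def profile(attrs):
    """Return the policy with the highest cumulative CF that meets its minimum."""
    best, best_cf = "Unknown", 0
    for name, pol in POLICIES.items():
        cf = sum(inc for cond, inc in pol["rules"] if cond(attrs))
        if cf >= pol["min_cf"] and cf > best_cf:
            best, best_cf = name, cf
    return best

def authorize(profile_name):
    """The rule from the question: deny Android, permit everything else."""
    return "DenyAccess" if profile_name == "Android" else "PermitAccess"

def run_session(events, coa_type):
    """Feed probe data in arrival order; return (probe, profile, result) per step."""
    attrs, timeline = {}, []
    current = profile(attrs)
    result = authorize(current)          # decision made at initial authentication
    for probe, data in events:
        attrs.update(data)               # all probe data is merged, no probe priority
        new = profile(attrs)
        if new != current and coa_type == "Reauth":
            result = authorize(new)      # CoA forces the session to be re-evaluated
        current = new
        timeline.append((probe, current, result))
    return timeline

# Constructed probe sequence modelled on the lab observation in the thread.
EVENTS = [
    ("RADIUS", {"OUI": "Samsung Electronics"}),
    ("DHCP", {"dhcp-class-identifier": "dhcpcd-5.2.10:Linux:android"}),
    ("HTTP", {"User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 Build/GINGERBREAD)"}),
]

if __name__ == "__main__":
    for coa in ("No CoA", "Reauth"):
        for step in run_session(EVENTS, coa):
            print(coa, step)
```

With "No CoA" the model leaves the session permitted even after the endpoint is reprofiled as Android; with "Reauth" the deny rule takes effect as soon as the DHCP data arrives.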