Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1888
Views
0
Helpful
5
Replies

ISE not profiling Iphone via VPN using ACIDEX

berossig
Cisco Employee
Cisco Employee

‎03-02-2020 12:10 PM

Hi,

i am facing challenge to profile iPhone when they connect via VPN (Anyconnect 4.8, ASA 9.12, ISE 2.6 patch 3).

i tried to create custom rules in order to profile iPhone when they connect but no luck so far.

I created a new Profiling Rule in ISE where I am looking for it as follow:

A screenshot of a cell phone Description automatically generated

Where the Condition matahc the mdm-tlv=device-platform=apple-ios and device-type “contains” iPhone as follow:

A close up of a device Description automatically generated

When I authenticate, I can see I am receiving the proper avPair during authentication:

A screenshot of a social media post Description automatically generated

 

I also checked my DAP policy on ASA, validated that it works and everything looks good except….. ISE is still not profiling the endpoint properly:

A screenshot of a cell phone Description automatically generatedAny idea

 

0 Helpful
5 Replies 5

Cristian Matei
VIP Alumni
VIP Alumni

‎03-02-2020 01:24 PM

Hi,

 

    Once authenticated, look at the endpoint in ISE database, and see what data do you have for it. First of all, see if the MAC address shows up, for some mobile devices, AnyConnect fails to pick up the MAC address and send it towards the ASA, which will send it towards ISE). Next, to get a good chance to profile it, you would need to additionally use the following and maybe tweak the profile settings:

       - assign IP addresses via DHCP so that ISE can get the hostname and DHCP client-identifier

       - run the user through a portal to grab the HTTP user agent

       - integrate your devices with MDM and have ISE read the data from there for better profiling

 

Regards,

Cristian Matei.

0 Helpful

berossig
Cisco Employee
Cisco Employee
In response to Cristian Matei

‎03-04-2020 04:52 AM

Thanks Christian,

MDM is not an option, nor the portal. i tried DHCP, but still nothing.

the Mac address of the iPhone is not passed by anyconnect due to the fact that iOS devices refuse any API calls to get the Mac address. but since i see the ACIDEX info such as 'device-platform' and 'device-type', i was hoping the profiling rule i created would catch it.

these are the AvPair once authenticated and authorized via VPN:

mdm-tlv=device-type=iPhone11,2,
mdm-tlv=device-phone-id=unknown,
mdm-tlv=device-platform=apple-ios,
mdm-tlv=device-platform-version=13.3.1,
mdm-tlv=device-uid=00008020-00166d121e02002e,
mdm-tlv=device-uid-global=00008020-00166d121e02002e,
mdm-tlv=ac-user-agent=AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.8.02046,

 

Any idea?

 

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to berossig

‎03-04-2020 06:31 AM

Hi,

 

     Yes, create your own custom profile by matching on those values and it should work.

 

Regards,

Cristian Matei.

0 Helpful

berossig
Cisco Employee
Cisco Employee
In response to Cristian Matei

‎03-04-2020 07:09 AM

Hi Cristian,

i did create the custom rule but no luck unfortunately. device is still not profiled, not even as apple-device.

i am running out of idea this is why i was hoping someone within the community was successful in profiling an Iphone via VPN.

thanks for the quick reply.


Regards,

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to berossig

‎03-05-2020 11:00 AM

Hi,

 

    I took a closer look to the values you get from the ASA via RADIUS. Without the MAC address being encoded, there is no profiling. You could still use those attributes as conditions in your authorization profile though.

   We wanted privacy, there you go, we received it, apps can no longer "read" the MAC address of the iOS device.

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents