ISE not profiling Iphone via VPN using ACIDEX

berossig
Cisco Employee

Hi,

I am facing a challenge to profile iPhones when they connect via VPN (AnyConnect 4.8, ASA 9.12, ISE 2.6 patch 3).

I tried to create custom rules in order to profile iPhones when they connect, but no luck so far.

I created a new profiling rule in ISE where I am looking for it as follows:

[screenshot]

Where the condition matches mdm-tlv=device-platform=apple-ios and device-type "contains" iPhone, as follows:

[screenshot]

When I authenticate, I can see I am receiving the proper AV pair during authentication:

[screenshot]

I also checked my DAP policy on the ASA and validated that it works; everything looks good except... ISE is still not profiling the endpoint properly:

[screenshot]

Any idea?

5 Replies

Cristian Matei
VIP Alumni

Hi,

Once authenticated, look at the endpoint in the ISE database and see what data you have for it. First of all, see if the MAC address shows up (for some mobile devices, AnyConnect fails to pick up the MAC address and send it towards the ASA, which would send it towards ISE). Next, to get a good chance to profile it, you would need to additionally use the following and maybe tweak the profile settings:

- assign IP addresses via DHCP so that ISE can get the hostname and DHCP client-identifier
- run the user through a portal to grab the HTTP user agent
- integrate your devices with MDM and have ISE read the data from there for better profiling

Regards,

Cristian Matei.

Thanks Cristian,

MDM is not an option, nor the portal. I tried DHCP, but still nothing.

The MAC address of the iPhone is not passed by AnyConnect because iOS devices refuse any API calls to get the MAC address. But since I see the ACIDEX info such as 'device-platform' and 'device-type', I was hoping the profiling rule I created would catch it.

These are the AV pairs once authenticated and authorized via VPN:

mdm-tlv=device-type=iPhone11,2,
mdm-tlv=device-phone-id=unknown,
mdm-tlv=device-platform=apple-ios,
mdm-tlv=device-platform-version=13.3.1,
mdm-tlv=device-uid=00008020-00166d121e02002e,
mdm-tlv=device-uid-global=00008020-00166d121e02002e,
mdm-tlv=ac-user-agent=AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.8.02046,

Any idea?

Hi,

Yes, create your own custom profile by matching on those values and it should work.

Regards,

Cristian Matei.

Hi Cristian,

I did create the custom rule, but no luck unfortunately. The device is still not profiled, not even as an Apple device.

I am running out of ideas; this is why I was hoping someone within the community had been successful in profiling an iPhone via VPN.

Thanks for the quick reply.


Regards,

Hi,

I took a closer look at the values you get from the ASA via RADIUS. Without the MAC address being encoded, there is no profiling. You could still use those attributes as conditions in your authorization profile, though.

We wanted privacy, there you go, we received it: apps can no longer "read" the MAC address of the iOS device.

Regards,

Cristian Matei.
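As an added illustration of the thread's conclusion (not code from the original posts or from Cisco): a small Python model that parses the mdm-tlv AV pairs quoted above, evaluates the custom rule condition from the first post (device-platform equals apple-ios and device-type contains iPhone), and shows why the rule can match yet profiling still fails when no MAC address arrives. It assumes that the MAC, when the client can supply one, would reach ISE in the RADIUS Calling-Station-Id attribute; the function names and the MAC-less sample are constructed for this example.

```python
import re

# Constructed sample: the AV pairs quoted in the thread. No Calling-Station-Id
# accompanies them, because AnyConnect on iOS cannot read the MAC address.
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-type=iPhone11,2",
    "mdm-tlv=device-phone-id=unknown",
    "mdm-tlv=device-platform=apple-ios",
    "mdm-tlv=device-platform-version=13.3.1",
    "mdm-tlv=ac-user-agent=AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.8.02046",
]

# Colon- or hyphen-separated MAC, e.g. 00:11:22:33:44:55 (assumed Calling-Station-Id form).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_mdm_tlv(avpairs):
    """Turn 'mdm-tlv=<name>=<value>' strings into a dict.

    Only the first '=' after the mdm-tlv prefix separates name from value, so
    values that themselves contain '=' or ',' (device-type 'iPhone11,2') survive.
    """
    attrs = {}
    for pair in avpairs:
        if not pair.startswith("mdm-tlv="):
            continue  # other Cisco-AVPair values are not ACIDEX data
        name, _, value = pair[len("mdm-tlv="):].partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def matches_iphone_rule(attrs):
    """The custom rule's condition: platform EQUALS apple-ios AND type CONTAINS iPhone."""
    return (attrs.get("device-platform") == "apple-ios"
            and "iPhone" in attrs.get("device-type", ""))


def classify(avpairs, calling_station_id=None):
    """Return (rule_matched, profiling_possible, reason) for one RADIUS session."""
    matched = matches_iphone_rule(parse_mdm_tlv(avpairs))
    has_mac = bool(calling_station_id and MAC_RE.match(calling_station_id))
    if matched and has_mac:
        return True, True, "MAC present: endpoint can be keyed and the rule applied"
    if matched:
        return True, False, "rule matches but no MAC: use the attributes in authorization policy instead"
    return False, has_mac, "rule does not match"
```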