ISE Profile iOS/Android devices using only RADIUS probe?

Hello!

I am running ISE 2.2 and I'm trying to create some AuthZ rules where the OS on the connecting device is to play a part. I am wondering if it is possible to somewhat decently profile iOS and Android devices when they are connecting using 802.1X (PEAP). I am having trouble hitting some of the built-in rules for Apple devices/Android devices, which I think is due to lack of information about the host.

Is there enough data in the packets during the EAP process for ISE to determine that it is an iOS or Android device connecting to the network? Since I am not using a web portal, and since DHCP takes place after the actual authentication, I am having trouble profiling new devices on the network when PEAP is used. I have no trouble profiling devices when those two other probes are used, since there is so much information to get from them (browser user agents, DHCP packets and so on).

I've been looking at some of the documentation for the RADIUS probe in ISE and I can't find anything in there that could help me profile the devices as they log on. The only relevant piece of information I can see being fed into ISE is the MAC address/OUI of the device, but it's probably not enough for ISE to make an educated guess.

Anyone got any good ideas how to make this happen?

Accepted Solution

zalkurdi (Cisco Employee)

Hello Jacob,

At the moment, the only way to profile an endpoint as an Apple iOS device or as an Android device is to utilize the user agent in the HTTP packet or the host-name attribute in the DHCP packet. If you open the pre-built profiling policy, you will see that those are the conditions to match those profiles.

RADIUS alone does not have the necessary information to profile the device on such a deep level.

In your case, if you do not use any portals, you will have to wait for the DHCP packet to reach ISE to make the decision. ISE cannot profile the device on the fly during the actual authentication; it needs time to gather information and make a decision about the kind of endpoint.

In your case, you can create a general AuthZ rule to allow limited access for an unknown endpoint. Once ISE receives the DHCP packets and profiles the device, it can send a CoA to reauthenticate the device and match the rule you already have.

Hope this helps.

Cheers,

Zaid Kurdi

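To make the flow in the accepted answer concrete, here is an added simulation (not Cisco code, and not the exact ISE policy logic) of how the attributes each probe contributes drive the profile and the AuthZ result, and when a CoA becomes necessary. The OUI table, the profile conditions (OUI for Apple-Device, DHCP host-name or HTTP User-Agent for Apple-iPhone/Android) and the rule names are simplified assumptions.

```python
from dataclasses import dataclass, field

# Constructed OUI table; ISE resolves vendors from the IEEE OUI database.
OUI_VENDOR = {"3C:22:FB": "Apple, Inc.", "F8:A9:D0": "LG Electronics"}

def _os_hint(attrs):
    # Only the DHCP host-name and the HTTP User-Agent carry an OS hint.
    return (attrs.get("dhcp-host-name", "") + " " + attrs.get("User-Agent", "")).lower()

# (profile, parent profile, condition), parent listed before child.
# Simplified from the built-in policies (assumption, not the exact ISE rules).
PROFILES = [
    ("Apple-Device", None, lambda a: "apple" in a.get("OUI", "").lower()),
    ("Apple-iPhone", "Apple-Device", lambda a: "iphone" in _os_hint(a)),
    ("Android", None, lambda a: "android" in _os_hint(a)),
]

@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)
    profile: str = "Unknown"
    authz: str = ""  # last AuthZ result returned to the NAD ("" = none yet)

def radius_probe(ep, calling_station_id):
    """RADIUS probe: during PEAP the only endpoint fact is the MAC and its OUI."""
    mac = calling_station_id.replace("-", ":").upper()
    ep.attrs["MAC"] = mac
    ep.attrs["OUI"] = OUI_VENDOR.get(mac[:8], "")

def dhcp_probe(ep, host_name):
    ep.attrs["dhcp-host-name"] = host_name  # DHCP option 12, only seen after auth

def http_probe(ep, user_agent):
    ep.attrs["User-Agent"] = user_agent  # requires a portal / HTTP probe

def profile(attrs):
    """Most specific matching profile; a child only matches if its parent does."""
    matched = []
    for name, parent, cond in PROFILES:
        if cond(attrs) and (parent is None or parent in matched):
            matched.append(name)
    return matched[-1] if matched else "Unknown"

def authz_rule(prof):
    # Catch-all limited access until an OS-specific profile is known.
    return {"Apple-iPhone": "Permit-iOS", "Android": "Permit-Android"}.get(prof, "Limited-Access")

def reprofile(ep):
    """Re-run profiling; True means a CoA reauth is needed (AuthZ result changed)."""
    ep.profile = profile(ep.attrs)
    new = authz_rule(ep.profile)
    coa_needed = ep.authz != "" and new != ep.authz
    ep.authz = new
    return coa_needed
```

Running `radius_probe` alone lands an Apple endpoint on Apple-Device and Limited-Access; the first `dhcp_probe` with an iPhone host-name moves it to Apple-iPhone and `reprofile` reports that a CoA is due.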

Replies


Thanks for the info, Zaid! I will see if I can get something useful running based on what you said.