cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1876
Views
1
Helpful
4
Replies

ISE - VPN profiling with Apple iPhone devices

rchockeelopez
Beginner
Beginner

Hi,

I got an issue with Apple devices such as iPhone and iPADs when connecting through VPN the ISE is not doing profiling with the Apple devices.

With Android is working well. We create a policy for Android devices that connect through AnyConnect VPN for limited access with a DACL.

We are trying to do the same with Apple Devices connecting through VPN.

Hope you can help.

Regards.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

How are you profiling them? What methods are you relying on?

Is it at least profiling as an apple-device?

Are you redirecting to a portal to get the http user agent string for intitial login to help profile them? With ASA we don’t have DHCP or HTTP Sensor we don’t even see the correct MAC Address (that I know of)

Have you opened a tac case to help you debug?

View solution in original post

4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee

How are you profiling them? What methods are you relying on?

Is it at least profiling as an apple-device?

Are you redirecting to a portal to get the http user agent string for intitial login to help profile them? With ASA we don’t have DHCP or HTTP Sensor we don’t even see the correct MAC Address (that I know of)

Have you opened a tac case to help you debug?

hslai
Cisco Employee
Cisco Employee

I would expect the same issue with Android 6 and above due to the newer mobile operating systems are not permitting AnyConnect to access the device's real MAC addresses.

rchockeelopez
Beginner
Beginner

Thanks hslai and Jason.

I found this guide.

https://communities.cisco.com/docs/DOC-68156Profiling in VPN Mobiles not supported.jpg


Doing  some tests today to find out if ISE does not support profiling in Androids and iOS via AnyConnect VPN.


Any other feedback is welcomed.


Thanks.

For Androids it will depend on whether the client connects over mobile wireless or local WiFi.  Depending on Android version, we may be able to capture MAC address for latter.  The attributes are sent from AnyConnect through ASA and communicated to ISE as RADIUS TLVs.  If unable to capture MAC address, then we cannot correlate to specific endpoint in ISE.  We are looking at different methods to correlate endpoints over VPN, but shorter term client type may prevent more detailed profiling.  You can leverage the mdm-tlv attributes sent in the RADIUS request to provide custom access based on OS type (windows, ios, mac os, android).

/Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers