Unable to differentiate between iPad & other apple devices

clark white · ‎02-01-2017

Dears,

I have a condition where i have to match a corporate AD group who will access internet on corporate provided IPAD only ( not even their iphone),

how i can differentiate between ipad and iphone with a specific AD group access.

thanks

Marvin Rhoads · ‎02-01-2017

Are use using profiling in your policies? That allows you to differentiate using multiple attributes, including the Safari User Agent which identifies an iPad as the source device type.

See the following sources for some examples:

https://supportforums.cisco.com/document/128386/profiling-cisco-ise

https://communities.cisco.com/docs/DOC-68156

If you want furhter security, you could issue device certificates to the corporate iPads and check the certificate in your policy.

clark white · ‎02-04-2017

Dear Marvin,

thanks for your reply,

safari user agent can come with iphones also my goal is to restrict ipad on the specific ssid for corporate AD group.

just wanted to make sure, we have an internal CA can we use the internal CA certificates for the ipad to identify as a corporate ipads. this will help us to segregate IPads from iphones and other apple devices.

thanks

Marvin Rhoads · ‎02-04-2017

You can use a variety of attributes in profiling - not just br owner user agent but also things like DHCP discover packets, MAC addresses etc. In my experience ISE dcistinguishes between iPads and iPhones quite reliably.

Certificates are an even more reliable method. They can certainly be used in your policy set to distinguish the device type.