Profile Mac vs iPhone etc?

Greetings,

I am testing ISE2.0.1, but I'm having an issue that all devices profile as Apple-Devices. I put all the sub categories of Apple-Devices as their own category, and disabled Apple-Devices. This causes them to come on as unknown devices. It seems like they only get profiled by the OUI.

The issue here is iPhones and pads are managed by Mobile Iron, but MacBooks will be managed by Casper, so I need separate rules to check.

I also loaded AnyConnect on a MacBook and still only get Apple-Device.

Any suggestions to look into would be greatly appreciated.

Thanks,

Dustin

alberx

Do you have the profiler feed updated?

Administration > FeedService > Profiler

It helps to detect devices correctly.

Yes, I do have the profiler updating and it is current. It seems like the ISE is getting no info from Apple products, so is only profiling by the MAC address.

From what I've seen, all Apple devices originally get profiled as an Apple device. Once they gain access, they get re-profiled as the proper name: iPad, iPhone, MacBook, etc.

The issue that I have is that I want policies based on endpoint profile and they fail authorization.

I'm going to lab this: maybe, just above the deny rule, all devices that authenticate successfully get put into a quarantine, get the proper profile, and are issued a CoA.

Agree, I have also noticed that devices are not profiled correctly the first time they get access to the network.

I'm also facing problems with Mac OS X devices, and the policies I have created based on profiling are not working correctly.

Have you tried using AnyConnect? I'm wondering if that would help on the Macs at least.

The majority of the devices using the wireless are private, and I cannot force them to install AnyConnect.

It would be a good solution if the wireless were used by only corporate devices.

I'm reading about exception authorization policies, but I don't know how to use them to force a better detection of devices.

Thanks.

I was able to get this working.

Go to Admin > Settings > Profiling and make sure CoA is set to Reauth.

Make sure your policies are very specific to device type, either by Logical Profile or Profiled Policy.

At the end, create a catch-all rule for "Apple Devices" with an auth profile to only allow DHCP and DNS; I also used a quarantine VLAN. This will allow ISE to profile the device further. When the device gets an updated profile as Apple-MacBook, ISE will issue a CoA to the device and it will now hit the policy that you have for MacBook.

Hope that makes sense :)
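The rule ordering described in the post above, as a simplified Python model of first-match authorization plus a profiler-triggered CoA. This is an added example, not part of the original thread and not ISE code; the rule and result names are constructed, and the model assumes a denied endpoint produces no further profiling data.

```python
from dataclasses import dataclass, field

DENY = "DenyAccess"

# Ordered rules (endpoint profile -> authorization result); names are constructed.
POLICY = [
    ("Apple-MacBook", "MacBook-Access"),
    ("Apple-iPhone", "Mobile-Access"),
    ("Apple-iPad", "Mobile-Access"),
    ("Apple-Device", "Quarantine-DHCP-DNS"),  # catch-all, must come last
]


@dataclass
class Endpoint:
    profile: str = "Apple-Device"  # OUI-only match on first connect
    result: str = DENY
    history: list = field(default_factory=list)


def authorize(ep, policy):
    """Top-down evaluation: the first rule whose profile matches wins."""
    ep.result = next((res for prof, res in policy if prof == ep.profile), DENY)
    ep.history.append((ep.profile, ep.result))
    return ep.result


def reprofile(ep, new_profile, policy, coa="Reauth"):
    """Apply a profile change learned from probes while the endpoint is online."""
    if ep.result == DENY:
        return ep.result  # assumption: no access, so no DHCP data to learn from
    ep.profile = new_profile
    if coa == "Reauth":
        authorize(ep, policy)  # CoA sends the session through the policy again
    return ep.result


def scenario(policy, coa="Reauth"):
    """Connect as Apple-Device, then let the profiler refine to Apple-MacBook."""
    ep = Endpoint()
    authorize(ep, policy)
    reprofile(ep, "Apple-MacBook", policy, coa)
    return ep


if __name__ == "__main__":
    cases = [("catch-all + Reauth", POLICY, "Reauth"),
             ("catch-all + No CoA", POLICY, "No CoA"),
             ("no catch-all", POLICY[:-1], "Reauth")]
    for label, pol, coa in cases:
        print(label, scenario(pol, coa).history)
```

Without the catch-all rule the endpoint stays denied as Apple-Device, and with the catch-all but no Reauth CoA it is re-profiled yet remains in quarantine.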

Anyone tried AnyConnect on a MacBook? We use EAP chaining for PCs to authenticate before a user logs in; anyone use AnyConnect on a Mac to get better info? I can handle the phones joining as Apple-Device so long as I can get the Macs to show differently for rules.

This is the last thing we need to figure out before ordering or they may not go with ISE.
