New Member

ISE 1.1/WLC 7.2 Wireless MAB and Profiling

I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled, and if they match a device type (iPhone, Android) they are allowed access to the internet without AUP or authentication, and all other device types (including unknown) are redirected to the guest portal for authentication. My configuration works when devices are correctly profiled; the issue is that it appears that the RADIUS probes are the only profiling components working on the guest side. Devices are being correctly profiled on the corp network segment. The key profiling components I need to get a match on iPhone are DHCP and HTTP user agent. Without those, all iPhones are categorized as an Apple device and not iPhone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC. The ISE is on a separate LAN from the guest and right now I am only allowing DNS and 8443 through the ASA. I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection, because it will not relay the request to 2 servers; it just uses a secondary if the primary is unreachable.

Can someone point me in the right direction? I believe my Authentication, Authorization, and Identity Source Sequence, etc. configuration is correct, but I can post additional details if necessary. My main issue is the profiling probes and getting them working correctly on the guest LAN.

8 REPLIES
New Member

Could you check if profiled iDevices are being put in their respective group through the profiling policy?

By default, they are put in the parent group. Make sure you tick the box to create the corresponding endpoint group for those profiles.

New Member

Yes, we created matching identity groups for all the devices that we wanted profiling policies for. The issue was with getting profiling like DHCP, DNS, HTTP user agent, etc. to work without authentication. We settled for NMAP scan to get the results we desired.

New Member

Did you ever get this resolved? I need to accomplish the same thing.

Alex
New Member

What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple.  So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice.  This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.

We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type.  In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.

Hope that helps.

New Member

Please take a look at release 7.2.110. New profiling options are available on the "Advanced" tab of the WiFi profile.

Hope that helps

New Member

We are running 7.2.103.0 at the moment.  I will take a look at 7.2.110.0.  Thanks.

New Member

It's quite unfortunate that WLC does not send DHCP option 55 on the profiling interim accounting messages.

New Member

Jeff,

Could you post a screenshot of that rule for iDevices?

So basically you can tell if it's an iPhone without a DHCP/HTTP rule?

Thanks
