New Member

ISE deny access to Android devices

I have a customer who would like to deny access to any Android devices on its guest service. (The network has an anchor WLC, the authentication is set as LWA)

First I tried setting a simple AuthZ rule indicating "if Device-OS equals Android, then Deny Access"

Also tried setting a profiled group. Any device belonging to this Android devices group must be denied.

It appears the results were not consistent enough. On my first tests, a Galaxy smartphone was not allowed to pass after the AUP, but after some tries the user got access.

I think something may be missing in the config, as it appears the ISE is not recognizing the Device-OS. Any device is added to the profiled group.

Any idea how to troubleshoot and fix this requirement?

Regards

5 REPLIES
Cisco Employee

What do you have configured under "Administration > System > Settings > Profiling?" You should have CoA enabled and set to "Re-Auth"


Thank you for rating helpful posts! 
New Member

Thank you, I will check on site next week. I'm thinking of validating and testing with profiling settings at both ISE and the WLC.

Regards.

Cisco Employee

Sounds good. And good idea to check the profiling settings in the WLC. Keep us posted on the testing results.  

Thank you for rating helpful posts!
New Member

I did a quick test enabling DHCP profiling on the WLAN in the WLC. I couldn't do extensive tests because DHCP appeared not to be working, so I needed to go back. I don't understand why enabling this option affects the DHCP functionality ...

Unfortunately I can't do extensive tests on the production network, so I would need to be sure about which parameters to change.

In the lab (not the same environment to test) I have seen that ISE is able to identify a Galaxy smartphone as Samsung Device (by RADIUS probe), I guess by the OUI of the endpoint, and some minutes later as Android (by DHCP probe) ... So, I wonder if it is possible to define a priority or preference over which probe applies first ...

In the ISE Endpoint details I found this

User-Agent      Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

I guess this is where ISE learns that the device is an Android, right?


Regards ...

Cisco Employee

How about my original question:

What do you have configured under "Administration > System > Settings > Profiling?" You should have CoA enabled and set to "Re-Auth"

Also:

- What version of code are you running on the WLC?

- All information from all of the probes is collected and evaluated at the same time. There isn't a probe setting to make one more preferred than the other. Instead, profiling rules with higher certainty factor are preferred against rules with lower certainty level.

- In the WLC, what do you have for DHCP settings both under the WLAN interface and under the "controller" tab for the DHCP proxy?


Thank you for rating helpful posts!
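The two points above (probe data from RADIUS, DHCP and HTTP is pooled and the rule with the highest certainty factor wins, rather than one probe being preferred) and the earlier observation that the same phone shows up first as "Samsung Device" and only later as "Android" can be illustrated with a small simulation. This is an added example, not ISE code and not Cisco's shipped profiling policies: the OUI table, the certainty values and the DHCP class identifier are constructed for the example; only the User-Agent string is taken from the thread. It shows why an "if Device-OS equals Android then Deny" rule evaluated on RADIUS data alone permits the device, and why a change of profile needs a CoA re-auth to take effect.

```python
import re

# Constructed OUI table: "AA:BB:CC" is a placeholder prefix, not a real IEEE assignment.
OUI_VENDORS = {"AA:BB:CC": "Samsung Electronics"}

# Hypothetical profiling policies: (profile, attribute, regex, certainty factor).
# Certainty values are illustrative, chosen so that two weaker matches (HTTP +
# DHCP) outweigh the single OUI match, as the thread describes.
POLICIES = [
    ("Samsung-Device", "OUI", r"Samsung", 10),            # from RADIUS probe (MAC/OUI)
    ("Android", "User-Agent", r"\bAndroid\b", 30),        # from HTTP probe
    ("Android", "dhcp-class-identifier", r"dhcpcd", 10),  # from DHCP probe
]

# Constructed endpoint attributes as collected at two points in time.
RADIUS_ONLY = {"MACAddress": "aa:bb:cc:11:22:33"}
ALL_PROBES = {
    "MACAddress": "aa:bb:cc:11:22:33",
    "dhcp-class-identifier": "dhcpcd-5.5.6",  # constructed sample value
    "User-Agent": ("Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 "
                   "Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) "
                   "Version/4.0 Mobile Safari/533.1"),
}


def oui_vendor(mac):
    """Map the first three octets of a MAC to a vendor name (constructed table)."""
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


def score_profiles(attrs):
    """Evaluate every policy against all attributes at once and sum certainty
    per profile; no probe is consulted before another."""
    attrs = dict(attrs)
    attrs["OUI"] = oui_vendor(attrs.get("MACAddress", ""))
    scores = {}
    for profile, attr, pattern, certainty in POLICIES:
        value = attrs.get(attr)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            scores[profile] = scores.get(profile, 0) + certainty
    return scores


def best_profile(attrs, min_certainty=10):
    """Pick the profile with the highest accumulated certainty factor."""
    scores = score_profiles(attrs)
    if not scores:
        return "Unknown"
    profile, score = max(scores.items(), key=lambda kv: kv[1])
    return profile if score >= min_certainty else "Unknown"


def guest_authz(attrs, denied=("Android",)):
    """The AuthZ rule from the thread: deny when the matched profile is Android."""
    return "DenyAccess" if best_profile(attrs) in denied else "PermitGuest"


def needs_reauth(old_attrs, new_attrs):
    """True when newly collected probe data changes the profile: the session
    authorized on the old profile only gets re-evaluated after a CoA re-auth."""
    return best_profile(old_attrs) != best_profile(new_attrs)


if __name__ == "__main__":
    for label, attrs in (("RADIUS only", RADIUS_ONLY), ("all probes", ALL_PROBES)):
        print(f"{label:12s} scores={score_profiles(attrs)} "
              f"profile={best_profile(attrs)} authz={guest_authz(attrs)}")
    print("CoA re-auth needed:", needs_reauth(RADIUS_ONLY, ALL_PROBES))
```

With only the RADIUS attributes the device scores as Samsung-Device and the guest rule permits it; once the DHCP and HTTP attributes arrive the Android total (40) beats the OUI match (10) and the same rule denies. Without CoA set to Re-Auth under the profiling settings, the session that was already authorized as Samsung-Device keeps its original result, which matches the inconsistent behaviour reported at the top of the thread.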