ISE 1.2 Profiling - User Agent attribute incorrect

Hi all,
Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly, e.g. Mac OS X profiling as Apple-Device. Basically the issue is that the user-agent string profiled by ISE is incorrect, meaning that only the OUI is matched. During the BYOD onboarding process, non-browser applications and services (games, OCSP daemons etc.) are presenting their specific user-agent strings, e.g. "OCSPD\1.0.2", to ISE, resulting in incorrect profiling.
Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of first agent received or last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight Authz policies, e.g. iPad only etc.

"Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
The suppression feature will not affect the re-profiling of a device. The suppression only affects the logging on the MnT node. Since profiling is a PSN function, the suppression has no effect on the outcome of a profiling event.
You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen.  Again, an understanding of how profiles work is not the issue here.  
For example, say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints: one is an iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the useragent.
Based on the default profiling rules there are two things that need to be identified for either an iPhone or an iPad. The first common item is that the MAC OUI is identified as Apple. This increases the certainty factor by 10. The second is either the HTTP user agent containing iPad/iPhone or the DHCP hostname containing iPad/iPhone. Both of those conditions would increase the certainty factor by 20 for a total of 30. Since DHCP is not being used in this example we can remove that as a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of Apple and the useragent must contain iPhone. Same goes for iPad, but with iPad in the useragent.
Like smcbridebpc stated, every application that uses HTTP will have a useragent string. The profiler rules assume that the useragent that is being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a useragent string such as "OCSPD\1.0.2", which is obviously the OCSP Daemon, this useragent string is "stuck" on the endpoint and no other usable useragents can be used to profile the device. Therefore a race condition exists, and the application that wins determines whether the profiler will be accurate or not.
The only two solutions that I can think of would be to have a useragent filter that would allow you to manually filter out useragents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend) OR every time a new useragent is presented to the profiler for a device, the useragent is joined to a list of useragents.
If the useragent was overwritten every time a new useragent was presented, then it would cause the device to be reclassified every time the different applications presented useragents, which would not be good.
It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
https://tools.cisco.com/bugsearch/bug/CSCuj45373
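
The race described in the reply above can be reproduced with a small model. This is an added example, not ISE code and not part of the original posts: it uses the certainty-factor values quoted in the thread (10 for the Apple OUI, 20 for a matching User-Agent), while the OUI prefix, the filter list, the browser string and the assumption that the profile is re-evaluated from the stored attributes after every update are constructed for illustration.

```python
from dataclasses import dataclass, field

CF_OUI = 10   # MAC OUI identified as Apple (value quoted in the thread)
CF_UA = 20    # User-Agent contains iPhone/iPad (value quoted in the thread)

APPLE_OUI = "AA:BB:CC"     # constructed stand-in, not a real Apple prefix
UNUSABLE = ("OCSPD",)      # hypothetical filter list of non-browser agents

# Constructed arrival order: OCSP daemon first, then the browser, then an app.
STREAM = [
    r"OCSPD\1.0.2",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) Mobile Safari",
    "Viber/2.2.1.207 CFNetwork/548.1.4 Darwin/11.0.0",
]


@dataclass
class Endpoint:
    mac: str
    mode: str                      # "stuck", "overwrite" or "list"
    agents: list = field(default_factory=list)

    def observe(self, ua: str) -> None:
        """Store a newly seen User-Agent according to the chosen strategy."""
        if self.mode == "stuck":           # first agent seen is kept forever
            if not self.agents:
                self.agents = [ua]
        elif self.mode == "overwrite":     # newest agent replaces the old one
            self.agents = [ua]
        elif self.mode == "list":          # filter, then accumulate
            if not ua.startswith(UNUSABLE) and ua not in self.agents:
                self.agents.append(ua)
        else:
            raise ValueError(f"unknown mode: {self.mode}")


def profile(ep: Endpoint) -> tuple:
    """Return (policy, certainty factor) from the attributes stored so far."""
    if not ep.mac.upper().startswith(APPLE_OUI):
        return ("Unknown", 0)
    for keyword in ("iPhone", "iPad"):
        if any(keyword in ua for ua in ep.agents):
            return (f"Apple-{keyword}", CF_OUI + CF_UA)
    return ("Apple-Device", CF_OUI)


def run(mode: str, stream=STREAM) -> list:
    """Profile one endpoint after every observed agent; return the history."""
    ep = Endpoint(mac="aa:bb:cc:00:00:01", mode=mode)
    history = []
    for ua in stream:
        ep.observe(ua)
        history.append(profile(ep))
    return history


if __name__ == "__main__":
    for mode in ("stuck", "overwrite", "list"):
        print(f"{mode:9}", [name for name, _ in run(mode)])
```

With the single-slot strategies the result depends on arrival order or flaps between policies; only the filtered list settles on the specific policy regardless of which application speaks first.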

Similar Messages

  • Wlc 7.3 user-agent

    Hi,
    Where do I report that iDevices are having weird user agent attributes?
    WLS-AM%20890/2.5.5 CFNetwork/548.1.4 Darwin/11.0.0
    Seems like this guy went to the WLS-AM news site and that's what it's coming up with.
    I've even had more of these cases
    User-Agent          $%7BPRODUCT_NAME%7D/1 CFNetwork/548.1.4 Darwin/11.0.0
    That's one
    An iPhone:
    User-Agent          Fidelity/1.8.3851 CFNetwork/548.1.4 Darwin/11.0.0
    An iPhone:
    Viber/2.2.1.207 CFNetwork/548.1.4 Darwin/11.0.0
    This one looks like it is sending what apps are accessing the HTTP protocol or something; it doesn't say iPhone
    thank you

    Hi,
    You will have to open a TAC case with the wireless team in order to have them file a bug for this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • CSCum97337 - Ise Endpoint Profile is getting degraded based on poorer user agent

    I have searched but I can not find out how to do this 
    Where can I add user-agent strings to an exclusion list ? 
    regards
    Gudmundur

    Check permission of account and account is lockout.
    Also check below link
    http://technet.microsoft.com/en-us/library/hh212922.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical | Twitter:
    Mai Ali

  • Ise 1.2 profiling using language of browser as attribute

    I was wondering if anyone has any idea whether you can use the language of a device, i.e the browser language setting, to profile a device ? I have tried user-agent string matching, but this doesn't contain the language.
    Jan           

    The administrator can use the language templates to customize the sponsor portal user interface and the guest account notification text. A default English template is available in the Cisco ISE Admin portal. If you want to change the default language presentation of the sponsor portal or the language and text of the guest notifications, you can add new templates. You can customize the print, email, and short message service (SMS) templates and set the information that is printed, emailed, or text-messaged to guests.
    Please check the below links  which may be helpful for you:
    Link-1
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1068319

  • Incorrect User Agent

    When I use my Z10 to go to a website, I get the incorrect User Agent.
    I get the following :
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1
    I get the same results using my cell network and wifi.
    here is the site I am using to test  :
    http://whatsmyuseragent.com/
    the Developer Blog reports that it should return something like :
    Mozilla/5.0 (BB10; <Device Model>) AppleWebKit/<WebKit Version> (KHTML, like Gecko) Version/<BB Version #> Mobile Safari/<WebKit Version>
    http://devblog.blackberry.com/2012/08/blackberry-10-user-agent-string/
    Solved!
    Go to Solution.

    You have enabled "Desktop mode" in the browser.
    To disable it and restore the Z10's own user agent, tap on the overflow menu (three dots, lower right) and go into Settings, then pick the Developer Tools page and turn off Desktop Mode there.
    Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
    Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!

  • [svn:bz-trunk] 9714: Bug: BLZ-424 - Incorrect user-agent string for Opera 10 in flex.messaging.client.UserAgentSettings

    Revision: 9714
    Author:   [email protected]
    Date:     2009-08-27 14:20:06 -0700 (Thu, 27 Aug 2009)
    Log Message:
    Bug: BLZ-424 - Incorrect user-agent string for Opera 10 in flex.messaging.client.UserAgentSettings
    QA: Yes
    Doc: No
    Ticket Links:
        http://bugs.adobe.com/jira/browse/BLZ-424
    Modified Paths:
        blazeds/trunk/modules/core/src/flex/messaging/client/UserAgentSettings.java
        blazeds/trunk/resources/config/services-config.xml

  • Incorrect User Agent String

    I am having a compatibility problem with Safari as it seems to be sending out the wrong user agent string. It is sending out:
    Mozilla/5.0 (000000000; 0; 00000 000 00 0; 00000; 0000000000) 00000000000000 000000000000000p
    This may well be some broader Mac OS problem, as I am having the same problem with Firefox and I know the string is correct in firefox as you can check it in about and I also overrode it. I do not have the same problem with IE/firefox in windows under parallels.
    Any help/suggestions greatly appreciated.

    Hi,
    First of all, you could follow this Wiki to verify your account:
    How to Verify Your MSDN/TechNet Forums Account So that You Can Post Images and Links
    http://social.technet.microsoft.com/wiki/contents/articles/15960.how-to-verify-your-msdntechnet-forums-account-so-that-you-can-post-images-and-links.aspx
     it tells me it's edge (5 default)
    Give us screenshot to state. Since it only have these option below:
    but the webiste keeps telling me I'm in "Internet Explorer 9 Compatibility View" because of the user-agent string.
    Please let us know the exact message and website address.
    If these website is intranet website, uncheck this setting for test:
    Karen Hu
    TechNet Community Support

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds and reads this article,
    I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect is the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

  • ISE, WLC Device Profiling

    Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as a AAA Server. I have setup this configuration so VLAN ID's can be pushed to clients based on their login credentials(from AD), this all works fine. I'd like to take this on a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on their DHCP hostname, should it contain iPhone etc, is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as given the nature of the users connecting the VLAN push based on credentials is key to my possible deployment.
    My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some AP's, it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges, site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLAN's to the Flex Auth WAP's so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
    Thanks for any advice/assistance.
    Kenny.

    Kenny,
    For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
    As far as your 2nd question, the flex auth APs do not support CoA and aren't a "supported network access device" per Cisco's webpage.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE and Android Profiling

    G'day All,
    I am building a wireless ISE solution that will service laptops (windows and OSX) via posture assessment, and mobile devices such as iphone, ipad and android.
    I looking for help with the profiling of the android devices. I am using the profiler radius and HTTP probes, the radius probe appears to be sufficient for the laptops and the iphone/ipads.
    HTTP has been introduced for the Androids as the radius probe wasn't receiving the user agent string from all the test android devices, for example a Samsung Galaxy S3 phone would send the user agent string and be profiled correctly, where as a Samsung Note 10.1 tablet wouldn't send the user agent string, so would be profiled as an unknown device.
    I was attempting to keep it as seamless as possible for the end user. So I am not using device registrations, supplicant provisioning, etc. Obviously the posture assessment process isn't exactly seamless, but once the users have downloaded the NAC client, etc., it is pretty seamless from a user interaction point of view from then on.
    For the Apple devices and the Androids, I have an authorisation policy that says if the device is a profiled iPhone/iPad/Android, use CWA and guest portal; users log in via AD credentials and accept the AUP and away they go. Some of the Androids ignore this policy and then match on the policy for the laptops (posture assessment). Once connected and in posture pending status, the redirection to the NAC agent page fails, but the Android is then profiled correctly via the HTTP probe. If I attempt to browse again, I get redirected to the guest portal via CWA as the device has been profiled as an Android and the user can log in, accept the AUP and away they go.
    I'd love to hear from people who have implemented android profiling in the production environments, and how you have done it?
    I am aware that not using device registrations/supplicant provision, etc isn't exactly validated design, but for the purpose of the Android profiling, it shouldn't be relevant.
    I am presently using ise 1.1.3
    Huge thanks in advance guys, any assistance is always greatly appreciated.
    Cheers,
    JS

    I have run into this scenario also and I shy away from using the HTTP profiling on the wireless device sensor because it causes issues with applications that fail to include the type of device.
    Have you checked the DHCP client identifier? I think the Android has an Android-specific string so you may want to bump up the certainty factor.
    Sent from Cisco Technical Support Android App

  • Trying to get Firefox to open in User Agent "Internet Explorer"

    I run an Internet Cafe and have recently installed Ubuntu 10.04 over Micro$oft.
    I HAVE to give customers an alternative to Live Messenger.
    I have TokBox setup .. but gives problems now & then.
    I need to cover all bases or lose customers.
    The only viable alternative I have found is '''EBuddy'''.
    Now the problem is .. when I log in using Internet Explorer and I connect to a contact - I can see the start video call "button".
    Any other browser and the webcam button does not show.
    All of the Firefox & Seamonkey User Agent Switchers I have tried work .. but I cannot expect the customer to know that they need to switch User Agent before they can use the webcam.
    I need to Launch either Firefox or Seamonkey (preferably Seamonkey - if the fix is to be a permanent one) in Internet Explorer mode.
    A permanent "fix" for Firefox was suggested on the Ubuntu Forum ...
    1. Open about:config
    2. Right-click, choose "New" > "String"
    3. Type "general.useragent.override" (no parentheses) into the "New String Value" dialog box that appears and press "Enter." Type or copy and paste the desired new user agent string into the "Enter String Value" box (in this case "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" )
    When you're done, copy that Firefox profile to all of your computers (the .mozilla folder)
    I tried this on Seamonkey .. but it did not have the desired effect = no start video call button.
    There is a Proxy Tool add on for Seamonkey which can change the user agent and this works. Same thing for Firefox.
    But the user agent is back to default on browser re-start.
    In an ideal world I would like to create a Launcher on Ubuntu desktop which would open either Firefox or Seamonkey on the E Buddy sign in page and the User Agent would automatically be set to IE8 or 9.

    Try to set the user agent via a user.js file.
    *http://kb.mozillazine.org/user.js_file
    user_pref("general.useragent.override", "<IE user agent>");

  • The User-Agent "Java/1.5.0_06" is unknown;creating an agent with null agent

    Hello,
    We're currently on JDeveloper 10.1.3.4.0.4270. We just released a new version of our web app into production. This is an internal web application. The application server is WebLogic 10. The WebLogic log is showing a lot of these warning messages. I tried searching on this forum and in Google but was unable to find any information. I would really appreciate it if anyone has any idea what could be causing these warnings. Our users are constantly getting sent back to the login page due to lost user sessions.
    <Jun 8, 2010 12:39:20 AM EDT> <Info> <Common> <BEA-000628> <Created "5" resources for pool "venusDS", out of which "5" are available and "0" are unavailable.>
    Jun 8, 2010 12:39:20 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:39:20 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:39:21 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:39:21 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:42:21 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:42:21 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Jun 8, 2010 12:42:21 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    1698656.832: [GC [PSYoungGen: 145280K->5811K(187264K)] 418915K->302441K(650112K), 0.1285455 secs]
    Jun 8, 2010 12:42:22 AM oracle.adfinternal.view.faces.agent.AgentFactoryImpl _populateNullAgentImpl
    WARNING: The User-Agent "Java/1.5.0_06" is unknown; creating an agent with null agent attributes.
    Thanks,
    Joe

    Hi,
    user agent is the browser users use. So what is the browser ?
    Frank

  • How to retrieve user defined attributes in Prepopulating a request dataset

    Hi,
    I have created couple of user defined attributes in user profile.
    And I am trying to develop a prepopulate adapter in a request dataset for a resource. I need to prepopulate the request dataset based on the values of the above-mentioned user defined attributes.
    I tried to use tcResultSet result=UserOppsIntf.getSelfProfile(); in my pre-populate adapter but it is giving me only the following attributes and it is not giving any of my user defined attributes.
    Users.Manager Key
    Users.Manager Login
    Users.Manager First Name
    Users.Manager Last Name
    Users.Password Warning Date
    usr_locale
    Users.Key
    Users.Password Expired
    Users.Middle Name
    Users.User ID
    Users.Password Expiration Date
    Users.Status
    Users.Password Warned
    Users.Email
    Telephone Number
    Users.Display Name
    usr_timezone
    Users.Lock User
    Users.Last Name
    Users.First Name
    MEMBERTYPE
    If I use the code userData = usrService.getDetails("User Login", RequesterID, null); then I am getting only the following.
    Display Name:
    act_key:
    Full Name:
    usr_key:
    User Login:
    Last Name:
    First Name:
    Please let me know how to retrieve all of user defined attribute values in prepopulate adapter for a request dataset.

    Use below code to get all attributes in user profile including UDF.
    // strUserKey is the usr_key of the user to look up, supplied by the caller
    OIMInternalClient objOimInternalClient = new OIMInternalClient();
    UserManager usrService = null;
    User user = null;
    Date endDate = null;
    try {
        objOimInternalClient.loginAsAdmin();
        usrService = objOimInternalClient.getService(UserManager.class);
        user = usrService.getDetails("usr_key", strUserKey, null);
        // Read an attribute from the returned profile by its display name
        endDate = (Date) user.getAttribute("End Date");
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        // Always release the admin session, even if the lookup failed
        if (objOimInternalClient != null) {
            objOimInternalClient.logout();
        }
    }
    In order to see all UDF's in User profile, please create Authorization Policy.

  • Warning: The User-Agent "null" is unknown; creating an agent with null agen

    Hello,
    I use ADF 10.1.3.3 in our web application. I found the warning (The User-Agent "null" is unknown; creating an agent with null agent attributes.) in the application server OC4J 10.1.3.3, but these don't have a negative impact on the application.
    can someone tell me what the warning means?
    thanks

    Hi,
    user agent is the browser users use. So what is the browser ?
    Frank

  • Getting User-Agent through J2ME Client

    Hi, i think most of the developers here might have come across this problem.
    I have a servlet that will get the client's User-Agent headers value when the client access it. When i access the servlet through a phone browser, the header will give me the phone's user agent. But when i access the same servlet through my J2ME client, the header will return a value of 'UNTRUSTED/1.0' string which doesn't contain any user agent info.
    I understand that in the JSR implementation the 'UNTRUSTED' string will be appended to the User Agent header, but the original user agent value is not there. Does anyone know what the reason behind this is?
    Thanx.
    FooShyn

    first:
    - do not multipost the same message
    second:
    - did you put headers on your connection in your application?
    - and the only useragent that you can get is the useragent defined in the app...
    for example:
    try {
          c = (HttpConnection)Connector.open(url);
          c.setRequestMethod(HttpConnection.GET);
          c.setRequestProperty("IF-Modified-Since", "10 Nov 2000 17:29:12 GMT");
          c.setRequestProperty("User-Agent","Profile/MIDP-1.0 Confirguration/CLDC-1.0");
          c.setRequestProperty("Content-Language",      "en-CA");
          os = c.openOutputStream();
    ...taken from http://developers.sun.com/techtopics/mobility/midp/articles/network/ThirdExample.java
