This document describes how to resolve the Unknown device issue with Apple devices. Some of the newer Apple iDevices may be profiled as Unknown by Identity Services Engine (ISE) due to the absence of an Organizationally Unique Identifier (OUI) in the ISE database. This article addresses one method to make these devices profile correctly in your ISE deployment.
There are no specific requirements for this document.
Cisco ISE Release 1.1.x
Apple iOS devices
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
When some Apple iOS devices connect to an ISE deployment, they may be profiled as 'Unknown', which prevents the application of Policies related to Apple iDevices from being applied.
The problem originates from newly manufactured Apple devices which use OUIs that are not yet present in the ISE database.
In order to resolve the Unknown device issue with Apple devices, it is necessary to add the OUI manually to the Apple Profiling Policy. This allows the certainty factor to increase to the minimum required level, and therefore place the device in the correct endpoint group.
In the ISE administration GUI, choose Policy > Profiling > Profiling Policies, and choose the Apple-Device parent policy from the left hand pane. Child policies (Apple-iPad, Apple-iPhone, and so on) do not affect the profiling outcome when you use the conditions as defined out of the box. The OUI must be added on this screen.
In the Profiler Policy for Apple-Device, add a new rule with an "If" condition using a New Condition (Advance Option). Choose the MAC category, and then choose the MACAddress variable. Set the rule to CONTAINS, and in the text field enter in the OUI for the device. Lastly, set the certainty factor to increase by 10 in order to meet the default settings for the Apple Device Policy. This example displays an OUI for iPad Minis.
Save the changes. Now you should see the endpoints correctly profiled as Apple iDevices.