Web Filtering - Device OS not recognized / device-specific authentication not working

Hello community,

I have a problem with my Apple iOS devices.

As standard we use basic authentication fed by MS Active Directory groups.

So users usually have to type the username and password of their AD accounts.

Now we would like to let our Apple iOS devices online without authentication because the network where they come from is already secure and the devices have certificates and so on.

I wanted to use device-specific authentication and added iOS devices with no authentication to the global web filtering lower right part.

Nothing happens and the devices still get their pop-ups.

As I understand this function, the UTM should be aware of what kind of device tries to establish the connection.

So the device under its IP should be seen in the logs as device="4" for iOS-Device.

While checking the logs I saw that all devices are regarded as device="0" (unknown).

Am I missing a function anywhere? Why isn't the UTM device aware?

Maybe you can help...

ThanX

Marc

PS:

SG550

9.510-5

  • Hi Marc,

    Did you try different web browsers to test whether the log entries change? Also, verify the http log lines for multiple machines to check whether the issue is global or related to a specific machine/OS. If that doesn't change the behaviour, restart the http proxy from the shell with the command /var/mdw/scripts/httpproxy restart

    Thanks,

  • In reply to sachingurung:

    Hello Sachin,

    The problem spans multiple OSes, with different browsers and apps. Every device using the proxy is device="0" (unknown). If we aren't missing another part which might be necessary, I will do as suggested and reboot the proxy by shell.

    As we run the UTM clustered and five locations with nearly 5000 people are involved, I will do this some night in a few days...

    Thanks for the answer to my request :)

    Greetings

    Marc

  • Hallo Marc and welcome to the UTM Community!

    Please show a picture of the Edit of the Profile for the iOS devices.

    Cheers - Bob

  • I wonder if you may have found a bug.   Have you opened a support case yet?

    I have a small number of cell phones allowed on my network, so I parsed several days of log files to see if I could find them.   So far, I only see entries with device=0.  But I do not yet have a formal test with a specific phone on a known IP browsing a specific website.   I may pursue that in a few days.

    Are you getting a UA string that indicates the phone browser identity was captured?   I have not yet found one, so my results may still be meaningless.

    Running 9.506-2

  • In reply to BAlfson:

    Hi Bob,

    thanks for the help!

    Actually it runs through our "basic" default profile.

    As I understood the manual, you have the option to configure device-specific auth via two methods:

    Web filtering or web filtering profiles.

    There isn't a specific profile for the iOS devices because they originate from the same network.

    What makes me curious is the fact that no device or browser is recognized as device 1, 4, 3 or whatever.

    The log shows the right vendor and browser for the devices but doesn't use this information.

    Greetz Marc

  • In reply to DouglasFoster:

    Hi Douglas,

    "feels" like a bug :)

    DouglasFoster

    Are you getting a UA string that indicates the phone browser identity was captured?   I have not yet found one, so my results may still be meaningless.

    Running 9.506-2

    Provided a snippet of the log where you can see some Windows machines which provide correct OS and browser information.

    The i-devices do the same. But they aren't categorized.

    As I have read the instructions, this should be the case all along... :-/

    Greez Marc

  • In reply to Marc Schröder:

    OK... now I provided...

  • In reply to Marc Schröder:

    What version of iOS is this device running? Has it been upgraded to iOS 12 recently?

  • In reply to RichBaldry:

    Hello guys,

    I have the same issue with UTM version 9.506 and iOS 12.1.

    How is it with 9.510 or 9.6?

  • In reply to McWolle:

    Does anyone know how device detection works?  I am guessing it parses the user-agent text, but support level 1 did not know.

    Also, I established that device data is only captured when device-specific authentication is enabled, but you already have that set.

  • In reply to DouglasFoster:

    Device detection uses a combination of TCP packet signatures and other factors. User-agent is used as a secondary factor where TCP signatures do not provide enough information.

    TCP packet signatures have the advantage of being able to determine very quickly on every connection and work even on encrypted (SSL/TLS/HTTPS) traffic. But User-agent is only visible for HTTP traffic, not HTTPS. Where we are relying on secondary factors that cannot be evaluated on every flow, we rely more heavily on storing/caching device information on a per-IP basis, which can sometimes lead to incorrect assessments persisting.

    A major area where TCP signatures are not distinct enough is with recent versions of Apple's operating systems. User-agent is critical right now for distinguishing between iOS and MacOS.
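
The check discussed in this thread (does the proxy log show an iOS user agent from an address whose requests are never tagged device="4"?) can be scripted as below. This is an added example, not part of any post and not Sophos code: the field names `srcip` and `ua` and the key="value" line layout are assumptions, the device codes "4" and "0" are the ones quoted in the thread, and the sample lines are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w[\w-]*)="([^"]*)"')        # key="value" pairs in a log line
IOS_UA = re.compile(r'\b(iPhone|iPad|iPod)\b')  # tokens Apple mobile browsers send
IOS_CODE = "4"      # from the thread: device="4" means iOS
UNKNOWN_CODE = "0"  # from the thread: device="0" means unknown

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV.findall(line))

def audit(lines):
    """Per source IP: request count, iOS user agents, requests without UA, device codes."""
    stats = defaultdict(lambda: {"requests": 0, "ios_ua": 0, "no_ua": 0, "devices": set()})
    for line in lines:
        fields = parse_line(line)
        if "srcip" not in fields or "device" not in fields:
            continue  # not a proxy access line we can evaluate
        s = stats[fields["srcip"]]
        s["requests"] += 1
        s["devices"].add(fields["device"])
        ua = fields.get("ua", "")
        if ua in ("", "-"):
            s["no_ua"] += 1   # e.g. HTTPS flows where no user agent is visible
        elif IOS_UA.search(ua):
            s["ios_ua"] += 1
    return dict(stats)

def misclassified_ios(stats):
    """IPs that sent an iOS user agent but were never logged as device="4"."""
    return sorted(ip for ip, s in stats.items()
                  if s["ios_ua"] and IOS_CODE not in s["devices"])

# Constructed sample lines (assumed layout, not taken from a real appliance).
SAMPLE = [
    '2018:11:20-10:15:01 utm httpproxy[4711]: name="http access" method="GET" srcip="10.1.1.20" device="0" url="http://example.com/" ua="Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"',
    '2018:11:20-10:15:02 utm httpproxy[4711]: name="http access" method="CONNECT" srcip="10.1.1.20" device="0" url="https://example.com/"',
    '2018:11:20-10:15:03 utm httpproxy[4711]: name="http access" method="GET" srcip="10.1.1.30" device="4" url="http://example.org/" ua="Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X) AppleWebKit/605.1.15"',
    '2018:11:20-10:15:04 utm httpproxy[4711]: name="http access" method="GET" srcip="10.1.1.40" device="0" url="http://example.net/" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for ip in misclassified_ios(audit(SAMPLE)):
        print(f"{ip}: iOS user agent seen, but never logged as device=\"{IOS_CODE}\"")
```

A high `no_ua` count for an address means most of its flows carried no user agent the proxy could read, which is the situation where the per-IP cached classification described above decides the outcome.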

  • In reply to RichBaldry:

    Thx, RichBaldry, for the detailed explanation.
    So I activate the same device-specific authentication for macOS and iOS ;-)