AOS Fingerprint-Derived Role Configuration

1 How to discover a device's fingerprint

AOS version 6.0.1.0 or later is required. Enter the following commands in the CLI:

 

(Aruba3600) #configure terminal

(Aruba3600) (config) #logging level debugging network subcat dhcp

Take the test client fully offline, then have it re-associate to the SSID so that it issues a new DHCP request:

 

aaa user delete mac <mac address of client>

show log network all | include Option then shows the following:

 

Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
Apr 23 07:15:45 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700
Apr 23 07:15:45 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700

The keys to look for are 0c, 37, 3c and 51: the two hex digits before each colon. The test client's MAC is 00:0d:4b:78:9f:07, and its option starts with 37. When writing the rule, join 37 with the 0103060f0c that follows it and drop the colon, giving 370103060f0c.

Create a user role named Roku for the test client:

 

config t
user-role Roku
access-list session allowall
exit

Define the role derivation rule:

 

config t
aaa derivation-rules user dhcp-fingerprint-rule (dhcp-fingerprint-rule is whatever you want to name it)
set role condition dhcp-option equals "370103060f0c" set-value Roku
set role condition dhcp-option equals "3c64686370636420342e302e3135" set-value android
exit

Attach the rule set to the AAA profile:

 

config t
aaa profile <my aaa profile>
user-derivation-rules dhcp-fingerprint-rule
exit

Verify the result:

 

config t
logging level debug user-debug <mac address of client>
exit

 

show log user-debug all | include <mac address of client>

Apr 22 13:01:58 :522026: <INFO> |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=1
Apr 22 13:01:58 :522004: <DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 50, signature 32C0A801F2
Apr 22 13:01:58 :522004: <DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 54, signature 36C0A80103
Apr 22 13:01:58 :522004: <DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 55, signature 370103060F0C
Apr 22 13:01:58 :522019: <INFO> |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0.0.0 Derived role 'Roku' from user rules: utype=L2

Use show user to see the role assigned to the test client:

 

(3600) # show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
192.168.1.242 00:0d:4b:78:9f:07 Roku 01:01:49 00:0b:86:64:1e:60 Wireless PatchMe/00:1a:1e:50:0d:70/g-HT default-aaa tunnel Roku

User Entries: 1/1

To see how many times the rules have been hit, use the following command:

(3600) #show aaa derivation-rules user dhcp-fingerprint-rule

User Rule Table
---------------
Priority Attribute Operation Operand Action Value Total Hits New Hits Description
-------- --------- --------- ------- ------ ----- ---------- -------- -----------
1 dhcp-option starts-with 370103060f0c set role Roku 20 0
3 dhcp-option equals 3c64686370636420342e302e3135 set role android 6 0 HTC Thunderbolt

Rule Entries: 2
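As an added example (not code from the original post or from Aruba), the following Python reproduces the mapping described above, from the debug log to the rule table: it parses REQUEST lines in the format shown earlier, builds the colon-less option signatures (0c, 37, 3c, 51) that are used as rule operands, and evaluates a list of equals / starts-with rules in priority order, the way the rule table is consulted. The log lines and the two rules are taken from this post; the option names, the regex and the first-match evaluation order are assumptions.

```python
import re

# DHCP option codes the post says to key on, as the two hex digits before the colon
OPTION_NAMES = {"0c": "hostname", "37": "parameter-request-list",
                "3c": "vendor-class", "51": "client-fqdn"}

# Constructed sample: two REQUEST lines in the format of the post's debug output
SAMPLE_LOG = """\
Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
Apr 23 07:15:45 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700
"""

LINE_RE = re.compile(
    r"REQUEST (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?Options (?P<opts>.*)$")

def parse_log(text):
    """Map each client MAC to its list of (option code, hex value) pairs."""
    clients = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pairs = [tuple(tok.split(":", 1)) for tok in m.group("opts").split()]
        clients.setdefault(m.group("mac"), []).extend(pairs)
    return clients

def signatures(pairs):
    """Build rule operands: option code + value with the colon removed, lowercase."""
    return {code: (code + value).lower() for code, value in pairs if code in OPTION_NAMES}

def decode_text(hex_value):
    """Show a text-valued option (hostname, vendor class) as a readable string."""
    return bytes.fromhex(hex_value).decode("ascii", errors="replace")

def derive_role(rules, pairs):
    """rules: [(operation, operand, role)] in priority order; first match wins,
    mirroring the equals / starts-with operations of the post's rule table."""
    for op, operand, role in rules:
        for sig in signatures(pairs).values():
            if op == "equals" and sig == operand.lower():
                return role
            if op == "starts-with" and sig.startswith(operand.lower()):
                return role
    return None

# The two rules configured in the post, in priority order
RULES = [("equals", "370103060f0c", "Roku"),
         ("equals", "3c64686370636420342e302e3135", "android")]
```

Feeding each client's pairs from parse_log(SAMPLE_LOG) into derive_role(RULES, ...) yields Roku for 00:0d:4b:78:9f:07 and no role for 00:1b:63:f0:42:38, whose parameter request list differs; decode_text shows the hostname and vendor-class options as readable strings before they are turned into operands.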
