Using DHCP fingerprinting, how do I send most iPhones to one role, but send a few iPhones to another role?

Aruba Employee

Introduction : DHCP allows a client to get an IP address from DHCP server. But these DHCP packets contain different values that can be used to fingerprint the OS. The Aruba controller can use these values to detect the OS that the client machine is using, which allows you to put them in different roles according to the detected OS.

For DHCP fingerprinting to work, the VAP must be in tunnel mode.

DHCP fingerprinting is done in User Derivative roles in AAA profile.  DHCP fingerprinting puts all the devices in the same configured role.

You might want all iPhones to fall in one particular role, but you want the iPhone of the CEO to fall in a special role where all access is allowed.

 

Environment : This article applies to all Aruba controllers and Aruba OS 6.1.x and above.

 

Configuration Steps :

  1. Enable debugging for DHCP on the controller to see the option for DHCP.


#configure t
# logging level debugging network process dhcpd subcat dhcp




  1. Create an open SSID and connect the iPhone to it. See that it has taken the logon role.


# show user

Users
---------

IP             MAC                  Role
-----------    -----------------    -----------------
10.1.1.250     28:e0:2c:5e:eb:bd    logon




  1. See the debug and note the value. This value is common for all iPhones and allows you to put the users in a preconfigured role.


# show log network 5 | include 28:e0:2c:5e:eb:bd 

See the output for the DHCP debug here. Select the signature to identify only iPhones.
 

  1. Make a rule that puts all iPhones in one role.

    #config t
    # aaa derivation-rules user udr-try
    #set role condition dhcp-option equals 370103060F77FC set-value iphone-role

     

 

  1. Issue the ‘aaa user delete all’ command and try again.

    # aaa user delete all
     

 

  1. When you connect the user, see that the iPhones fall in the correct role.


    # show user

    Users
    ---------

    IP             MAC                  Role
    -----------    -----------------    -----------------
    10.1.1.250     28:e0:2c:5e:eb:bd    iphone-role              
    10.1.1.249     68:09:27:eb:fa:c1    iphone-role


     
  2. Configure the hostname in the iPhone.
     

a) Tap the Settings icon on the iPhone.

User-added image




b) Go to General under Settings.

User-added image


c) Tap Name.

User-added image




d) Change the name to a secret hostname.

User-added image



  1. Connect the iPhone to the network and take its debug.

See that the debug output has changed. Use the changed signature to identify the new device.


  1. Make another UDR role based on the changed DHCP value.

    # config t
    # aaa derivation-rules
    # set role condition dhcp-option equals 0c5269617a set value spl-role position 1


     
  2. Connect the two phones, one with the hostname and the other without the hostname.

See that one gets the iPhone role and the other gets the spl-role.

# show user

Users
---------

IP                    MAC                  Role
-----------          -----------------    -----------------
10.1.1.250            28:e0:2c:5e:eb:bd    spl-role  
            
10.1.1.249                68:09:27:eb:fa:c1    iphone-role

Version history
Revision #:
1 of 1
Last update:
‎07-08-2014 04:46 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: