Security, WIDS/WIPS and Aruba ECS


How do we identify Ipads?

This is a fantastic feature that I'm very excited about. It would be extremely powerful to be able to demo this to a customer; however, the configuration appears to be overly complicated and it doesn't scale.

I'd like to use this feature to ensure that all iPads were assigned a role that restricted their network access so they can only access the internet; however, I do not want to have to go through the above procedure every time another iPad is put on the network.

Our controller is on 6.1.0.0; it is able to see what OS is running on each device connected when looking at "Controller > Clients".

Is it not possible to use role-derivation on the device type that they are already recognised as?
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
---------------------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Aruba Employee

Re: How do we identify Ipads?

James - the setup above will identify all iPads (unless the DHCP fingerprint changes, which is unlikely). You won't have to do it for each new iPad, only each new device type (RIM, Android, etc).

Re: How do we identify Ipads?

Ah ok. Thanks for that. I've tried it on our controller and I'm not convinced that it's working as it should. Will double check tomorrow and post results.

Can anyone confirm that this feature is working in 6.1.0.0?
Cheers
James

Aruba Employee

Re: How do we identify Ipads?

Yes, the feature works in 6.1.0.0 (assuming the configuration is correct... :))

Please post more details about your config and we can help. Also, you can always open a support case and have them spend more 1-on-1 time with you.
Occasional Contributor II

Re: How do we identify Ipads?

This already works in 6.0.1.2 with no configuration changes necessary. Some examples of devices I've seen identified in my "clients" list under monitoring are Roku, iPad, iPhone, iPod, Wii, PlayStation3, AppleTV, Windows (I've seen all flavours of Windows broken down to Vista, 7, XP etc). The only things I haven't seen show up in clients which I know exist on my networks are Xboxes. I think they're showing up as XP or Vista.

Jesse
Guru Elite

Re: How do we identify Ipads?


Ah ok. Thanks for that. I've tried it on our controller and I'm not convinced that it's working as it should. Will double check tomorrow and post results.

Can anyone confirm that this feature is working in 6.1.0.0?




There are two different things here:

1. OS detection for devices in the user table (taken from the device's user agent in their browser)
2. DHCP fingerprinting which allows you to change the role of a device.

The first component is on by default and displays the OS based on the user agent seen when a device does a transaction over port 80 (mostly browsers, sometimes other applications). It is a read-only component and you cannot use it to influence anything about a client. It just displays what OS it assumes the client is based on the browser agent. It is very easy to associate a client, open a browser and see the operating system in the user table. No intervention from the administrator is required.

The second component is reading the DHCP option coming from a device and changing its role. This component requires that the administrator know or find out the DHCP signature he is looking for. When he finds that out, he can change the role of an already authenticated 802.1x client by simply writing a user role and associating it to an already EXISTING aaa profile. In other words, if you already have 802.1x set up for wireless, to change the role of a device that is an iPad, you would do this:

config t
aaa derivation-rules user change-role-of-ios-device
   set role condition dhcp-option equals "370103060F77FC" set-value Apple-IPAD

aaa profile dot1x-profile
   user-derivation-rules change-role-of-ios-device

That is it!


Colin Joseph
Aruba Customer Engineering
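
Added example, not part of the post above and not Aruba code: a sketch of how the dhcp-option signature in that rule relates to the options a client sends, assuming the signature is the option code byte followed by that option's data, which is how the value in the post decodes (0x37 is option 55, the parameter request list). The sample option bytes and the default role name are constructed for illustration.

```python
# Added example (not from the thread): rebuild the controller-style signature
# from a client's raw DHCP options and apply the rule from the post.

def parse_dhcp_options(blob: bytes) -> dict:
    """Parse the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad option: single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + data   # repeated options concatenate
        i += 2 + length
    return opts

def signature(opts: dict, code: int = 55):
    """Hex of the option code followed by its data, or None if absent."""
    if code not in opts:
        return None
    return (bytes([code]) + opts[code]).hex().upper()

# Signature and role name are the ones in the post above.
RULES = {"370103060F77FC": "Apple-IPAD"}

def derive_role(blob: bytes, default_role: str = "authenticated") -> str:
    """default_role is a hypothetical name for the role the client already has."""
    return RULES.get(signature(parse_dhcp_options(blob)), default_role)

# Constructed sample option fields (not captured traffic).
IPAD_DISCOVER = bytes.fromhex("350101" "3706" "0103060F77FC" "0C04" "69506164" "FF")
# Same requested options in a different order: the exact-match rule does not fire.
REORDERED = bytes.fromhex("350101" "3706" "0301060F77FC" "FF")

if __name__ == "__main__":
    for name, blob in (("ipad", IPAD_DISCOVER), ("reordered", REORDERED)):
        print(name, signature(parse_dhcp_options(blob)), derive_role(blob))
```

The signature is built from what the client itself sends in its DHCP request, so a rule like this suits moving a device type into a narrower role rather than into one with more access.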


Re: How do we identify Ipads?




I asked them first and they sent me the link to this forum post!

I've got it working now for our iPads so thanks for your help. :)

Cheers
James
