Security

Reply
Super Contributor II

Auto detecting Amazon Echo devices

Clearpass thinks the Amazon Echo I've connected to the network is a Kindle. Now I can fix this manually but its a real pain if you;re trying to reastrict the types of device conecting to the psk network and expecting an end user to connect their device.

 

 

I've enabled IF-MAP on the mobility controller and its generating a User Agent string of the form shown below. Any way this is an Amazon Echo unique string ?

Dalvik/2.1.0 (Linux; U; Android 5.1.1; AEORD Build/LVY48F)

Super Contributor II

Re: Auto detecting Amazon Echo devices

o.k. the clearpass definition of an Amazon Echo doesn;t have OUI 4cefco as one of the valid strings to identify an echo

Guru Elite

Re: Auto detecting Amazon Echo devices

AEORD is the model number

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: Auto detecting Amazon Echo devices

o.k. so how would I take the existing fingerprint for an Amazon Echo and

a). add an extra OUI as per the device I've got

b). add a check for a uer agent string containing AEORD

 

?

 

 

Guru Elite

Re: Auto detecting Amazon Echo devices

You don't. You'd use it role mapping.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: Auto detecting Amazon Echo devices

o.k. thats the user agent string as per the example you had for legacy devices. ok makes sense.

 

Is there an XML  schema for a device fingerprint we can use a template for creating our own custom fingerprints ?

 

Guru Elite

Re: Auto detecting Amazon Echo devices

No, there's not.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: Auto detecting Amazon Echo devices

more to the point, if you create a custom fingerproint.... and its wrong, how do you delete a custom fingerprint?

Super Contributor II

Re: Auto detecting Amazon Echo devices

o.k. found how to delete a fingerpring ...but

 

Got an echo that has the following setup as shown by access tracker

I then created a custom fingerprint using

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>
<DeviceFingerprints>
<DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
<FingerprintRules>
<FingerprintRule match-conditions="ALL">
<RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
<RuleCondition name="dhcp.option55" operator="contains">
<valueList>1,33,3,6,15,28,51,58,59</valueList>
</RuleCondition>
<RuleCondition name="dhcp.option60" operator="contains">
<valueList>dhcpcd-5.5.6</valueList>
</RuleCondition>
<RuleCondition name="dhcp.options" operator="contains">
<valueList>53,50,57,60,12,55</valueList>
</RuleCondition>
<RuleCondition name="mac" operator="contains">
<valueList>34d270,40b4cd,fca667,8871e5,4cefc0</valueList>
</RuleCondition>
</FingerprintRule>
</FingerprintRules>
</DeviceFingerprint>
</DeviceFingerprints>
</TipsContents>

Deleted the endpoint entry and rebooted the Echo..... and it still comes back as a Kindle, so why doesn't my custom fingerprint kick in first?

A

 

 

MAC VendorAmazon Technologies Inc.
Added byPolicy Manager
StatusKnown
Device CategorySmartDevice
Device OS FamilyAndroid
Device NameKindle
MAC Address4cefc0ae4bb6
IP Address10.241.88.152
Static IPfalse
Hostnameamazon-488bf99be
Profile Conflictfalse
Added DateJul 24, 2018 15:32:59 BST
Updated DateJul 24, 2018 15:32:59 BST
Fingerprint Details -
DHCP Option60["dhcpcd-5.5.6"]
DHCP Options["53,50,57,60,12,55"]
DHCP Option55

["1,33,3,6,15,28,51,58,59"]

Super Contributor II

Re: Auto detecting Amazon Echo devices

Gwtting closer..... If I just have

 

<FingerprintRules>
<FingerprintRule match-conditions="ALL">
<RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
<RuleCondition name="dhcp.option55" operator="contains">
<valueList>1,33,3,6,15,28,51,58,59</valueList>
</RuleCondition>
<RuleCondition name="dhcp.option60" operator="contains">
<valueList>dhcpcd-5.5.6</valueList>
</RuleCondition>
<RuleCondition name="dhcp.options" operator="contains">
<valueList>53,50,57,60,12,55</valueList>
</RuleCondition>
<RuleCondition name="mac" operator="contains">
<valueList>4cefc0</valueList>
</RuleCondition>
</FingerprintRule>
</FingerprintRules>

 

and only specify 1 OUI then it works! How do I specify multiple OUIs and mean if one of these exisits ....

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: