Contributor II
Posts: 64
Registered: 09-17-2011

Can you define Policy based on device type without Clearpass?

Hi there,

With AOS 6.x we have been advised that we can now identify the user device, such as an iPad vs. an iPhone vs. a Droid, for example.

However, we have been told that it is not possible to use this information to set an access policy on the controller or firewall to, for example, only allow iPads to connect to an internal VLAN.

Initial discussions with the reseller indicate that this can only be done with Clearpass.

Is this correct? If so, what advantage does being able to identify the device as an iPad provide in AOS 6.x?

Cheers

Wally

Regular Contributor II
Posts: 220
Registered: 10-09-2009

Re: Can you define Policy based on device type without Clearpass?

I would like to know this as well. Thanks for posting the question.

Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: Can you define Policy based on device type without Clearpass?

You can set a User Derivation Rule (UDR) under Authentication > User Rules. That UDR can then be applied to your AAA profile.

A UDR can match the DHCP fingerprint of a device and set a VLAN (for an iPad, set the DHCP option to 55/0x37 equals 370103060F77FC).

You can find other DHCP fingerprints by searching for "fingerprint" on Airheads.

What you have been told, I think, is that you can't use the browser-string detection of the OS (which is what you see when you do "show user") to enforce policies, since the client is already on the network once you see an HTTP packet.

Does that help?

Aruba Employee
Posts: 1
Registered: 11-19-2011

Re: Can you define Policy based on device type without Clearpass?

Hi @Wally,

At this moment we can accomplish fingerprinting in two ways: DHCP-based or via the HTTP user-agent field. The app note on how they can be configured is here: http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

Deriving roles can only be done via the DHCP-based approach. I have listed tables below of common signatures using various DHCP option fields, to expand on what @olino explained.

DHCP options could be classified as

  • device specific (i.e. a MAC address, hostname)
  • OS specific (i.e. Windows XP or iPhone/iPad)
  • unknown and not useful (i.e. requested IP address)

Common options and categorisation

Option Name | Value (dec) | Value (hex) | Category | Comment
Client Identifier | 61 | 3d | Device specific | MAC address of client, android seems to never send this
Host Name | 12 | 0c | Device specific/OS Specific | Often this is device specific
Vendor Class Identifier | 60 | 3c | OS Specific |
Requested Parameter List | 55 | 37 | OS Specific |

The two items above in red are the most useful. Vendor class becomes useful for dealing with Android devices especially, since they tend to exhibit different option 55 signatures model to model and manufacturer to manufacturer.

Common OS/Devices - option 55 signatures

OS | Match Option (dec/hex) | Match Type | Fingerprint | Comment | Contributed By
Android 2.x | 55/0x37 | starts-with | 37017921030 | partial match, seen in Android 2.x (HTC, SGS), may vary | jgoff
Android 2.3 | 55/0x37 | equals | 3701792103061c333a3b | Samsung Galaxy S with Android 2.3 | ChangHan
Blackberry | 55/0x37 | equals | 370103060F | unknown model of Blackberry | jgoff
iPhone/iPad | 55/0x37 | equals | 370103060F77FC | Common to most Apple i-devices | jgoff
Macbook | 55/0x37 | equals | 370103060F775FFC2C2E2F | Apple MacBook (assumed OS X) | jgoff
Maemo OS | 55/0x37 | equals | 370103060c0f111c28292a | Nokia N900 running Maemo OS | kmohammed
Nintendo DS | 55/0x37 | equals | 37010306 | | jgoff
Playstation 3 | 55/0x37 | equals | 3701031c060f | | jgoff
Symbian OS | 55/0x37 | equals | 370C060F01031C78 | Nokia N97 / SonyEricsson | jgoff/dnie
Win Mobile 6.x | 55/0x37 | equals | 370103060f2c2e2f | Seen on HTC phones with Win Mobile 6.x | dnie
Win XP | 55/0x37 | equals | 37010f03062c2e2f1f21f92b | exact match on WinXP | ChangHan
Win Vista | 55/0x37 | equals | 37010f03062c2ef1f2179f92b | exact match on Vista | ChangHan
Win 7 (korean) | 55/0x37 | equals | 37010f03062c2ef1f2179f92b | exact match on Win7 (korean edition) | ChangHan
Win 7 (eng) | 55/0x37 | equals | 37010f03062c2ef1f2179f92b | exact match on Win7 | ChangHan
Win (Multiple) | 55/0x37 | starts-with | 37010F03062C2E2F1 | Generic multi-version "windows" | jgoff

Common OS/Devices - option 60 signatures

OS | Match Option (dec/hex) | Match Type | Fingerprint | Comment | Contributed By
Android 2.x (multiple) | 60/0x3c | starts-with | 3c6468637063642034 | partial match on "dhcpcd 4" - caution: may match some linux | jgoff
BlackBerry | 60/0x3c | equals | 3c426c61636b4265727279 | match 'BlackBerry' option | jgoff
Maemo OS | 60/0x3c | starts-with | 3c756468637020302e392e39 | partial match on "udhcpd 0.9.9", used in Nokia N900 phones | kmohammed
Windows CE | 60/0x3c | equals | 3c4d6963726f736f66742057696e646f777320434500 | match "Microsoft Windows CE" - this may match MANY devices | dnie
Windows (Multiple) | 60/0x3c | equals | 3c4D53465420352E30 | match multiple windows versions with "MSFT 5.0" | jgoff

Not so common or to-be-(re)verified

OS | Match Option (dec/hex) | Match Type | Fingerprint | Comment | Contributed By
Cisco 1750 | 55/0x37 | equals | 3701060F2C0321962B | cisco 1750 VPN | jgoff
Linux generic | 55/0x37 | starts-with | 37011C02030F0677 | Debian/Linux 2.6 generic | jgoff
Linux (unknown) | 55/0x37 | equals | 37011C02030F06770C2C2F1A792A | tbd | ChangHan
Linux Debian 2.6.35 | 55/0x37 | equals | 37011c02030f06770c2c2f1a | Backtrack 4 R2 dhclient | jgoff
Palm PDA | 55/0x37 | equals | 37011C02030F060C | unknown model of Palm | jgoff
Samsung s8000 | 55/0x37 | starts-with | 370102030405060708090C0D0F1011171A1C2A2C3233353638 | | jgoff
Win CE Casio Scanner | 55/0x37 | equals | 370103060F2C2E2F | unknown model of Casio scanner | jgoff
Win CE Symbol Scanner | 55/0x37 | equals | 370103060F2C2E2F4243 | unknown model of Symbol scanner | jgoff
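As an added illustration (not part of this post or of the Aruba app note), the following Python matcher parses the option area of a DHCP request and applies a few rows from the tables above with the same "equals" / "starts-with" semantics, so you can see why the fingerprint hex starts with the option code byte (0x37 or 0x3c). The packet builder and the two sample requests are constructed here, and treating the UDR match as a case-insensitive hex comparison of option code plus value is an assumption.

```python
from typing import Dict, List, Optional, Tuple
# Rows from the tables above: (OS, option, match type, fingerprint = option code byte + value bytes, hex).
SIGNATURES = [
    ("iPhone/iPad",        55, "equals",      "370103060F77FC"),
    ("Win (Multiple)",     55, "starts-with", "37010F03062C2E2F1"),
    ("Windows (Multiple)", 60, "equals",      "3c4D53465420352E30"),
    ("BlackBerry",         60, "equals",      "3c426c61636b4265727279"),
]
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that follows the 236-byte BOOTP header

def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area of a BOOTP/DHCP packet and return {code: value}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def signature(code: int, value: bytes) -> str:
    return f"{code:02x}{value.hex()}"  # e.g. 0x37 + the parameter request list, as the tables write it

def classify(packet: bytes) -> Optional[str]:
    """First matching OS name, comparing hex case-insensitively; None if no row matches."""
    opts = parse_dhcp_options(packet)
    for name, code, match_type, fp in SIGNATURES:
        if code in opts:
            sig, fp = signature(code, opts[code]).lower(), fp.lower()
            if (sig == fp) if match_type == "equals" else sig.startswith(fp):
                return name
    return None

def build_discover(options: List[Tuple[int, bytes]]) -> bytes:
    """Constructed DHCPDISCOVER: zeroed BOOTP header (op/htype/hlen set), cookie, options, End."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6   # BOOTREQUEST, Ethernet, hardware address length 6
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(header) + MAGIC_COOKIE + body + b"\xff"
# Constructed samples (not real captures): an Apple i-device and a Windows XP-style client.
IPAD_DISCOVER = build_discover([(53, b"\x01"), (12, b"iPad"), (55, bytes.fromhex("0103060F77FC"))])
WINXP_DISCOVER = build_discover([(53, b"\x01"), (60, b"MSFT 5.0"), (55, bytes.fromhex("010f03062c2e2f1f21f92b"))])
```

Because the rows are checked in order, the Windows sample matches the option 55 "starts-with" row before its option 60 "MSFT 5.0" row is reached; a production rule set would decide that precedence explicitly.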