Frequent Contributor I
Posts: 70
Registered: ‎01-03-2013

ArubaOS DHCP Fingerprinting

Hi,

Hope you are all good.

I want to configure "ArubaOS DHCP Fingerprinting". Please confirm whether this feature has been implemented and fully tested for the major OSes. Are the results good enough to be implementable for a very large network/environment?

Second, can someone please confirm: when successfully configured, does the client device get an IP from DHCP when the applied role/policy denies any kind of network service for a particular OS? Will the IP remain occupied by the client even if it is denied all services?

Scenario: We don't want iOS and Android devices of any sort using our wireless network and consuming IP addresses.

Any suggestion/help would be appreciated :)

Thanks.

Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: ArubaOS DHCP Fingerprinting

There is an ArubaOS DHCP Fingerprinting Validated Reference Design on the page here: http://www.arubanetworks.com/resources/reference-design-guides/

It will answer all of your questions.

With regards to "We don't want iOS and Android devices of any sort using our wireless network and consume IP addresses": what devices DO you want on your network? If you only want domain devices, you should probably "Enforce Machine Authentication". DHCP fingerprinting is an inefficient way to keep Android and iOS devices off of a domain network.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 70
Registered: ‎01-03-2013

Re: ArubaOS DHCP Fingerprinting

Thanks for the quick response :)

Yes, I have gone through the relevant VRD but was unable to find the answers.

In our network, we only allow Windows, Mac and Linux based devices, authenticated through WPA2-PSK and not 802.1X/domain authentication. These machines (Windows, Mac and Linux) could be personal or corporate devices. But no iOS and Android devices should be able to use the network services on the same SSID, even if the WPA2 key gets compromised.

I know there are more secure methods available than WPA2-PSK, but consider it a requirement of the network.

Can you please suggest anything to me now?

Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: ArubaOS DHCP Fingerprinting

Your ability to allow or stop devices from getting onto your network is dictated by the authentication method you choose. No matter what we implement you will have the following issues:

- Eventually the WPA2 key will get compromised
- DHCP fingerprinting will not work for devices that choose a static IP address.
- Personal devices, no matter the operating system consume the same amount of IP addresses.
- It is impossible to change the preshared key overnight, so you are stuck with everyone sharing the same key possibly for years. How do you stop people from getting into your network when everyone has the key to the front door?
- In Windows 7 the key can easily be revealed by others.

Long story short:

You should select a security protocol to meet your needs instead of trying to make an insecure method meet your security needs.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 70
Registered: ‎01-03-2013

Re: ArubaOS DHCP Fingerprinting

I do understand the risks involved in implementing WPA2-PSK as the authentication method. But my point was just to learn about the IP lease time for non-allowed OSes. For example, if a deny-all policy is created in a role and that role is assigned to an incoming request from one of the non-allowed OSes, how long will that device keep the IP that it got from DHCP?

Thanks.

Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: ArubaOS DHCP Fingerprinting

A device will consume a DHCP address before it is fingerprinted, so it will not do what you want it to do.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 70
Registered: ‎01-03-2013

Re: ArubaOS DHCP Fingerprinting

Thanks for your suggestions :)

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: ArubaOS DHCP Fingerprinting

You'd want to use ClearPass with MAC authentication to achieve what you are trying to do.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 204
Registered: ‎09-28-2010

Re: ArubaOS DHCP Fingerprinting

Just thinking here.....

Could you create a second "dummy" SSID for the iOS and Android devices, then use DHCP fingerprinting to force them onto that network? You'd still need to have a DHCP scope set up, but you could populate that with bogus info, then firewall that entire network into a deny-access role.

Sorry, I'm not yet on a version of code that supports DHCP fingerprinting, but it is something I'll be looking at very soon. Over half of the devices on my corporate network are iOS and Android devices. I've expanded my DHCP scope as far as I can, and dropped my leases down to 4 hours. Seems to be okay now.

Funny, I've never created any documentation on how to connect those iOS and Android devices. If only Windows made it as easy as those devices to connect, install the certificate, and store the username and password!

Frequent Contributor I
Posts: 68
Registered: ‎12-14-2012

Re: ArubaOS DHCP Fingerprinting

There seems to be a basic knowledge disconnect here. This is basic Net+ stuff.

1. The lease time is controlled by the DHCP server; it is a setting on the scope. The client will keep the IP address until it expires or the client is disconnected from the network.

So, to make what you want happen, do this:

1. Set up a dummy VLAN with no DHCP scope.

2. Set up a No_Access role (policy with one rule: Any Any Any Deny).

In the controller, VLAN and role assignment from DHCP fingerprinting is done through the "user rules" in the AAA profile.

When there are DHCP rules in the user rules, the controller will capture the DHCP request, read the options and determine what role and what VLAN to assign. Just assign the No_Access role and the dummy VLAN.

The user will get blocked and get no IP, so they will self-assign.
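To show what the "read the options and determine what role and what VLAN to assign" step in the post above actually does, here is an added toy in Python. It is not the controller's code and nothing from Aruba or the thread; it parses the options block of a DHCP Discover, builds an Option 55 (Parameter Request List) fingerprint and runs it through a small rule table that stands in for the AAA profile's user rules. The hex fingerprint format, the rule patterns, the role/VLAN values and the sample packets are all assumptions constructed for illustration, not real OS fingerprints or vendor data. The `derive(None)` case models Colin's static-IP caveat: a client that never sends DHCP produces no fingerprint and lands in the default role. And because the fingerprint is read from the DHCP request itself, the rule can only fire after the client has already asked for a lease, which is why the earlier answer says the address is consumed before fingerprinting.

```python
# Added example (not from the thread or from Aruba): a toy of what DHCP
# user-derivation rules do. Fingerprint format, rule table and sample packets
# are assumptions constructed for illustration.

OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 options magic cookie
DHCPDISCOVER = 1


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse a DHCP options block (magic cookie onward) into {code: value}.
    Raises ValueError on a truncated or malformed block instead of guessing."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker; ignore anything after it
            return opts
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    raise ValueError("options block has no END option")


def is_well_formed(payload: bytes) -> bool:
    """True if the options block parses cleanly; False for truncated/garbled input."""
    try:
        parse_dhcp_options(payload)
        return True
    except ValueError:
        return False


def fingerprint(opts: dict) -> str:
    """Fingerprint string the rules match against. Assumed format: option code
    0x37 followed by the raw Parameter Request List bytes, upper-case hex.
    Empty string when the client sent no Option 55."""
    prl = opts.get(OPT_PARAM_REQUEST_LIST)
    if prl is None:
        return ""
    return (bytes([OPT_PARAM_REQUEST_LIST]) + prl).hex().upper()


# Constructed stand-in for the controller's user-derivation rules:
# (operator, pattern, role, vlan). Patterns are illustrative, not real OS fingerprints.
RULES = [
    ("equals", "370103060F77FC", "No_Access", 999),   # assumed iOS-style request list
    ("starts-with", "3701032133", "No_Access", 999),  # assumed Android-style prefix
]
DEFAULT_ASSIGNMENT = ("authenticated", 100)           # role/VLAN when no rule matches


def derive(opts) -> tuple:
    """Return (role, vlan) for a client. Pass None for a client that never sent
    DHCP (static IP): it yields no fingerprint, so it gets the default role."""
    if opts is None:
        return DEFAULT_ASSIGNMENT
    fp = fingerprint(opts)
    for op, pattern, role, vlan in RULES:
        if op == "equals" and fp == pattern:
            return (role, vlan)
        if op == "starts-with" and fp.startswith(pattern):
            return (role, vlan)
    return DEFAULT_ASSIGNMENT


def build_options(prl: bytes, vendor_class: bytes = b"") -> bytes:
    """Construct a minimal DHCPDISCOVER options block for the samples below."""
    body = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
    body += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
    if vendor_class:
        body += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample requests (not captures from real devices).
IOS_LIKE = build_options(bytes([1, 3, 6, 15, 119, 252]))
ANDROID_LIKE = build_options(bytes([1, 3, 33, 51, 6, 15, 28, 44, 46, 47, 119]), b"dhcpcd")
WINDOWS_LIKE = build_options(bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]), b"MSFT 5.0")

if __name__ == "__main__":
    for name, pkt in (("ios-like", IOS_LIKE), ("android-like", ANDROID_LIKE),
                      ("windows-like", WINDOWS_LIKE)):
        o = parse_dhcp_options(pkt)
        print(f"{name:13s} fp={fingerprint(o):28s} -> role/vlan {derive(o)}")
    print(f"{'static-ip':13s} fp={'':28s} -> role/vlan {derive(None)}")
```

Two things a practitioner should take from running it: the match is purely on what the client chooses to put in its request, so anything that sends no DHCP (static address) or a request with an unlisted option order falls through to the default role; and the parser refuses truncated blocks rather than matching on partial data, which is the safe failure for anything that feeds a policy decision.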

 

 
