Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

  • 1.  COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    EMPLOYEE
    Posted Apr 23, 2011 09:00 AM
    DHCP Fingerprinting is a means of passively identifying the operating system of a device via options in a DHCP frame. Helpful resources for understanding DHCP fingerprinting are here: http://myweb.cableone.net/xnih/

    Aruba, as of ArubaOS 6.0.1.0, has added the capability of looking at these options in the DHCP frame and changing the role of an incoming device accordingly. This provides additional visibility and functionality, as well as security, for your mobility network.

    One use is to differentiate devices that share the same network. For example, if your wireless phones as well as your laptops both do 802.1x, instead of creating two separate networks for each, you can write a rule looking for that phone's DHCP option and put it into a role that optimizes VOIP traffic; the laptops will get the default enterprise role. If you have an 802.1x wireless network for your laptops and employees keep connecting to it with their smartphones, you could write a rule that gives smartphone users that connect via AD credentials a different role to keep that traffic separate from employee traffic, but allow them to easily connect to your network without having to type credentials into a tiny captive portal screen time and time again.

    The question is, how do you do it? These instructions assume that you already have a wireless network up and running. There are ONLY instructions here to ADD DHCP fingerprinting to an existing network. Here is how you do it:

    1 - Ensure that you have ArubaOS 6.0.1.0 or later running on your controller (only supported on the 600 series, 3000 series and M3 controller).
    2 - Configure Network DHCP debugging to see the DHCP options
    3 - Attach the client and observe the options
    4 - Create a role for that client
    5 - Write a user derivation rule referencing that DHCP option and that role
    6 - Attach your user derivation rule to the AAA profile of an existing wireless network.

    The first step should be easy, I hope.

    2.
    To configure DHCP debugging, enter enable mode on your controller and type the following:



    3.
    Make sure that client is not in the user table:




    Attach your client to the network

    Type "show log network all | include Option" on the commandline. You should see something like below:

    Apr 23 07:01:55 :202536:  



  • 2.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    Posted Nov 24, 2011 01:24 PM

    Hi,

     

    apologies if this is a dumb question - but, can I create a rule in a similar fashion that prohibits certain devices (i.e., based on this DHCP signature) from accessing the network?

     

    also, I am not sure whether this is related or not, and I apologize if not, but if I create an IDS profile with a signature on the controller (e.g., looking for certain packet content), how do I tie that to a policy rule to stop forwarding packets that contain the signature (I assume the signature detection happens on the controller and not the AP). So, is it possible to tie the IDS signature in a rule?

     

    thanks,



  • 3.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    EMPLOYEE
    Posted Nov 24, 2011 01:49 PM

    1.  You can create a role that has a "blockall" firewall policy and write a user derivation rule that looks for a signature and puts those devices into that role

     

    2.  Not related; should be in a different post, but...  You can only log the result of a signature match.  You cannot take any action on it.



  • 4.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    MVP
    Posted Nov 25, 2011 06:22 AM

    Anyone else having a lot of issues with this DHCP fingerprinting + user derivation rules?

    For a few customers I've configured a user derivation rule that allows iOS, Android and BlackBerry devices access to email on the guest SSID without having to go through the captive portal.

     

    This works fine most of the time, but too often the device will get stuck in the captive-portal user role instead of bypassing this with the user derivation rules we set up. On debugging we can see that after a roam the client ends up in the default role for the SSID. Nothing can be seen concerning fingerprinting or user derivation rules then.



  • 5.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    EMPLOYEE
    Posted Nov 25, 2011 09:42 AM

    Please open a TAC case.  That should not be happening.

     



  • 6.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    Posted Nov 29, 2011 08:56 AM

    @cjoseph wrote:
    2.
    To configure DHCP debugging, enter enable mode on your controller and type the following:

    Missing the following command there.. :)
    logging level debugging network subcat dhcp
    I just used your guide and have got it working perfectly. Thanks.

    Samsung NP-NC10 Netbooks have a DHCP option of 37010f03062c2e2f1f21f92b in case anyone needs it. 

    James


  • 7.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    Posted Dec 07, 2011 01:48 PM

    Just a quick note that Aruba has posted an application note on the public website for DHCP and device fingerprinting:

    http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf



  • 8.  RE: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

    Posted Jun 17, 2012 07:45 AM

    37012103061c333a3b

     

    Enjoy.
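The fingerprint strings in this thread (the Samsung NP-NC10 value in post 6 and the value in post 8) are the DHCP option 55 (parameter request list) written as the option code 0x37 followed by the option's value bytes, and the user derivation rule in post 1 is matched against that string to pick a role. The Python below is an added example, not code from the original post or from HPE Aruba Networking: it parses the raw TLV option field of a DHCP message, builds the fingerprint in that "37..." form, decodes the two posted fingerprints back into the option codes the client asked for, and applies an ordered rule list with a simplified set of operators (equals / starts-with / contains, assumed here to model the controller's first-match behaviour). The role names, the `build_options` helper and the rule table are constructed for the example.

```python
"""DHCP option-55 fingerprint decoder and user-derivation-rule matcher (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OPT_PAD, OPT_PARAM_REQ_LIST, OPT_END = 0, 55, 255

# Fingerprints quoted in the thread: post 6 (Samsung NP-NC10) and post 8.
SAMSUNG_NC10_FP = "37010f03062c2e2f1f21f92b"
POST8_FP = "37012103061c333a3b"


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option field of a DHCP message (bytes after the magic cookie).

    A truncated option raises ValueError so a malformed frame can never yield a
    partial fingerprint that happens to match a rule.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker: ignore anything after it
            break
        if i + 1 >= len(options):
            raise ValueError(f"option {code} is missing its length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: want {length} bytes, have {len(value)}")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(options: bytes) -> Optional[str]:
    """Return the option-55 fingerprint as '37' + value hex, or None if absent."""
    value = parse_dhcp_options(options).get(OPT_PARAM_REQ_LIST)
    if value is None:
        return None
    return f"{OPT_PARAM_REQ_LIST:02x}{value.hex()}"


def parameter_list(fp: str) -> List[int]:
    """Decode a '37...' fingerprint back into the list of requested option codes."""
    raw = bytes.fromhex(fp)
    if not raw or raw[0] != OPT_PARAM_REQ_LIST:
        raise ValueError("not an option-55 fingerprint")
    return list(raw[1:])


@dataclass
class Rule:
    operator: str   # assumed simplified operator set: equals | starts-with | contains
    pattern: str
    role: str

    def matches(self, fp: str) -> bool:
        fp, pat = fp.lower(), self.pattern.lower()   # hex is compared case-insensitively
        if self.operator == "equals":
            return fp == pat
        if self.operator == "starts-with":
            return fp.startswith(pat)
        if self.operator == "contains":
            return pat in fp
        raise ValueError(f"unknown operator {self.operator!r}")


def derive_role(fp: Optional[str], rules: List[Rule], default_role: str) -> str:
    """First matching rule wins; no match, or no option 55 at all, keeps the default role."""
    if fp is None:
        return default_role
    for rule in rules:
        if rule.matches(fp):
            return rule.role
    return default_role


def build_options(param_list: bytes) -> bytes:
    """Constructed DHCPDISCOVER option field: message type (53) = 1, option 55, end."""
    return bytes([53, 1, 1, OPT_PARAM_REQ_LIST, len(param_list)]) + param_list + bytes([OPT_END])


# Constructed rule table; role names are placeholders, not from the thread.
RULES = [
    Rule("equals", SAMSUNG_NC10_FP, "netbook-role"),
    Rule("starts-with", "37012103061c", "mobile-role"),
]

if __name__ == "__main__":
    for fp in (SAMSUNG_NC10_FP, POST8_FP):
        print(fp, "->", parameter_list(fp), "->", derive_role(fp, RULES, "authenticated"))
    print(fingerprint(build_options(bytes.fromhex(POST8_FP[2:]))))
```

Two points worth keeping in mind when writing rules this way: the parameter request list is whatever the client chose to send, so a fingerprint-derived role is a convenience for known device classes and not an authentication decision, and rule order matters because the first match wins, so put the most specific `equals` rules before broad `starts-with` ones.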