Guru Elite
Posts: 20,811
Registered: 03-29-2007

COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

DHCP Fingerprinting is a means of passively identifying the operating system of a device via options in a DHCP frame. Helpful resources for understanding DHCP fingerprinting are here: http://myweb.cableone.net/xnih/

Aruba, as of ArubaOS 6.0.1.0, has added the capability of looking at these options in the DHCP frame and changing the role of an incoming device accordingly. This provides additional visibility and functionality, as well as security, for your mobility network.

One use is to differentiate devices that share the same network. For example, if your wireless phones and your laptops both do 802.1x, instead of creating two separate networks for each, you can write a rule looking for that phone's DHCP option and put it into a role that optimizes VOIP traffic; the laptops will get the default enterprise role. If you have an 802.1x wireless network for your laptops and employees keep connecting to it with their smartphones, you could write a rule that gives smartphone users that connect via AD credentials a different role to keep that traffic separate from employee traffic, but allow them to easily connect to your network without having to type credentials into a tiny captive portal screen time and time again.

The question is, how do you do it? These instructions assume that you already have a wireless network up and running. There are ONLY instructions here to ADD DHCP fingerprinting to an existing network. Here is how you do it:

1 - Ensure that you have ArubaOS 6.0.1.0 or later running on your controller (only supported on the 600 series, 3000 series and M3 controllers).
2 - Configure Network DHCP debugging to see the DHCP options
3 - Attach the client and observe the options
4 - Create a role for that client
5 - Write a user derivation rule referencing that DHCP option and that role
6 - Attach your user derivation rule to the AAA profile of an existing wireless network.

The first step should be easy, I hope.

2.
To configure DHCP debugging, enter enable mode on your controller and type the following:



3.
Make sure that client is not in the user table:




Attach your client to the network

Type "show log network all | include Option" on the commandline. You should see something like below:

Apr 23 07:01:55 :202536:   |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
Apr 23 07:01:55 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
Apr 23 07:15:45 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700
Apr 23 07:15:45 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700

To write the rule, you are looking for an option that has a 0c, 37, 3c or 51 before the colon. The numbers you are concerned with are the two digits BEFORE the colon and the numerals after it. In the output above, my Roku box has the MAC address of 00:0d:4b:78:9f:07. On that line it has an option that begins with 37, so that is what I am going to use. When the rule is written, I will put the 37 together with the 0103060f0c following the colon and I get a string of 370103060f0c. We will write the user rule right after we create the role for my Roku.

4.
To create a role for my Roku box, I do nothing fancy, I just create a role and add the allowall firewall policy to it, just to see if my rule was matched:

config t
user-role Roku
access-list session allowall
exit



5.
After that, I write a user derivation rule that references my string above and changes the role to Roku (I will also add a rule for my Android device that I know the fingerprint for already):

config t
aaa derivation-rules user dhcp-fingerprint-rule (dhcp-fingerprint-rule is whatever you want to name it)
set role condition dhcp-option equals "370103060f0c" set-value Roku
set role condition dhcp-option equals "3c64686370636420342e302e3135" set-value android
exit


6.
Next, I attach the user derivation rule to the corresponding AAA profile of my existing wireless network:

config t
aaa profile
user-derivation-rules dhcp-fingerprint-rule
exit

To monitor what is happening with my client, I turn on user-level debugging for him:

config t
logging level debug user-debug
exit

I attach my client and show the debug to see if he is being placed in the right role:

show log user-debug all | include 

Apr 22 13:01:58 :522026: |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=1
Apr 22 13:01:58 :522004: |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 50, signature 32C0A801F2
Apr 22 13:01:58 :522004: |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 54, signature 36C0A80103
Apr 22 13:01:58 :522004: |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 55, signature 370103060F0C
Apr 22 13:01:58 :522019: |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0.0.0 Derived role 'Roku' from user rules: utype=L2

As you can see, it changed the device to the role of Roku, because of our rules and because it matched that option 55.

When I type "show user" it should be in the Roku role:

(3600) #        show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
192.168.1.242 00:0d:4b:78:9f:07 Roku 01:01:49 00:0b:86:64:1e:60 Wireless PatchMe/00:1a:1e:50:0d:70/g-HT default-aaa tunnel Roku

User Entries: 1/1


To see how many times my rule was triggered, I can type "show aaa derivation-rules user ":

(3600) #show aaa derivation-rules user dhcp-fingerprint-rule

User Rule Table
---------------
Priority Attribute Operation Operand Action Value Total Hits New Hits Description
-------- --------- --------- ------- ------ ----- ---------- -------- -----------
1 dhcp-option starts-with 370103060f0c set role Roku 20 0
3 dhcp-option equals 3c64686370636420342e302e3135 set role android 6 0 HTC Thunderbolt

Rule Entries: 2


As you can see, I got 20 hits from the Roku rule. You can run this command over and over to see how many devices are classified.

Some rules that were written for common devices are as follows:

aaa derivation-rules user MobileDevice
set role condition dhcp-option equals "0C576969" set-value nintendo-wii
set role condition dhcp-option equals "3701032A0406070C0F1A2C33363A3BBE" set-value lexmark-x4580
set role condition dhcp-option equals "370103060F77FC" set-value Apple-IPAD
set role condition dhcp-option equals "3C64686370636420342E302E3135" set-value Android
set role condition dhcp-option starts-with "0c616E64726F69645F" set-value Android
set role condition dhcp-option equals "3C426C61636B4265727279" set-value BlackBerry
set role condition dhcp-option equals "370103060f775ffc2c2e2f" set-value apple-mac


Posted some other DHCP Fingerprint Signatures here: http://airheads.arubanetworks.com/vBulletin/showpost.php?p=12629&postcount=2


Colin Joseph
Aruba Customer Engineering

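As an added example (not the post's or Aruba's own code), the following Python rebuilds the signature strings that the derivation rules compare against from REQUEST lines in the "show log network" format above, evaluates a rule table in priority order with the same equals / starts-with operations, and decodes the ASCII options (0c host name, 3c vendor class) so you can see what a signature claims. The log lines and rule table are constructed from values in the post; the "guest" fallback role is an assumption.

```python
import re

# Constructed REQUEST lines in the format of "show log network all | include Option".
LOG_LINES = [
    "Apr 23 07:01:55 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 "
    "reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936",
    "Apr 23 07:15:45 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:1b:63:f0:42:38 "
    "reqIP=192.168.1.254 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:01001b63f04238 33:0076a700",
]
# Rule table modelled on the post's derivation rules: (operation, operand, role), in priority order.
RULES = [
    ("equals", "370103060f0c", "Roku"),
    ("equals", "370103060f775ffc2c2e2f", "apple-mac"),
    ("equals", "3C64686370636420342E302E3135", "android"),
    ("starts-with", "0c616E64726F69645F", "Android"),
]
LINE_RE = re.compile(r"REQUEST (?P<mac>[0-9a-f:]{17}) reqIP=(?P<ip>\S+) Options (?P<opts>.*)$")

def parse_request(line):
    """Return (mac, ip, {option_code: hex_value}) for a REQUEST line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    opts = dict(tok.split(":", 1) for tok in m.group("opts").split())
    return m.group("mac"), m.group("ip"), opts

def signatures(opts):
    """A signature is the two-digit option code joined to its hex payload, e.g. '37' + '0103060f0c'."""
    return [(code + value).lower() for code, value in opts.items()]

def derive_role(opts, rules=RULES, default="guest"):
    """First rule that matches any signature wins (lowest priority number first); hex is case-insensitive."""
    for op, operand, role in rules:
        operand = operand.lower()
        for sig in signatures(opts):
            if (op == "equals" and sig == operand) or (op == "starts-with" and sig.startswith(operand)):
                return role
    return default  # assumed fallback: no rule matched, keep the AAA profile's initial role

def decode_text_option(opts, code):
    """Options 0c (host name) and 3c (vendor class) are ASCII chosen by the client,
    so decoding them shows what a signature such as 3c6468637063... actually claims."""
    raw = opts.get(code)
    return bytes.fromhex(raw).decode("ascii", "replace") if raw else None

def classify(lines):
    """Map each MAC seen in the log to the role the rule table derives for it."""
    result = {}
    for mac, _ip, opts in filter(None, map(parse_request, lines)):
        result[mac] = derive_role(opts)
    return result
```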

New Contributor
Posts: 1
Registered: 11-20-2011

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

Hi,

Apologies if this is a dumb question, but can I create a rule in a similar fashion that prohibits certain devices (i.e., based on this DHCP signature) from accessing the network?

Also, I am not sure whether this is related or not, and I apologize if not, but if I create an IDS profile with a signature on the controller (e.g., looking for certain packet content), how do I tie that to a policy rule to stop forwarding packets that contain the signature (I assume the signature detection happens on the controller and not the AP)? So, is it possible to tie the IDS signature in a rule?

thanks,

Guru Elite
Posts: 20,811
Registered: 03-29-2007

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

1.  You can create a role that has a "blockall" firewall policy and write a user derivation rule that looks for a signature and puts those devices into that role.

2.  Not related; should be in a different post, but...  You can only log the result of a signature match.  You cannot take any action on it.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 757
Registered: 03-25-2009

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

Anyone else having a lot of issues with this DHCP fingerprinting + user derivation rules?

For a few customers I've configured a user derivation rule that allows iOS, Android and BlackBerry devices access to email on the guest SSID without having to go through the captive portal.

This works fine most of the time, but too often the device will get stuck in the captive-portal user-role instead of bypassing this with the user derivation rules we set up. On debugging we can see that after a roam the client ends up in the default role for the SSID. Nothing can be seen concerning fingerprinting or user-derivation rules then.

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 20,811
Registered: 03-29-2007

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

Please open a TAC case.  That should not be happening.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 952
Registered: 04-13-2009

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)


cjoseph wrote:
2.
To configure DHCP debugging, enter enable mode on your controller and type the following:

Missing the following command there.. :)
logging level debugging network subcat dhcp
I just used your guide and have got it working perfectly. Thanks.

Samsung NP-NC10 Netbooks have a DHCP option of 37010f03062c2e2f1f21f92b in case anyone needs it. 

Cheers,
James

@whereisjrw | blog
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

Moderator
Posts: 16
Registered: 04-21-2009

Re: COTD: DHCP Fingerprinting how-to (ArubaOS 6.0.1.0 and above)

Just a quick note that Aruba has posted an application note on the public website for DHCP and device fingerprinting:

http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

Sr. Director Business Operations, Aruba Networks
MVP
Posts: 1,403
Registered: 05-28-2008

Android 4.0.X DHCP FINGERPRINT

37012103061c333a3b

Enjoy.

2Plus Wireless Solutions