Regular Contributor I

Clearpass DHCP Fingerprinting & Defence against Erroneous Leases

Guys,

Recently I had an incident on our company campus layer whereby leases were being consumed by an unidentified device.

The lease was handed out to a very unusual unique identifier.

After googling this I found out the unique device ID was in fact a hexadecimal representation of the actual acknowledged DHCP address in ASCII. Weird eh?

I put this into Excel, did the typical conversions, and then confirmed absolutely this to be precisely the case.

I forward all DHCP requests to ClearPass for device profiling; I like to know what goes on in our network.

I can't find any record of these DHCP requests in ClearPass. I was really, really, really, really disappointed about this.

Anyone know how I can interrogate the endpoint database more vigorously?

Being able to process a DHCP request for a fingerprint (based on a received DHCP transaction and not on a RADIUS message) and send an SNMP action to a switch seems kind of doable. Has anyone done this, and is anyone aware of real-life deployments of such a scenario?

Thanks.
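
Added example, not part of the original post: a Python check that flags leases whose unique ID is the hex encoding of an IP address written in ASCII, the pattern described above. The lease records, function names and verdict labels are constructed for illustration, and the ID display formats are assumptions.

```python
import ipaddress
import re

# Constructed sample records: (leased address, unique ID as a DHCP server
# might display it). Illustrative values, not taken from the thread.
SAMPLE_LEASES = [
    ("10.20.30.41", "31302e32302e33302e3431"),               # ASCII "10.20.30.41"
    ("10.20.30.42", "00:31:30:2e:32:30:2e:33:30:2e:34:32"),  # type byte 0 + ASCII
    ("10.20.30.43", "01:00:1a:2b:3c:4d:5e"),                 # type 1 + MAC (normal)
    ("10.20.30.44", "31302e32302e33302e3939"),               # ASCII "10.20.30.99"
    ("10.20.30.45", "not-hex"),
]

def decode_unique_id(uid):
    """Return the ID as bytes, or None when it is not a hex string."""
    cleaned = re.sub(r"^0x", "", uid.strip(), flags=re.I)
    cleaned = re.sub(r"[:\-\s.]", "", cleaned)  # common separator styles
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        return None
    return bytes.fromhex(cleaned)

def ascii_ip_in_id(raw):
    """Return the IP address spelled out in ASCII inside the ID, if any."""
    # A client identifier may start with a one-byte type field
    # (0 = not a hardware address), so try with and without it.
    for candidate in (raw, raw[1:] if raw[:1] == b"\x00" else b""):
        try:
            return ipaddress.ip_address(candidate.decode("ascii"))
        except ValueError:  # covers non-ASCII bytes and non-IP text
            continue
    return None

def classify(leased_ip, uid):
    raw = decode_unique_id(uid)
    if raw is None:
        return "unparsed"
    embedded = ascii_ip_in_id(raw)
    if embedded is None:
        return "ok"
    same = embedded == ipaddress.ip_address(leased_ip)
    return "id-is-leased-ip" if same else "id-is-other-ip"

def suspicious_leases(leases):
    """Return (ip, uid, verdict) for every lease that is not 'ok'."""
    return [(ip, uid, verdict) for ip, uid in leases
            if (verdict := classify(ip, uid)) != "ok"]

if __name__ == "__main__":
    for row in suspicious_leases(SAMPLE_LEASES):
        print(*row, sep="  ")
```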

Re: Clearpass DHCP Fingerprinting & Defence against Erroneous Leases

While a bit off topic here, what wired switches do you have and do they support DHCP snooping?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor I

Re: Clearpass DHCP Fingerprinting & Defence against Erroneous Leases

I thought DHCP snooping only protected you from rogue DHCP servers by creating trust boundaries that prevented key responses from being sent back to the requestor. But it did nothing to protect you from a requestor who was repeatedly asking for addresses from a changing MAC address? Does it do more than that?
Guru Elite

Re: Clearpass DHCP Fingerprinting & Defence against Erroneous Leases

Nik,

If you limited only one or two MAC addresses to a port on that physical switch, you would protect against that.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I

Re: Clearpass DHCP Fingerprinting

Weird, I thought DHCP snooping only protected you from rogue DHCP servers by creating trust boundaries that prevented key responses (such as offer and acknowledge) from being sent back to the requestor. But it did not protect you from a requestor who was repeatedly asking for addresses from a spoofed MAC? Does it do more than that?

Nicholas Sheridan
EBRD Networks
Desk: +44 (0) 20 7338 6996
Mobile: +44 (0) 7551 126097
Mail: sheridan@ebrd.com

Guru Elite

Re: Clearpass DHCP Fingerprinting

Nik,

Let's get back to your first comment....

We cannot respond with CPPM to a copy of a DHCP request, with any type of enforcement, no.

If you have an Aruba Controller you can enable "prevent-dhcp-exhaustion": http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/firewall.htm


Colin Joseph
Aruba Customer Engineering
