Wireless Access

Occasional Contributor II

Can I use DHCP fingerprint to isolate devices in a specific VLAN

We are trying to move all the Androids and the iPhones into a specific VLAN where. Is this possible using DHCP fingerprint?

 

Adrian 

Aruba

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

Edited; see Colin's response below:

 

No, this is not possible as the fingerprinting takes place after the device is requesting a DHCP address (thus already assigned to a VLAN).   

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

This works as of ArubaOS 6.2 and above with open and encrypted SSIDs:

dhcp.png



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

Any other opinions? If this is possible, will you please add the required steps for setting it up?

Thanks

Guru Elite

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN


adrian.lupea@dc-uoit.ca wrote:

Any other opinions? If this is possible, will you please add the required steps for setting it up?

Thanks


The screenshot is from the 6.2 release notes.  The DHCP fingerprinting app note is here:  http://www.arubanetworks.com/wp-content/uploads/AOS-DHCP-FingerPrint-AppNote.pdf?repo=tech



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

1) Set up the UDR under Security > Authentication > User Rules

 

mc-udr-1.PNG

 

 

2) Apply the UDR to the AAA profile

 

mc-udr-2.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

Thank you all for the reply. Tim, I have done these steps but I am not sure what to do next. Maybe I should provide more info. We have an M3k with over 400 105 APs and 30 VLANs in an even pool. We have probably over 50% of the devices connected iPhones and Androids. We have issues with DHCP scopes being full, and even managing the lease time down to 30 minutes will create such a big difference between users, IPs in the controller VLAN and IPs in the DHCP server (external), like 2500/3000/5500. The DHCP requests/renewals also trigger DNS updates, and that is something we will try to avoid by moving all the iPhones and Androids into a different pool where we can manage the DHCP scope to not provide DNS pointers at all. We need the DNS for LAN Desk. Now if I fingerprint the Androids as an example, how will I manage to assign them to a different VLAN pool?

Tim, how do you manage this without ClearPass?

 

Adrian

Guru Elite

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

You can assign a single VLAN or a VLAN pool in the UDR.

 

After you have applied the UDR to the AAA profile, the configuration is complete.

 

Since you are using DHCP options instead of profiling data, ClearPass is not required for this situation.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
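
Added example, not part of the thread and not ArubaOS code: a Python sketch of what a DHCP-option derivation rule does, reading option 55 (the parameter request list) from a client's DHCP packet and mapping it to a VLAN. The fingerprint format (option code followed by the option value, in hex), the rule values, the VLAN numbers and the helper names are assumptions constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload."""
    # The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # repeated options are concatenated
        i += 2 + length
    return opts

def fingerprint(packet: bytes):
    """Hex of option code 55 plus its value, or None if the client sent no option 55."""
    prl = dhcp_options(packet).get(55)
    return None if prl is None else "37" + prl.hex().upper()

def derive_vlan(packet: bytes, rules, default_vlan: int) -> int:
    """First matching (fingerprint, vlan) rule wins; otherwise keep the default VLAN."""
    fp = fingerprint(packet)
    for wanted, vlan in rules:
        if fp == wanted:
            return vlan
    return default_vlan

def sample_discover(prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER: zeroed header, option 53 = 1, option 55 = prl."""
    return bytes(236) + MAGIC_COOKIE + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl + b"\xff"

# Constructed rule table: fingerprint "370103060F" goes to VLAN 210.
RULES = [("370103060F", 210)]

if __name__ == "__main__":
    print(derive_vlan(sample_discover(bytes([1, 3, 6, 15])), RULES, 100))
```

The fingerprint is built entirely from fields the client chooses to send, so the derived VLAN is a sorting decision based on client-supplied data.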
Occasional Contributor II

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

Thanks Tim. It still doesn't work. I can see the devices being assigned to different VLANs. Anything that needs to be done in the DHCP server?

Guru Elite

Re: Can I use DHCP fingerprint to isolate devices in a specific VLAN

What type of authentication are you using on the SSID?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480