With organizations encouraging corporate users to bring their own devices to work, IT staff face the challenge of differentiating between the devices. Aruba Instant’s Mobile Device Access Control can differentiate devices based on:
a) DHCP Fingerprinting
b) EAP Type
This guide provides background information on DHCP fingerprinting and walks through the configuration and troubleshooting steps.
DHCP is a 4-step client-server exchange through which the client obtains an IP address and other network parameters, such as the gateway IP address and DNS server, from the server. The diagram below is an overview of the client-server transaction.
Along with the actual request, the DHCP messages carry “DHCP Options”, a set of configuration parameters and other control information. These options can be used to uniquely identify a device type / OS type.
Below is an example of DHCP Options from a Windows 7 client’s DHCP Discover.
As can be seen in the above example, all DHCP Options are of the format [Option][Length][Value], where Option is the hex value of the option number. Example: Option 61 would be 3D in hex.
Aruba Instant’s DHCP fingerprinting uses only the Option & Value; the Length byte is left out. Example: the DHCP fingerprint for Option 61 would be 3D010022FA5F66D6 (see the above screenshot).
DHCP fingerprinting is based on inspecting the DHCP options of DHCP Discover & Request, i.e. client-initiated DHCP traffic.
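The Option & Value format described above can be reproduced from a captured DHCP options field. The following Python sketch is an added example, not Aruba's code or part of the original guide; apart from the Option 61 value taken from the text, the sample bytes are constructed, and keeping only the first occurrence of a repeated option is an assumption.

```python
PAD, END = 0, 255  # single-byte options that carry no length or value


def dhcp_fingerprints(options: bytes) -> dict[int, str]:
    """Walk [Option][Length][Value] entries and return {option: fingerprint}.

    A fingerprint is hex(option) + hex(value); the length byte is dropped,
    matching the Option & Value format described in the text.
    """
    out = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: missing length byte")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # Assumption: if an option repeats, the first occurrence is kept.
        out.setdefault(code, f"{code:02X}{value.hex().upper()}")
        i += 2 + length
    return out


# Constructed options field of a DHCP Discover (everything after the magic cookie).
SAMPLE = bytes.fromhex(
    "350101"                # 53: message type = Discover
    "3D07010022FA5F66D6"    # 61: client identifier (value quoted in the text)
    "0C0457494E37"          # 12: host name "WIN7" (constructed)
    "3C084D53465420352E30"  # 60: vendor class "MSFT 5.0" (constructed)
    "370401030F06"          # 55: parameter request list (constructed)
    "FF"                    # end of options
)

if __name__ == "__main__":
    for opt, fp in dhcp_fingerprints(SAMPLE).items():
        print(f"Option {opt:>3}: {fp}")
```
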
Below is the list of DHCP options which can be used for role derivation. It should be noted that:
· Not all devices send all options. Example: Apple devices don’t send Option 60.
· Option 12 is configurable by the end user, i.e. less reliable.
The following software and hardware are used in this document to illustrate the concept and configuration steps.
Test Network Setup:
Role assignment via DHCP-Option is available under the Access tab of the SSID configuration. Below is an example screenshot. If a client doesn’t match any of the rules, it is assigned the Default role (in this example, Fingerprint).
The role assignment can be validated by checking the Clients tab of the User Interface. In the example below, the first two clients have matched a rule and been assigned the corresponding role (Win7 & MLion). The third didn’t match any rule and was assigned the default role.
Below is a table which includes fingerprints for major operating systems.
String Value for Windows 10
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.