How device type classification works in Aruba controller and how to verify if its working correctly?

By Arunkumar posted Jun 26, 2014 03:48 PM


This article applies to all the controller models and OS version


Device Type Classification:



When you select this option, the controller will parse user-agent strings and attempt to identify the type of device connecting to the AP. When the device type classification is enabled, the Global client table shown in the Monitoring>Network > All WLAN Clients window shows each client’s device type, if that client device can be identified.

Execute the command show user-table IP <IP address of the user> and check the filed "device type"

(ARUBA) #show user-table ip 
Name: host/, IP:, MAC: c0:18:85:3a:50:07, Role: authenticated, ACL: 113/0, Age: 00:05:43 
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-TLS, server: NPSSP- 
Bandwidth = No Limit 
Bandwidth = No Limit 
Role Derivation: default for authentication type 802.1x 
VLAN Derivation: Default VLAN 
Idle timeout (global): 3600 seconds, Age: 00:00:00 
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0 
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1 
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0 
IP User termcause: 1 
phy_type: a-HT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14 
Vlan default: 250, Assigned: 250, Current: 250 vlan-how: 1 DP assigned vlan:0 
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0 
SlotPort=0x2100, Port=0x10055 (tunnel 85) 
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a 
Current Role name: authenticated, role-how: 1, L2-role: authenticated, L3-role: authenticated 
Essid: Employee, Bssid: d8:c7:c8:f7:e3:59 AP name/group: SPcomms-room/Stockley-Park-2 Phy-type: a-HT-40 
RadAcct sessionID:n/a 
RadAcct Traffic In 10660/1815578 Out 5207/4667169 (0:10660/0:0:27:46106,0:5207/0:0:71:14113) 
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:Stockley-Park-Employee-Portal, dot1x:Dot1X-NPS-server, mac: CP: def-role:'logon' sip-role:'' via-auth-profile:'' 
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0 
IP Born: 1382434139 (Tue Oct 22 10:28:59 2013) 
Core User Born: 1382434136 (Tue Oct 22 10:28:56 2013) 
Upstream AP ID: 0, Downstream AP ID: 0 
Device Type: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 
L3-Auth Session Timeout from Radius: 0 
Mac-Auth Session Timeout Value from Radius: 0 
Dot1x Session Timeout Value from Radius: 0 
CoA Session Timeout Value from Radius: 0 
Dot1x Session Term-Action Value from Radius: Default 
Reauth-interval from role: 0 
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0 
Address is from DHCP: yes 

(LHRR1-DC-WIFI1) #show user-table | include c0:18:85:3a:50:07 host/ authenticated 00:05:47 802.1x SPcomms-room Wireless Employee/d8:c7:c8:f7:e3:59/a-HT Stockley-Park-Employee-Portal tunnel Win 7 GKAULDHAR-E6420 

Based on the above device string, Aruba controller classifies the device type based on the value (windows NT)

IN the above example, MSIE 9.0 denotes client is using Internet Explorer 9 and Windows NT 6.1 Denotes the OS as Win 7. 

We could also take a packet capture on the client while accessing a site in the browser. Open the packet capture file and check the HTTP packet and verify the UA string. 
rtaImage (2).jpg