Windows XP

  • 1.  Windows XP

    Posted Mar 21, 2014 02:53 PM

    Hello

     

    I would like a suggestion on how to identify Windows XP on wireless using the controllers without ClearPass, and assigning them a new VLAN. Should I be able to accomplish this with fingerprinting on the controller?

     

    Thank you

    Nils



  • 2.  RE: Windows XP

    Posted Mar 21, 2014 02:57 PM

    Yes.  Start with Chapter 2:  http://www.arubanetworks.com/vrd/AOSDHCPFPAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

     

    You will need ArubaOS 6.2 and above to switch VLANs successfully.

     



  • 3.  RE: Windows XP

    Posted Mar 21, 2014 03:12 PM

    Thank you

     

    I am running 6.1.3.10 but reading the doc it should work on this code.



  • 4.  RE: Windows XP

    Posted Mar 21, 2014 04:33 PM

    nislau03,

     

    If you are using no encryption and want to put a Windows XP device into a different VLAN, your current code will work.  If you are using any type of encryption, there was a bug where you could not change VLANs with DHCP fingerprinting if the device is using encryption.  That is bug #61935, and it is fixed in ArubaOS 6.2; see the release notes attached.

     

     

    dhcp-finger.png

     

    Using a user derivation rule to change the role or VLAN of a device is different from what is shown in Airwave or even the controller.  The device that is shown in Airwave or in the controller is populated via the browser agent that the device uses.  DHCP fingerprinting puts a device into a different VLAN or role based on its DHCP fingerprint.  The DHCP fingerprinting Validated Reference Design is here: http://www.arubanetworks.com/vrd/AOSDHCPFPAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm




  • 5.  RE: Windows XP

    Posted Mar 24, 2014 04:03 PM

    Thank you for the tip about the bug; it saved me hours of troubleshooting.

     

     



  • 6.  RE: Windows XP

    Posted Mar 26, 2014 06:28 PM

    Taking this a bit further, is there a way, even if you are using encryption, to have the UDR redirect the user to a web page that would say something like "sorry, your device is Win XP and that is no longer allowed on our network"? Can mswitch be used somehow?

     

    Great timely info!

     

    Mike



  • 7.  RE: Windows XP

    Posted Apr 01, 2014 09:27 AM

    There is an option to include a captive portal profile in the derived role. I haven't tested to see if it will redirect the user to a captive portal.

     

     



  • 8.  RE: Windows XP

    Posted Apr 01, 2014 09:42 AM

    I am having an issue with the role assignment.

     

    I configured the user role derivation for the Windows XP machine to assign a role.

    In the role I assigned the VLAN.

     

    However, the user is getting the right role (Windows XP) but the VLAN is not changing. Any suggestions?
     

    I am running code 6.1.3.10

    AP 105

    Controller M3

     

     



  • 9.  RE: Windows XP

    Posted Apr 01, 2014 09:53 AM

    I see the user getting the role

     

    (HPD-LOCAL1) #show log user-debug 30 | include c8:d7:19:0f:2d:ea
    Apr 1 08:45:10 :522006:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User entry added: reason=Sibtye
    Apr 1 08:45:10 :522270:  <DBUG> |authmgr|  During User miss marking the user c8:d7:19:0f:2d:ea with ingress 0x1be6, connection-type 2 as wireless, muxtunnel = no
    Apr 1 08:45:10 :522049:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User role updated, existing Role=NSU_WindowsXP/NSU_WindowsXP, new Role=NSU_WindowsXP/NSU_WindowsXP, reason=user role from UDR
    Apr 1 08:45:10 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing
    Apr 1 08:45:10 :522026:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User miss: ingress=0x1be6, VLAN=1250
    Apr 1 08:45:10 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing
    Apr 1 08:45:10 :522026:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User miss: ingress=0x1be6, VLAN=1250
    Apr 1 08:45:10 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing



  • 10.  RE: Windows XP

    Posted Apr 01, 2014 10:24 AM

    Can you post the output of

     

    show user mac c8:d7:19:0f:2d:ea

    Is this a dot1x authentication?  Typically, the VLAN specified in the role only takes effect if an L2 authentication method is used.  The exception to that is if you apply a DHCP fingerprint rule, which will happen after the initial authentication.  I have used that before for a dot1x SSID, but not for an open SSID.  From the CLI guide:

     

    user-role-vlan.jpg

     

    Yes, if you put a captive portal profile in there, you can redirect those users to a page.



  • 11.  RE: Windows XP

    Posted Apr 01, 2014 10:29 AM

    I am testing on an open SSID with no authentication or encryption.

     

    (HPD-LOCAL1) #show user mac c8:d7:19:0f:2d:ea

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           u - User Index

      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----



    Name: , IP: 137.52.250.90, MAC: c8:d7:19:0f:2d:ea, Role:CPall, ACL:106/0, Age: 00:00:10
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: Matched user rule
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: a-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 1250, Assigned: 0, Current: 1250 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1041, Port=0x1a10 (tunnel 2448)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: CPall, role-how: 3, L2-role: CPall, L3-role: CPall
    Essid: NLT, Bssid: d8:c7:c8:18:ca:fb AP name/group: N-Test_105/test Phy-type: a-HT
    RadAcct sessionID:n/a
    RadAcct Traffic In 10/1163 Out 2/598 (0:10/0:0:0:1163,0:2/0:0:0:598)
    Timers: ping_reply 0, spoof reply 0, reauth 0, mac reauth 0
    Profiles AAA:OPEN_AAA, dot1x:Apple_802.1X, mac: CP:Guest-Amigopod_CP def-role:'CPall' sip-role:'' via-auth-profile:''
    ncfg flags udr 1, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1396361854 (Tue Apr  1 09:17:34 2014)
    Core User Born: 1396361850 (Tue Apr  1 09:17:30 2014)
    Upstream AP ID: 0, Downstream AP ID: 0
    Device Type: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Mac-Auth Session Timeout Value from Radius: 0


    Flags: W: WMM client, A: Active, K: 802.11K client, B: Band Steerable

    PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
                 <n>ss: <n> spatial streams

    Association Table
    -----------------
    Name        bssid              mac                auth  assoc  aid  l-int  essid  vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags
    ----        -----              ---                ----  -----  ---  -----  -----  -------  ---------  ---             -----------  ---------  -----
    N-Test_105  d8:c7:c8:18:ca:fb  c8:d7:19:0f:2d:ea  y     y      2    3      NLT    1250     0x1a10     a-HT-40sgi-2ss  10m:41s      1          WA

    c8:d7:19:0f:2d:ea-d8:c7:c8:18:ca:fb Stats
    ------------------------------------------
    Parameter                            Value
    ---------                            -----
    Channel                              40
    Channel Frame Retry Rate(%)          12
    Channel Frame Low Speed Rate(%)      0
    Channel Frame Non Unicast Rate(%)    42
    Channel Frame Fragmentation Rate(%)  48
    Channel Frame Error Rate(%)          0
    Channel Bandwidth Rate(kbps)         32
    Channel Noise                        91
    Client Frame Retry Rate(%)           0
    Client Frame Low Speed Rate(%)       0
    Client Frame Non Unicast Rate(%)     0
    Client Frame Fragmentation Rate(%)   0
    Client Frame Receive Error Rate(%)   0
    Client Bandwidth Rate(kbps)          0
    Client Tx Packets                    569
    Client Rx Packets                    29
    Client Tx Bytes                      11392
    Client Rx Bytes                      5223
    Client SNR                           29
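
Post 10 above makes the point that the VLAN in a user role normally only takes effect when it comes from an L2 authentication, and the show user mac output in this post shows what that looks like on the controller: Role Derivation is "Matched user rule" but VLAN Derivation is "unknown", and Assigned is 0 while Current still equals Vlan default. The Python below is an added example, not code from the thread or from Aruba: it parses those fields out of the output posted here (the lines it reads are reproduced as the sample input) and returns a verdict on whether the role's VLAN is actually in effect, together with whether the Device Type field (which, as post 4 notes, comes from the browser agent; Windows NT 5.1 is XP) agrees with the role assignment. The field names, the verdict strings and the helper names are my own.

```python
"""Pull role/VLAN state out of ArubaOS `show user mac` output and report
whether the VLAN carried by the derived role is actually in effect."""
import re
from typing import Any, Dict

# Lines from the `show user mac c8:d7:19:0f:2d:ea` output posted above
# (only the ones this check reads are reproduced).
SHOW_USER = """\
Name: , IP: 137.52.250.90, MAC: c8:d7:19:0f:2d:ea, Role:CPall, ACL:106/0, Age: 00:00:10
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: Matched user rule
VLAN Derivation: unknown
Vlan default: 1250, Assigned: 0, Current: 1250 vlan-how: 0 DP assigned vlan:0
    Current Role name: CPall, role-how: 3, L2-role: CPall, L3-role: CPall
Device Type: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
"""

# Field name (mine) -> regex over the controller output.
FIELDS = {
    "mac": r"MAC: ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    "role": r"Current Role name: ([^,]+),",
    "role_derivation": r"Role Derivation: (.+)",
    "vlan_derivation": r"VLAN Derivation: (.+)",
    "vlan_default": r"Vlan default: (\d+)",
    "vlan_assigned": r"Assigned: (\d+)",
    "vlan_current": r"Current: (\d+)",
    "device_type": r"Device Type: (.+)",
}


def parse_show_user(text: str) -> Dict[str, Any]:
    """Extract the fields above; numeric VLAN ids become ints."""
    info: Dict[str, Any] = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            value = m.group(1).strip()
            info[key] = int(value) if value.isdigit() else value
    return info


def browser_says_xp(info: Dict[str, Any]) -> bool:
    """Device Type is populated from the browser User-Agent; NT 5.1 is Windows XP."""
    return "Windows NT 5.1" in info.get("device_type", "")


def vlan_verdict(info: Dict[str, Any]) -> str:
    """Compare the VLAN the role should have assigned with the one in use."""
    assigned = info.get("vlan_assigned")
    current = info.get("vlan_current")
    default = info.get("vlan_default")
    if not assigned:
        return f"no VLAN assigned; client is still on default VLAN {default}"
    if assigned == current:
        return f"assigned VLAN {assigned} is in effect"
    return f"VLAN {assigned} assigned but client is still on {current} (not re-addressed yet)"


def diagnose(text: str) -> Dict[str, Any]:
    """Parsed fields plus the two checks a troubleshooter wants first."""
    info = parse_show_user(text)
    info["browser_says_xp"] = browser_says_xp(info)
    info["verdict"] = vlan_verdict(info)
    return info


if __name__ == "__main__":
    for key, value in diagnose(SHOW_USER).items():
        print(f"{key:>18}: {value}")
```

Run it against the output of show user mac for any client in question; a role-how that points at a UDR together with a zero Assigned VLAN is the signature of the situation in this thread, a role that was derived but carried no VLAN with it.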



  • 12.  RE: Windows XP

    Posted Apr 01, 2014 10:45 AM

    Try this.  I've not tested, but it may work.

     

    In your derivation rule, make it as such (change the values to suit if I have them wrong):

     

    (aruba-lab) (config) #show aaa derivation-rules user NSU_XP_Rule
    
    User Rule Table
    ---------------
    Priority  Attribute    Operation  Operand/Group             Action    Value          Total Hits  New Hits  Description
    --------  ---------    ---------  -------------             ------    -----          ----------  --------  -----------
    1         essid        equals     NLT                       set role  NSU            0           0         NSU_Default-nonXP
    2         dhcp-option  equals     37010f03062c2e2f1f21f92b  set role  NSU_WindowsXP  0           0         NSU_defaul_XP

    To my mind this should work, since the devices will first do an auth based on the ESSID and then your fingerprint rule will kick in.

     

    Let us know if that works.



  • 13.  RE: Windows XP

    Posted Apr 01, 2014 11:03 AM

    I tried changing the derivation rules, but the rules are matched from top to bottom, so the XP machines are matching the first rule (essid = NLT) and getting the NSU role instead of the Windows XP role.  I changed the order and once again the XP machines get the role but not the VLAN.

     

    Users
    -----
        IP              MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name     Roaming   Essid/Bssid/Phy             Profile   Forward mode  Type
    ----------     ------------       ------    ----           ----------  ----  --------  -------     -------   ---------------             -------   ------------  ----
    137.52.250.90  c8:d7:19:0f:2d:ea            NSU_WindowsXP  00:00:02                    N-Test_105  Wireless  NLT/d8:c7:c8:18:ca:fb/a-HT  OPEN_AAA  tunnel        Win XP



  • 14.  RE: Windows XP

    Posted Apr 01, 2014 11:05 AM

    (HPD-LOCAL1) #show log user-debug 30 | include c8:d7:19:0f:2d:ea
    Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 81, signature 510000007870746573742E
    Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 60, signature 3C4D53465420352E30
    Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 55, signature 37010F03062C2E2F1F21F92B
    Apr 1 10:00:24 :522019:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=0.0.0.0 Derived role 'NSU_WindowsXP' from user rules: utype=L2
    Apr 1 10:00:24 :522049:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=N/A User role updated, existing Role=NSU_WindowsXP/NSU_WindowsXP, new Role=NSU_WindowsXP/NSU_WindowsXP, reason= Setting role for user attributes
    Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 43, signature 2BDC0100
    Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  DHCP ACK mac c8:d7:19:0f:2d:ea, client ip 137.52.250.90, server ip 0.0.0.0
    Apr 1 10:00:27 :522026:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User miss: ingress=0x1a10, VLAN=1250
    Apr 1 10:00:27 :522049:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=0.0.0.0 User role updated, existing Role=NSU_WindowsXP/NSU_WindowsXP, new Role=NSU_WindowsXP/NSU_WindowsXP, reason=First IP user created
    Apr 1 10:00:27 :522006:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User entry added: reason=Sibtye
    Apr 1 10:00:27 :522270:  <DBUG> |authmgr|  During User miss marking the user c8:d7:19:0f:2d:ea with ingress 0x1a10, connection-type 2 as wireless, muxtunnel = no
    Apr 1 10:00:27 :522049:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User role updated, existing Role=NSU_WindowsXP/NSU_WindowsXP, new Role=NSU_WindowsXP/NSU_WindowsXP, reason=user role from UDR
    Apr 1 10:00:27 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing
    Apr 1 10:00:27 :522026:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User miss: ingress=0x1a10, VLAN=1250
    Apr 1 10:00:27 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing
    Apr 1 10:00:27 :522026:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea IP=137.52.250.90 User miss: ingress=0x1a10, VLAN=1250
    Apr 1 10:00:27 :522050:  <INFO> |authmgr|  MAC=c8:d7:19:0f:2d:ea,IP=137.52.250.90 User data downloaded to datapath, new Role=NSU_WindowsXP/117, bw Contract=0/0,reason=New user IP processing
    Apr 1 10:00:33 :501065:  <DBUG> |stm|  send_ageout_sta_ack 8170: Send ageout sta c8:d7:19:0f:2d:ea ack back to AP (137.52.187.158)
    Apr 1 10:00:33 :501114:  <NOTI> |stm|  Deauth from sta: c8:d7:19:0f:2d:ea: AP 137.52.187.158-d8:c7:c8:8d:e1:70-NTest-roof Reason 255
    Apr 1 10:00:33 :501065:  <DBUG> |stm|  send_ageout_sta_ack 8170: Send ageout sta c8:d7:19:0f:2d:ea ack back to AP (137.52.187.158)
    Apr 1 10:00:33 :501114:  <NOTI> |stm|  Deauth from sta: c8:d7:19:0f:2d:ea: AP 137.52.187.158-d8:c7:c8:8d:e1:60-NTest-roof Reason 255
    Apr 1 10:00:43 :501106:  <NOTI> |AP BL23_11@137.52.185.242 stm|  Deauth to sta: c8:d7:19:0f:2d:ea: Ageout AP 137.52.185.242-00:0b:86:df:e7:a1-BL23_11 handle_sapcp
    Apr 1 10:00:43 :501065:  <DBUG> |stm|  send_ageout_sta_ack 8170: Send ageout sta c8:d7:19:0f:2d:ea ack back to AP (137.52.185.242)
    Apr 1 10:00:43 :501114:  <NOTI> |stm|  Deauth from sta: c8:d7:19:0f:2d:ea: AP 137.52.185.242-00:0b:86:df:e7:a1-BL23_11 Reason 255
    Apr 1 10:00:43 :501080:  <NOTI> |AP BL23_11@137.52.185.242 stm|  Deauth to sta: c8:d7:19:0f:2d:ea: Ageout AP 137.52.185.242-00:0b:86:df:e7:a1-BL23_11 Denied: AP Ageout
    Apr 1 10:00:43 :501065:  <DBUG> |AP BL23_11@137.52.185.242 stm|  store_stale_sta 1678: sta c8:d7:19:0f:2d:ea saved to stale_sta_hash_table
    Apr 1 10:00:43 :501065:  <DBUG> |AP BL23_11@137.52.185.242 stm|  remove_stale_sta 1778: sta c8:d7:19:0f:2d:ea is freed and removed from stale_sta_hash_table
    Apr 1 10:00:45 :501065:  <DBUG> |stm|  send_ageout_sta_ack 8170: Send ageout sta c8:d7:19:0f:2d:ea ack back to AP (137.52.186.66)
    Apr 1 10:00:45 :501114:  <NOTI> |stm|  Deauth from sta: c8:d7:19:0f:2d:ea: AP 137.52.186.66-d8:c7:c8:18:ca:f3-N-Test_105 Reason 255
    Apr 1 10:04:07 :501065:  <DBUG> |stm|   Get Next/Get Request mac is c8:d7:19:0f:2d:ea



  • 15.  RE: Windows XP

    Posted Apr 01, 2014 11:48 AM

    See if it works based on the MAC of the client.  Do a 'show user mac c8:d7:19:0f:2d:ea' after.

     

    set role condition macaddr equals c8:d7:19:0f:2d:ea set-value NSU_WindowsXP

     



  • 16.  RE: Windows XP

    Posted Apr 01, 2014 12:01 PM

    Michael,

     

    I did the MAC address match and it worked. I tried with option 61 (dhcp option 61, signature 3D01C8D7190F2DEA) and it is working with this option instead of option 55.



  • 17.  RE: Windows XP

    Posted Apr 01, 2014 12:07 PM

    That's great.  So your XP clients now get the correct VLAN defined in the user-role, based on dhcp-option 61?

     

     



  • 18.  RE: Windows XP

    Posted Apr 01, 2014 12:11 PM

    Yes, I tested with Windows XP and Windows 8; they get different roles.

     

    (HPD-LOCAL1) #show user-table mac c8:d7:19:0f:2d:ea

    Users
    -----
        IP               MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name     Roaming   Essid/Bssid/Phy             Profile   Forward mode  Type
    ----------      ------------       ------    ----           ----------  ----  --------  -------     -------   ---------------             -------   ------------  ----
    10.254.199.253  c8:d7:19:0f:2d:ea            NSU_WindowsXP  00:00:30                    N-Test_105  Wireless  NLT/d8:c7:c8:18:ca:fb/a-HT  OPEN_AAA  tunnel        Windows

    (HPD-LOCAL1) #show user-table mac 6c:88:14:5d:2d:dc

    Users
    -----
        IP               MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name     Roaming   Essid/Bssid/Phy             Profile   Forward mode  Type
    ----------      ------------       ------    ----      ----------  ----  --------  -------     -------   ---------------             -------   ------------  ----
    137.52.250.126  6c:88:14:5d:2d:dc            CPall     00:00:34                    N-Test_105  Wireless  NLT/d8:c7:c8:18:ca:fb/a-HT  OPEN_AAA  tunnel        Windows

     

    Does it make a difference matching option 61 instead of 55?



  • 19.  RE: Windows XP

    Posted Apr 01, 2014 12:17 PM

    I don't know about using 61 instead of 55.  It seems to be some sort of 'client-identifier', which may be unique to the individual device.

     

    You better test with some other XP machines.
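
The option signatures posted in this thread decode in one consistent way: the first byte of each signature is the DHCP option code and the rest is the option's value with the DHCP length byte left out (3C4D53465420352E30 is option 60 carrying "MSFT 5.0"; 3D01C8D7190F2DEA is option 61 carrying hardware type 01 followed by the client's own MAC; 37010F03062C2E2F1F21F92B is option 55 carrying the parameter request list 1,15,3,6,44,46,47,31,33,249,43). The Python below is an added example, not code from the thread or from Aruba: it pulls the signatures for each MAC out of show log user-debug lines, classifies the client from its option 55 list (the value the NSU_XP_Rule in post 12 matches on), and flags options 61 and 81, whose values embed the individual client (its MAC and its hostname) rather than its operating system, which is why a rule on option 61 can only ever match the one XP machine it was copied from, as post 19 suspects. The sample input is the log lines posted above plus one constructed line for a second client with a made-up option 55 list; WINDOWS_XP_PRL is the decimal form of the option 55 signature in the thread, and the helper names are mine. Two caveats worth keeping in mind: the vendor class "MSFT 5.0" in option 60 is sent by later Windows releases as well, so option 55 is the discriminating value, and every one of these options is written by the client, so fingerprint-based role assignment is a hygiene control that a client setting its own DHCP options can evade, not an authentication.

```python
"""Decode ArubaOS DHCP fingerprint signatures and classify clients by option 55."""
import re
from typing import Dict, List, Tuple

# Signature lines posted in this thread (client c8:d7:19:0f:2d:ea), plus one
# constructed line for a second client whose option 55 list is made up.
SAMPLE_LOG = """\
Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 81, signature 510000007870746573742E
Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 60, signature 3C4D53465420352E30
Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 55, signature 37010F03062C2E2F1F21F92B
Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 43, signature 2BDC0100
Apr 1 10:00:24 :522004:  <DBUG> |authmgr|  MAC c8:d7:19:0f:2d:ea, dhcp option 61, signature 3D01C8D7190F2DEA
Apr 1 10:05:00 :522004:  <DBUG> |authmgr|  MAC 00:11:22:33:44:55, dhcp option 55, signature 370103060F7779FC
"""

SIG_RE = re.compile(
    r"MAC (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), dhcp option (?P<opt>\d+), "
    r"signature (?P<sig>[0-9a-f]+)",
    re.IGNORECASE,
)

# Option 55 parameter request list of the XP client in the thread, in decimal:
# 010F03062C2E2F1F21F92B -> 1,15,3,6,44,46,47,31,33,249,43
WINDOWS_XP_PRL = [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]


def decode_signature(sig: str) -> Tuple[int, bytes]:
    """Split a logged signature into (option code, value bytes).

    The controller prints the option code as the first byte and omits the
    DHCP length byte, e.g. 3C4D53465420352E30 -> (60, b'MSFT 5.0').
    """
    raw = bytes.fromhex(sig)
    if len(raw) < 2:
        raise ValueError(f"signature too short: {sig}")
    return raw[0], raw[1:]


def parse_log(text: str) -> Dict[str, Dict[int, bytes]]:
    """Collect {mac: {option code: value}} from user-debug log lines."""
    clients: Dict[str, Dict[int, bytes]] = {}
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if not m:
            continue
        code, value = decode_signature(m["sig"])
        if code != int(m["opt"]):
            raise ValueError(f"option {m['opt']} but signature starts with {code}")
        clients.setdefault(m["mac"].lower(), {})[code] = value
    return clients


def parameter_request_list(options: Dict[int, bytes]) -> List[int]:
    """Option 55 as a list of option numbers; the order is part of the fingerprint."""
    return list(options.get(55, b""))


def classify(options: Dict[int, bytes]) -> str:
    """OS guess from option 55 only; option 60 'MSFT 5.0' is shared by later Windows."""
    return "Windows XP" if parameter_request_list(options) == WINDOWS_XP_PRL else "unknown"


def per_device_options(mac: str, options: Dict[int, bytes]) -> List[int]:
    """Options whose value identifies this one client rather than its OS:
    61 (client identifier: type 01 + the MAC) and 81 (client FQDN / hostname).
    A UDR that matches on either only ever hits the machine it was copied from."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    found = []
    if 61 in options and options[61].endswith(mac_bytes):
        found.append(61)
    if 81 in options:
        found.append(81)
    return found


def rule_operand(prl: List[int]) -> str:
    """Hex operand for a dhcp-option UDR condition, built from a decimal option 55 list."""
    return "37" + bytes(prl).hex().upper()


def report(text: str) -> Dict[str, dict]:
    """Per-client summary: OS guess, option 55 list and per-device options seen."""
    return {
        mac: {
            "os": classify(opts),
            "prl": parameter_request_list(opts),
            "per_device": per_device_options(mac, opts),
        }
        for mac, opts in parse_log(text).items()
    }


if __name__ == "__main__":
    for mac, info in report(SAMPLE_LOG).items():
        print(mac, info)
```

rule_operand is the reverse direction: given the decimal parameter request list of a client you have captured, it produces the hex operand to put in the dhcp-option condition of a derivation rule, in the upper-case form the controller logs it. Before trusting a new fingerprint in production, run report over user-debug output from several machines of the target OS and make sure the option 55 list is identical across them and absent from the other operating systems on the same SSID.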



  • 20.  RE: Windows XP

    Posted Apr 01, 2014 12:21 PM

    Yes, I am trying to find additional XP machines to test. Hopefully it works when moving it to production.

     



  • 21.  RE: Windows XP

    Posted Mar 21, 2014 03:01 PM

    You can create a UDR rule using the following fingerprint if you would like to place them in a particular role or VLAN.

     

    And the controller should already be identifying those: show user-table | include "Window XP"

    2014-03-21 14_54_51-www.arubanetworks.com_wp-content_uploads_AOS-DHCP-FingerPrint-AppNote.pdf.png

    If you have Airwave you should be able to identify these as well and run a report.



  • 22.  RE: Windows XP

    Posted Mar 21, 2014 03:11 PM

    Thank you

     

    On Airwave I can see the number of clients currently running Windows XP. However, it does not validate the fingerprinting option, am I correct?



  • 23.  RE: Windows XP

    Posted Mar 21, 2014 03:44 PM
    Airwave gets this information from the controller through SNMP.

    That AOS code should work.