Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Auto detecting Amazon Echo devices

  • 1.  Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 07:20 AM

    ClearPass thinks the Amazon Echo I've connected to the network is a Kindle. Now I can fix this manually, but it's a real pain if you're trying to restrict the types of device connecting to the PSK network and expecting an end user to connect their device.

     

     

    I've enabled IF-MAP on the mobility controller and it's generating a User Agent string of the form shown below. Any way this is an Amazon Echo unique string?

    Dalvik/2.1.0 (Linux; U; Android 5.1.1; AEORD Build/LVY48F)



  • 2.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 07:26 AM

    o.k. the ClearPass definition of an Amazon Echo doesn't have OUI 4cefc0 as one of the valid strings to identify an Echo



  • 3.  RE: Auto detecting Amazon Echo devices

    EMPLOYEE
    Posted Jul 24, 2018 07:45 AM
    AEORD is the model number


  • 4.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 07:53 AM

    o.k. so how would I take the existing fingerprint for an Amazon Echo and

    a). add an extra OUI as per the device I've got

    b). add a check for a user agent string containing AEORD

     

    ?

     

     



  • 5.  RE: Auto detecting Amazon Echo devices

    EMPLOYEE
    Posted Jul 24, 2018 07:56 AM
    You don't. You'd use it in role mapping.


  • 6.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 08:14 AM

    o.k. that's the user agent string as per the example you had for legacy devices. ok makes sense.

    Is there an XML schema for a device fingerprint we can use as a template for creating our own custom fingerprints?

     



  • 7.  RE: Auto detecting Amazon Echo devices

    EMPLOYEE
    Posted Jul 24, 2018 08:20 AM
    No, there's not.


  • 8.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 08:28 AM

    more to the point, if you create a custom fingerprint.... and it's wrong, how do you delete a custom fingerprint?



  • 9.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 10:40 AM

    o.k. found how to delete a fingerprint ...but

     

    Got an echo that has the following setup as shown by access tracker

    I then created a custom fingerprint using

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
    <TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>
    <DeviceFingerprints>
    <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
    <FingerprintRules>
    <FingerprintRule match-conditions="ALL">
    <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
    <RuleCondition name="dhcp.option55" operator="contains">
    <valueList>1,33,3,6,15,28,51,58,59</valueList>
    </RuleCondition>
    <RuleCondition name="dhcp.option60" operator="contains">
    <valueList>dhcpcd-5.5.6</valueList>
    </RuleCondition>
    <RuleCondition name="dhcp.options" operator="contains">
    <valueList>53,50,57,60,12,55</valueList>
    </RuleCondition>
    <RuleCondition name="mac" operator="contains">
    <valueList>34d270,40b4cd,fca667,8871e5,4cefc0</valueList>
    </RuleCondition>
    </FingerprintRule>
    </FingerprintRules>
    </DeviceFingerprint>
    </DeviceFingerprints>
    </TipsContents>

    Deleted the endpoint entry and rebooted the Echo..... and it still comes back as a Kindle, so why doesn't my custom fingerprint kick in first?

    A

     

     

    MAC Vendor: Amazon Technologies Inc.
    Added by: Policy Manager
    Status: Known
    Device Category: SmartDevice
    Device OS Family: Android
    Device Name: Kindle
    MAC Address: 4cefc0ae4bb6
    IP Address: 10.241.88.152
    Static IP: false
    Hostname: amazon-488bf99be
    Profile Conflict: false
    Added Date: Jul 24, 2018 15:32:59 BST
    Updated Date: Jul 24, 2018 15:32:59 BST
    Fingerprint Details -
    DHCP Option60: ["dhcpcd-5.5.6"]
    DHCP Options: ["53,50,57,60,12,55"]
    DHCP Option55: ["1,33,3,6,15,28,51,58,59"]



  • 10.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 11:36 AM

    Getting closer..... If I just have

     

    <FingerprintRules>
    <FingerprintRule match-conditions="ALL">
    <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
    <RuleCondition name="dhcp.option55" operator="contains">
    <valueList>1,33,3,6,15,28,51,58,59</valueList>
    </RuleCondition>
    <RuleCondition name="dhcp.option60" operator="contains">
    <valueList>dhcpcd-5.5.6</valueList>
    </RuleCondition>
    <RuleCondition name="dhcp.options" operator="contains">
    <valueList>53,50,57,60,12,55</valueList>
    </RuleCondition>
    <RuleCondition name="mac" operator="contains">
    <valueList>4cefc0</valueList>
    </RuleCondition>
    </FingerprintRule>
    </FingerprintRules>

     

    and only specify 1 OUI then it works! How do I specify multiple OUIs and mean if one of these exists ....



  • 11.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 12:16 PM

    ermmm not quite, seems that lots of devices are now being treated as UoY Amazon Echo devices :-(



  • 12.  RE: Auto detecting Amazon Echo devices

    Posted Jul 24, 2018 12:17 PM

    However I'm learning a lot about fingerprint xml files :-)



  • 13.  RE: Auto detecting Amazon Echo devices

    Posted Jul 27, 2018 07:20 AM

    Seems adding the DHCP options causes ClearPass not to categorise the device ... however, this does work - note the commented-out bits

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>
      <!--
        Date: 27/07/18
        Name: Amazon-echo-fingerprint.xml
        Function: Create a locally defined fingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo". Take the standard ClearPass definition and add the OUI of the device on my desk to the list of known ones.
        Gotchas: Seems that even though the DHCP options specified are what's associated with a device, if you include them in the fingerprint, for a new device upon boot up it doesn't get classified, so just here for information
      -->
      <DeviceFingerprints>
        <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
          <FingerprintRules>
            <FingerprintRule match-conditions="ALL">
              <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
              <RuleCondition name="device.family" operator="contains" value="Android"/>
              <!-- OUI prefixes for the default ClearPass Amazon Echo fingerprint and addition of the one on my desk -->
              <RuleCondition name="mac" operator="contains" >
                <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
              </RuleCondition>
              <!-- Even though these are the options associated with the Amazon Echo on my desk, including them causes ClearPass NOT to recognise the device upon 1st boot up -->
              <!--
              <RuleCondition name="dhcp.option60" operator="contains" >
                <valueList>["dhcpcd-5.5.6"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.option55" operator="contains" >
                <valueList>["1,33,3,6,15,28,51,58,59"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.options" operator="contains" >
                <valueList>["53,50,57,60,12,55"]</valueList>
              </RuleCondition>
              -->
            </FingerprintRule>
          </FingerprintRules>
        </DeviceFingerprint>
      </DeviceFingerprints>
    </TipsContents>
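
An offline pre-import check for fingerprint files like the ones in this thread (an added example in Python, not code from the posters or from Aruba). It flags typographic dashes and quotes that leave the file malformed, confirms the XML parses, and tests whether an endpoint's OUI is in a rule's `mac` list. The way `valueList` is tokenised is this script's own assumption, as is the shortened sample file; the thread does not establish how ClearPass itself interprets that field.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}  # namespace used in the thread's file
TYPOGRAPHIC = "\u2013\u2014\u2018\u2019\u201c\u201d"     # en/em dash and curly quotes

def lint_text(xml_text):
    """Return (line_no, char) for each word-processor character that can break the XML."""
    return [(n, ch) for n, line in enumerate(xml_text.splitlines(), 1)
            for ch in line if ch in TYPOGRAPHIC]

def load_rules(xml_text):
    """Parse the file; return {fingerprint name: [{condition name: raw value}, ...]}."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # raises ParseError if not well-formed
    out = {}
    for fp in root.iterfind(".//t:DeviceFingerprint", NS):
        rules = []
        for rule in fp.iterfind(".//t:FingerprintRule", NS):
            rules.append({c.get("name"): c.get("value") or c.findtext("t:valueList", "", NS)
                          for c in rule.iterfind("t:RuleCondition", NS)})
        out[fp.get("name")] = rules
    return out

def oui_values(rule):
    """Tokenise the 'mac' valueList (assumption): accepts both a,b and [a b] spellings."""
    return [v.lower() for v in re.split(r"[\s,\[\]\"]+", rule.get("mac", "")) if v]

def oui_listed(mac, rule):
    """True if the first three octets of `mac` appear in the rule's OUI list."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())[:6] in oui_values(rule)

# Constructed sample: a shortened copy of the working file from the last post.
SAMPLE = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<DeviceFingerprints>
<DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
<FingerprintRules><FingerprintRule match-conditions="ALL">
<RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
<RuleCondition name="mac" operator="contains">
<valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
</RuleCondition>
</FingerprintRule></FingerprintRules>
</DeviceFingerprint></DeviceFingerprints></TipsContents>"""
# Same file with a comment whose "--" was auto-converted to an em dash (constructed).
BROKEN = SAMPLE.replace("<DeviceFingerprints>", "<!\u2014 note \u2014>\n<DeviceFingerprints>", 1)

if __name__ == "__main__":
    print("typographic characters:", lint_text(BROKEN))
    rule = load_rules(SAMPLE)["UoY Amazon Echo"][0]
    print(oui_values(rule), oui_listed("4cefc0ae4bb6", rule))
```
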