Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can you define Policy based on device type without Clearpass?

  • 1.  Can you define Policy based on device type without Clearpass?

    Posted May 03, 2012 03:43 AM

    Hi there,

    With AOS6.x we have been advised that we can now identify the user device - such as an ipad vs iphone, vs droid for example.

    However we have been told that it is not possible to use this information to set an access policy on the controller or firewall to (for example) only allow iPads to connect to an internal VLAN.

    Initial discussions with the reseller indicate that this can only be done with ClearPass.

    Is this correct? If so, what advantage does being able to identify the device as an iPad provide in AOS 6.x?

    Cheers

    Wally



  • 2.  RE: Can you define Policy based on device type without Clearpass?

    Posted May 03, 2012 08:20 AM

    I would like to know this as well. Thanks for posting the question.



  • 3.  RE: Can you define Policy based on device type without Clearpass?

    Posted May 03, 2012 08:55 AM

    You can set a User Derivation Rule (UDR) under Authentication > User Rules. That UDR can then be applied to your AAA profile.

    A UDR can match the DHCP fingerprint of a device and set a VLAN (for an iPad, set the DHCP option to 55/0x37 equals 370103060F77FC).

    You can find other DHCP fingerprints by searching for "fingerprint" on Airheads.

    What you have been told, I think, is that you can't use the browser string detection of the OS (which is what you see when you do "show user") to enforce policies, since the client is already on the network once you see an HTTP packet.

    Does that help?



  • 4.  RE: Can you define Policy based on device type without Clearpass?

    Posted May 03, 2012 02:31 PM

    Hi @Wally,

    At this moment we can accomplish fingerprinting in 2 ways: DHCP-based or the HTTP user-agent field. The appnote on how they can be configured is here: http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

    Deriving roles can only be done via the DHCP-based approach. I have listed a table below of common signatures using various DHCP option fields to expand on what @olino explained.

    DHCP options could be classified as

    • device specific (i.e. a MAC address, hostname)
    • OS specific (i.e. Windows XP or iPhone/iPad)
    • unknown and not useful (i.e. requested IP address)

    Common options and categorisation

    Option Name              | Value (dec) | Value (hex) | Category                    | Comment
    Client Identifier        | 61          | 3d          | Device specific             | MAC address of client, android seems to never send this
    Host Name                | 12          | 0c          | Device specific/OS Specific | Often this is device specific
    Vendor Class Identifier  | 60          | 3c          | OS Specific                 |
    Requested Parameter List | 55          | 37          | OS Specific                 |

    The two items above in red are the most useful. Vendor class becomes useful for dealing with
    Android devices especially, since they tend to exhibit different option 55 signatures model to model
    and manufacturer to manufacturer.

    Common OS/Devices - option 55 signatures

    OS              | Match Option (dec/hex) | Match Type  | Fingerprint               | Comment                                                | Contributed By
    Android 2.x     | 55/0x37                | starts-with | 37017921030               | partial match, seen in Android 2.x (HTC,SGS), may vary | jgoff
    Android 2.3     | 55/0x37                | equals      | 3701792103061c333a3b      | Samsung Galaxy S with Android 2.3                      | ChangHan
    Blackberry      | 55/0x37                | equals      | 370103060F                | unknown model of Blackberry                            | jgoff
    iPhone/iPad     | 55/0x37                | equals      | 370103060F77FC            | Common to most Apple i-devices                         | jgoff
    Macbook         | 55/0x37                | equals      | 370103060F775FFC2C2E2F    | Apple Mac Book (assumed OS X)                          | jgoff
    Maemo OS        | 55/0x37                | equals      | 370103060c0f111c28292a    | Nokia N900 running Maemo OS                            | kmohammed
    Nintendo DS     | 55/0x37                | equals      | 37010306                  |                                                        | jgoff
    Playstation 3   | 55/0x37                | equals      | 3701031c060f              |                                                        | jgoff
    Symbian OS      | 55/0x37                | equals      | 370C060F01031C78          | Nokia N97 / SonyEricsson                               | jgoff/dnie
    Win Mobile 6.x  | 55/0x37                | equals      | 370103060f2c2e2f          | Seen on HTC phones with Win Mobile 6.x                 | dnie
    Win XP          | 55/0x37                | equals      | 37010f03062c2e2f1f21f92b  | exact match on WinXP                                   | ChangHan
    Win Vista       | 55/0x37                | equals      | 37010f03062c2ef1f2179f92b | exact match on Vista                                   | ChangHan
    Win 7 (korean)  | 55/0x37                | equals      | 37010f03062c2ef1f2179f92b | exact match on Win7 (korean edition)                   | ChangHan
    Win 7 (eng)     | 55/0x37                | equals      | 37010f03062c2ef1f2179f92b | exact match on Win7                                    | ChangHan
    Win (Multiple)  | 55/0x37                | starts-with | 37010F03062C2E2F1         | Generic multi-version "windows"                        | jgoff

    Common OS/Devices - option 60 signatures

    OS                     | Match Option (dec/hex) | Match Type  | Fingerprint                                  | Comment                                                      | Contributed By
    Android 2.x (multiple) | 60/0x3c                | starts-with | 3c6468637063642034                           | partial match on “dhcpcd 4” – caution: may match some linux  | jgoff
    BlackBerry             | 60/0x3c                | equals      | 3c426c61636b4265727279                       | match 'BlackBerry' option                                    | jgoff
    Maemo OS               | 60/0x3c                | starts-with | 3c756468637020302e392e39                     | partial match on "udhcpd 0.9.9", used in Nokia N900 Phones   | kmohammed
    Windows CE             | 60/0x3c                | equals      | 3c4d6963726f736f66742057696e646f777320434500 | match "Microsoft Windows CE" - this may match MANY devices   | dnie
    Windows (Multiple)     | 60/0x3c                | equals      | 3c4D53465420352E30                           | match multiple windows versions with “MSFT 5.0”              | jgoff

    Not so common or to-be-(re)verified

    OS                    | Match Option (dec/hex) | Match Type  | Fingerprint                                        | Comment                          | Contributed By
    Cisco 1750            | 55/0x37                | equals      | 3701060F2C0321962B                                 | cisco 1750 VPN                   | jgoff
    Linux generic         | 55/0x37                | starts-with | 37011C02030F0677                                   | Debian/Linux 2.6 generic         | jgoff
    Linux (unknown)       | 55/0x37                | equals      | 37011C02030F06770C2C2F1A792A                       | tbd                              | ChangHan
    Linux Debian 2.6.35   | 55/0x37                | equals      | 37011c02030f06770c2c2f1a                           | Backtrack 4 R2 dhclient          | jgoff
    Palm PDA              | 55/0x37                | equals      | 37011C02030F060C                                   | unknown model of Palm            | jgoff
    Samsung s8000         | 55/0x37                | starts-with | 370102030405060708090C0D0F1011171A1C2A2C3233353638 |                                  | jgoff
    Win CE Casio Scanner  | 55/0x37                | equals      | 370103060F2C2E2F                                   | unknown model of Casio scanner   | jgoff
    Win CE Symbol Scanner | 55/0x37                | equals      | 370103060F2C2E2F4243                               | unknown model of Symbol scanner  | jgoff
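The matching that posts 3 and 4 describe (a UDR comparing the hex fingerprint of DHCP option 55 or 60 against a rule, with "equals" or "starts-with") can be reproduced offline to see how a given client would be classified before a rule goes onto a controller. The example below is an added illustration and is not code from the thread, ArubaOS or the appnote: it parses the option area of a raw DHCP packet, builds fingerprints in the same "option byte followed by value" hex form the tables use, and evaluates an ordered rule list. The rule subset, the role names ("ipad-vlan", "corp-windows", "byod", "linux-guest"), the build_discover helper and all sample packets are assumptions constructed for the example. Because the parameter request list and vendor class are chosen by the client, this identifies a platform; it does not authenticate one, and the sample Linux host shows why the "may match some linux" caveat in the option 60 table matters.

```python
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = bytes.fromhex("63825363")   # RFC 2131 marker that starts the options area


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV options of a raw DHCP/BOOTP packet into {code: value}.

    Skips PAD (0), stops at END (255), keeps the first occurrence of a code and
    raises on a truncated option rather than matching on partial data.
    """
    idx = packet.find(MAGIC_COOKIE)
    if idx < 0:
        raise ValueError("no DHCP magic cookie in packet")
    opts: Dict[int, bytes] = {}
    i = idx + len(MAGIC_COOKIE)
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes], code: int) -> Optional[str]:
    """Hex fingerprint in the form the tables use: option code byte, then the value.
    Option 55 = 01 03 06 0F 77 FC becomes "370103060F77FC"."""
    if code not in opts:
        return None
    return (bytes([code]) + opts[code]).hex().upper()


Rule = Tuple[str, int, str, str, str]   # (os, option, match type, fingerprint, role)

# Signatures taken from the tables above; the role names are assumed values for
# this example. Rules are evaluated in order and the first match wins, so exact
# matches belong before prefix matches that would also cover them.
RULES: List[Rule] = [
    ("iPhone/iPad",    55, "equals",      "370103060F77FC",           "ipad-vlan"),
    ("Win XP",         55, "equals",      "37010f03062c2e2f1f21f92b", "corp-windows"),
    ("Win (Multiple)", 55, "starts-with", "37010F03062C2E2F1",        "corp-windows"),
    ("BlackBerry",     60, "equals",      "3c426c61636b4265727279",   "byod"),
    ("Android 2.x",    60, "starts-with", "3c6468637063642034",       "byod"),
    ("Linux generic",  55, "starts-with", "37011C02030F0677",         "linux-guest"),
]


def derive_role(opts: Dict[int, bytes], rules: List[Rule] = RULES) -> Optional[Tuple[str, str]]:
    """Return (matched OS, role) for the first rule whose fingerprint matches, else None."""
    for os_name, code, kind, sig, role in rules:
        fp = fingerprint(opts, code)
        if fp is None:
            continue
        sig = sig.upper()                       # table entries mix upper and lower case hex
        hit = fp == sig if kind == "equals" else fp.startswith(sig)
        if hit:
            return os_name, role
    return None


def build_discover(options: List[Tuple[int, bytes]]) -> bytes:
    """Constructed minimal DHCPDISCOVER (sample input for this example, not a capture)."""
    fixed = bytes([1, 1, 6, 0]) + bytes.fromhex("deadbeef") + bytes(228)   # 236-byte BOOTP header
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1]) + body + b"\xff"       # 53/1 = DHCPDISCOVER


# Constructed samples mirroring signatures from the tables.
SAMPLE_APPLE = build_discover([(55, bytes.fromhex("0103060f77fc"))])
SAMPLE_WINXP = build_discover([(60, b"MSFT 5.0"), (55, bytes.fromhex("010f03062c2e2f1f21f92b"))])
# A Linux host running dhcpcd: its option 60 starts with "dhcpcd 4", so the Android
# starts-with rule fires before the Linux option 55 rule is ever reached. Rule order,
# not only the signature, decides the role a client ends up with.
SAMPLE_LINUX_DHCPCD = build_discover([(60, b"dhcpcd 4.0.15"), (55, bytes.fromhex("011c02030f0677"))])

if __name__ == "__main__":
    for name, pkt in [("apple", SAMPLE_APPLE), ("winxp", SAMPLE_WINXP), ("linux", SAMPLE_LINUX_DHCPCD)]:
        opts = parse_dhcp_options(pkt)
        print(name, fingerprint(opts, 55), fingerprint(opts, 60), derive_role(opts))
```

Running it shows the Apple and Windows XP samples landing on their exact-match rules, while the Linux host is reported as "Android 2.x" because the dhcpcd prefix rule sits ahead of the Linux rule; passing a reordered list to derive_role (Linux rule first) classifies it correctly, which is the check worth doing on a rule set before it is applied to an AAA profile.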