Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DHCP Fingerprinting, the hard way...

  • 1.  DHCP Fingerprinting, the hard way...

    Posted Mar 20, 2014 10:47 PM

    All,

    I have a customer that has multiple RAP3s and is looking to only allow specific Cisco phones onto the PoE port. I'm trying to do this with DHCP Fingerprinting. Unfortunately, Clearpass is not in the cards at this moment. I'm trying to put this solution together with the fingerprints found at Fingerbank:

    https://github.com/inverse-inc/fingerbank/blob/master/dhcp_fingerprints.conf

    I'm looking to format these into something that would be recognizable on the Instants. I found a great discussion on this topic:

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/DHCP-Fingerprinting/td-p/12471

    The fingerprint format discussed in that post was in this format:

    Win 7 (eng) 55/0x37 equals 37010f03062c2ef1f2179f92b exact match on Win7

    The format in Fingerbank is in this format:

    1,15,3,6,44,46,47,31,33,121,249,43,0,80

    I opened up Wireshark and captured the DHCP traffic between my laptop and the router and I can see where Fingerbank is getting the above information. I took a look at the DHCP request and the above numbers correspond to the different parameters under "Bootstrap Protocol" > "Option 55," almost to a T.

    The main question is how would I translate a Fingerbank DHCP fingerprint into something that can be used on an Instant? Has anyone done this before?

    As always, thanks for the help!

    -Mike



  • 2.  RE: DHCP Fingerprinting, the hard way...

    EMPLOYEE
    Posted Mar 21, 2014 12:17 AM

    http://www.arubanetworks.com/vrd/AOSDHCPFPAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

    Check out Chapter 2, deploying DHCP fingerprinting...



  • 3.  RE: DHCP Fingerprinting, the hard way...

    Posted Mar 21, 2014 08:03 AM

    Colin,

    Thanks for posting the updated link! The one in the previous discussion gives a 404 error.

    That "debug DHCP with options" command is very helpful!

    Here's how I'm planning to proceed:

    1. I'm going to enable debugging on a test controller and pull the exact value for my laptop.

    2. I'll then try another packet capture and take all of the decimal option 55 parameters.

    3. I'll then convert those individual values into hex and concatenate the string.

    4. Based on that chapter, it looks like that value should produce something that could be regex'd as a DHCP fingerprint.

    5. The final step will be to take that concatenated string and compare it to a converted and concatenated string from Fingerbank.

    I'll give that a whirl and post the results to this thread. Thanks for the help!

    -Mike



  • 4.  RE: DHCP Fingerprinting, the hard way...

    Posted Mar 21, 2014 09:22 AM

    Hi Colin,

    I just did a packet capture on an Instant and a verbose DHCP debug on a controller and the decimal Option 55 exactly lined up with the hex variant on the controller.

    My customer is looking to implement fingerprints for Cisco phones. I've translated the "Cisco IP Phone" section from the Fingerbank website from decimal into hex:

    014206030f9623
    014206030f962397
    0103060f2a4296
    011c42060f032396
    0103060f23423396
    0103060f2a423396
    0103060f234296
    0103060c0f1c2a429596
    060301420f96
    01030f060c234296

    We're going to give the above a try using the role selection criteria and the contains function in the "Access" portion of the wired configuration. I'll post an update to this thread if it ends up going sideways.

    Thanks!

    -Mike
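The conversion Mike outlines in posts 3 and 4 (Fingerbank's decimal Option 55 codes turned into one concatenated hex string, then compared with what the device actually sends), worked through as an added Python example. It is not code from the thread, from Fingerbank or from Aruba. The DHCP option bytes and the Windows-style fingerprint used as a negative case are constructed for the example; the Cisco hex strings are the ones posted above; and the "contains" matching is an assumption about how a substring rule behaves on these strings, not Aruba's documented implementation.

```python
"""Fingerbank <-> Aruba DHCP Option 55 fingerprint helpers (added example).

Fingerbank records the Parameter Request List (Option 55) as comma-separated
decimal option codes; the Aruba debug output and role rules use the same
bytes as a hex string. These helpers convert between the two forms, pull
Option 55 out of a DHCP option area, and match it against a known set.
"""
from typing import Dict, Optional


def fingerbank_to_hex(decimal_list: str) -> str:
    """'1,66,6,3,15,150,35' -> '014206030f9623' (one byte per option code)."""
    codes = [int(c) for c in decimal_list.split(",") if c.strip()]
    for code in codes:
        if not 0 <= code <= 255:
            raise ValueError(f"DHCP option code out of range: {code}")
    return "".join(f"{code:02x}" for code in codes)


def hex_to_fingerbank(hex_fp: str) -> str:
    """Reverse conversion; rejects odd-length strings, which cannot be whole bytes."""
    if len(hex_fp) % 2:
        raise ValueError("hex fingerprint must have an even number of digits")
    return ",".join(str(int(hex_fp[i:i + 2], 16)) for i in range(0, len(hex_fp), 2))


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the 0x63825363 magic cookie.
    Stops at End (255), skips Pad (0), and rejects truncated options."""
    parsed: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        parsed[code] = value
        i += 2 + length
    return parsed


def option55_fingerprint(options: bytes) -> Optional[str]:
    """Hex Option 55 fingerprint of a request, or None if the option is absent."""
    prl = parse_dhcp_options(options).get(55)
    return prl.hex() if prl is not None else None


def contains_aligned(fingerprint: str, needle: str) -> bool:
    """Substring match that only accepts hits starting on a byte boundary, so a
    needle cannot straddle two option codes ('a0f960' must NOT match '0f96')."""
    start = 0
    while True:
        idx = fingerprint.find(needle, start)
        if idx < 0:
            return False
        if idx % 2 == 0:
            return True
        start = idx + 1


def match_fingerprint(fingerprint: str, known: Dict[str, str],
                      contains: bool = False) -> Optional[str]:
    """Label of the first known fingerprint that matches exactly or, with
    contains=True (assumed to mirror the Instant 'contains' rule), as an
    aligned substring. None when nothing matches."""
    for hex_fp, label in known.items():
        if fingerprint == hex_fp or (contains and contains_aligned(fingerprint, hex_fp)):
            return label
    return None


# Hex strings posted in the thread, labelled as the poster described them.
CISCO_PHONE_FINGERPRINTS: Dict[str, str] = {
    "014206030f9623": "Cisco IP Phone",
    "014206030f962397": "Cisco IP Phone",
    "0103060f2a4296": "Cisco IP Phone",
    "011c42060f032396": "Cisco IP Phone",
}

# Constructed DHCP option area (not a real capture): Message Type = Request,
# then a Parameter Request List that decodes to the thread's first hex string.
SAMPLE_OPTIONS = bytes([
    53, 1, 3,
    55, 7, 1, 66, 6, 3, 15, 150, 35,
    255,
])

if __name__ == "__main__":
    fp = option55_fingerprint(SAMPLE_OPTIONS)
    print("captured option 55:", fp, "->", hex_to_fingerbank(fp))
    print("matched role:", match_fingerprint(fp, CISCO_PHONE_FINGERPRINTS))
```

Two things worth checking before putting a list like this into a role rule: every string should have an even number of hex digits (an odd-length string cannot come from whole option bytes, so it would never match a real request), and a plain substring rule can fire on a match that begins halfway through a byte, which is why the example only accepts hits at even offsets. Also keep in mind that Option 55 is client-supplied, so a fingerprint rule sorts devices into roles but is not authentication.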



  • 5.  RE: DHCP Fingerprinting, the hard way...

    Posted Mar 31, 2014 09:21 AM

    Hi Colin,

    One additional question for you. I'm working with a client to implement the DHCP fingerprinting on a wired Instant port. The ability to do DHCP fingerprinting on a wireless SSID is an available option, but it seems to be missing on a wired Instant port.

    Here's where I'm looking:

    More > Wired > Select a role > "Edit" > Access tab > Role-Based > New Role Assignment Rule > Attribute

    On the wireless side, there's an option for "dhcp-option" after "fw_mode"; this doesn't seem to be available on the wired Instant port.

    Do you know if this is an available feature and I'm not looking in the right place?

    Thanks!

    -Mike



  • 6.  RE: DHCP Fingerprinting, the hard way...

    EMPLOYEE
    Posted Mar 31, 2014 09:49 PM

    Not supported on wired at this time, unfortunately...