Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

can i use dhcp finger print to isolate devices in a specific VLAN

  • 1.  can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 26, 2013 10:27 AM

    We are trying to move all the Androids and iPhones into a specific VLAN. Is this possible using DHCP fingerprinting?

     

    Adrian 



  • 2.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 26, 2013 11:50 AM

    Edited; see Colin's response below:

     

    No, this is not possible as the fingerprinting takes place after the device is requesting a DHCP address (thus already assigned to a VLAN).   



  • 3.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 26, 2013 12:12 PM

    This works as of ArubaOS 6.2 and above with open and encrypted SSIDs:

    [screenshot: dhcp.png]



  • 4.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 26, 2013 01:27 PM

    Any other opinions? If this is possible, will you please add the required steps for setting it up?

     

    thanks



  • 5.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 26, 2013 01:31 PM

    @Adrian.lupea@dc-uoit.ca wrote:

    Any other opinions? If this is possible, will you please add the required steps for setting it up?

     

    thanks


    The screenshot is from the 6.2 release notes.  The DHCP fingerprinting app note is here:  http://www.arubanetworks.com/wp-content/uploads/AOS-DHCP-FingerPrint-AppNote.pdf?repo=tech



  • 6.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 26, 2013 01:43 PM

    1) Set up the UDR under Security > Authentication > User Rules

     

    [screenshot: mc-udr-1.PNG]

     

     

    2) Apply the UDR to the AAA profile

     

    [screenshot: mc-udr-2.PNG]



  • 7.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 26, 2013 01:59 PM

    Thank you all for the reply. Tim, I have done these steps but I am not sure what to do next. Maybe I should provide more info. We have an M3k with over 400 105 APs and 30 VLANs in an even pool. Probably over 50% of the devices connected are iPhones and Androids. We have issues with DHCP scopes being full, and even managing the lease time down to 30 minutes will create such a big difference between users, IPs in the controller VLAN and IPs in the (external) DHCP server, like 2500/3000/5500. The DHCP requests/renewals trigger DNS updates also, and that is something we will try to avoid by moving all the iPhones and Androids into a different pool where we can manage the DHCP scope to not provide DNS pointers at all. We need the DNS for LANDesk. Now, if I fingerprint the Androids, as an example, how will I manage to assign them to a different VLAN pool?

     

    Tim, how do you manage this without ClearPass?

     

    Adrian



  • 8.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 26, 2013 02:30 PM

    You can assign a single VLAN or a VLAN pool in the UDR.

     

    After you have applied the UDR to the AAA profile, the configuration is complete.

     

    Since you are using DHCP options instead of profiling data, ClearPass is not required for this situation.



  • 9.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 30, 2013 09:10 AM

    Thanks Tim. It still doesn't work. I can't see the devices being assigned to different VLANs. Anything that needs to be done in the DHCP server?



  • 10.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 30, 2013 09:13 AM

    What type of authentication are you using on the SSID?



  • 11.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 30, 2013 09:17 AM

    802.1X with the user derivation rule created "android"



  • 12.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 30, 2013 10:31 AM

    @Adrian.lupea@dc-uoit.ca wrote:

    802.1X with the user derivation rule created "android"


    Adrian.Lupea, 

     

    What version of ArubaOS are you using?

    Are clients being put into that role with the user derivation rule?

    Are clients being put into that VLAN? (show user-table verbose)

     

     



  • 13.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 30, 2013 10:46 AM

    ArubaOS ver 6.1.3.5

    I have only one role, and I have added the user derivation rule to that role, so all devices are in the same role.

    Some of them are, some of them are not.

     

    adrian



  • 14.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Sep 30, 2013 10:47 AM

    @Adrian.lupea@dc-uoit.ca wrote:

    ArubaOS ver 6.1.3.5

    I have only one role, and I have added the user derivation rule to that role, so all devices are in the same role.

    Some of them are, some of them are not.

     

    adrian


    Adrian,

     

    For this to work with 802.1X you need to be running ArubaOS 6.2 and above (please see the release notes screenshot in a previous post). It will NOT work with 6.1.x.

     



  • 15.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Sep 30, 2013 10:49 AM

    Thanks. I have missed that. I will upgrade.

     

    Adrian



  • 16.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Oct 01, 2013 09:12 AM

    It's working so far. Hope that this will be the solution. Thanks everyone.

     

    adrian



  • 17.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Oct 03, 2013 08:30 AM

    Although I have a certain number of devices in the assigned VLAN, the controller doesn't capture a large number of them. Here are my questions:

     

    1. Are there more DHCP fingerprints that I can use besides 3C64686370636420342E302E3135?

    2. I can see a lot of devices are not authenticated, but that will not stop them from receiving an IP. Is there a way to not allow an IP until logged in?

    3. Anybody noticed a discrepancy in the user numbers between the dashboard and monitoring screens? There are more users in Monitoring > Clients and all of them have IPs, and there are fewer users in the dashboard and a lot of users are not displaying any IPs.

     

    thanks,

     

    Adrian
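    The mechanism discussed in posts 6, 8 and 17 (a user derivation rule that matches a DHCP option a client sends and assigns a VLAN) can be modelled in a few dozen lines. The block below is an added example, not code from this thread or from ArubaOS: it parses the option area of a DHCP message, builds a fingerprint string in the same form the thread quotes (option code, then value, in upper-case hex; 3C64686370636420342E302E3135 is option 60 followed by "dhcpcd 4.0.15"), applies a rule table, and tracks what happens on a roam. The VLAN numbers, the second rule's option-55 fingerprint, and the sample packets are constructed for illustration.

```python
# Added example, not code from the Airheads thread or from ArubaOS. It models what a
# user derivation rule (UDR) keyed on a DHCP option does: read the option bytes a
# client sends in DHCP DISCOVER/REQUEST, build a fingerprint string (option code +
# option value, upper-case hex) and assign a VLAN when a rule matches.
# Rule VLAN numbers and the sample packets below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that starts the option area


def parse_dhcp_options(option_area: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message into {option code: value}."""
    if option_area[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP option area (magic cookie missing)")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(option_area):
        code = option_area[i]
        if code == 0:          # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(option_area):
            raise ValueError("truncated option header")
        length = option_area[i + 1]
        value = option_area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(code: int, value: bytes) -> str:
    """Fingerprint string in the form the thread quotes: option code, then value, upper-case hex."""
    return f"{code:02X}{value.hex().upper()}"


# (option code, expected fingerprint, VLAN). The first entry is the Android value quoted
# in the thread: 0x3C (option 60, vendor class) followed by "dhcpcd 4.0.15" in hex.
# The second is a constructed option-55 (parameter request list) fingerprint, not a real device's.
UDR_RULES: List[Tuple[int, str, int]] = [
    (60, "3C64686370636420342E302E3135", 200),
    (55, fingerprint(55, bytes([1, 121, 3, 6, 15, 119, 252])), 201),
]


def derive_vlan(opts: Dict[int, bytes], rules=UDR_RULES, default_vlan: int = 100) -> int:
    """First matching rule wins; otherwise the client keeps the AAA profile's default VLAN."""
    for code, expected, vlan in rules:
        if code in opts and fingerprint(code, opts[code]) == expected:
            return vlan
    return default_vlan


@dataclass
class ClientSession:
    """Tracks the VLAN a client holds across DHCP exchanges and roams (the point made in post 19)."""
    mac: str
    vlan: int = 100
    ap_group: str = "group-1"
    events: List[str] = field(default_factory=list)

    def on_dhcp(self, option_area: bytes) -> int:
        # The rule is evaluated only when the controller sees a DHCP exchange.
        self.vlan = derive_vlan(parse_dhcp_options(option_area))
        self.events.append(f"dhcp -> vlan {self.vlan}")
        return self.vlan

    def on_roam(self, new_ap_group: str) -> int:
        # A roam within one SSID keeps the existing lease: no DHCP exchange happens,
        # so the VLAN derived earlier stays. Only an association that re-DHCPs
        # (e.g. after joining a different SSID) re-runs the rules.
        self.ap_group = new_ap_group
        self.events.append(f"roam to {new_ap_group} -> vlan {self.vlan} (unchanged)")
        return self.vlan


def build_option_area(*items: Tuple[int, bytes]) -> bytes:
    """Build a sample option area (constructed test input, not captured traffic)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out += b"\xff"
    return bytes(out)


# Constructed sample DISCOVER option areas.
ANDROID_DISCOVER = build_option_area((53, b"\x01"), (60, b"dhcpcd 4.0.15"), (55, bytes([1, 3, 6, 15])))
WINDOWS_DISCOVER = build_option_area((53, b"\x01"), (60, b"MSFT 5.0"), (55, bytes([1, 15, 3, 6])))

if __name__ == "__main__":
    s = ClientSession(mac="aa:bb:cc:00:00:01")
    print(s.on_dhcp(ANDROID_DISCOVER))                        # 200
    print(s.on_roam("group-2"))                               # still 200
    print(derive_vlan(parse_dhcp_options(WINDOWS_DISCOVER)))  # 100
```

    Two things the model makes visible: the rule only fires on a DHCP exchange, so a client that roams between AP groups on the same SSID keeps the VLAN it was given first (which is what post 19 explains), and the match key is bytes the client itself chose to send, so a fingerprint-derived VLAN is suited to the address-pool and DNS-registration problem in this thread, not to enforcing a security boundary; that job belongs to 802.1X and the role's policy.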



  • 18.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Jan 08, 2014 05:19 AM

    We are facing issues with device fingerprinting.

    Controller: 6000

    OS: 6.3.0.2

    SSID: 802.1X with Windows 8 NPS

    DHCP: Windows 8 DHCP server

     

    Issue: There are three AP groups for three buildings. When a user moves from one group to another, the user rule which is set to assign a VLAN based on the device type doesn't work. For example:

    AP group 1: all iPads - VLAN 1, SSID: staff

    AP group 2: all iPads - VLAN 2, SSID: staff

    Device type: iPad

     

    When the user is in AP group 1 the user rule assigns an IP from VLAN 1, but when the user moves to AP group 2 the IP address is still from VLAN 1. However, if we connect to another SSID and get a different IP (say guest) and try to reconnect back to the staff SSID, then the device will get an IP address from VLAN 2. Any help?

    Thanks

     



  • 19.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    EMPLOYEE
    Posted Jan 08, 2014 05:46 AM

    @binujacob wrote:

    We are facing issues with device fingerprinting.

    Controller: 6000

    OS: 6.3.0.2

    SSID: 802.1X with Windows 8 NPS

    DHCP: Windows 8 DHCP server

     

    Issue: There are three AP groups for three buildings. When a user moves from one group to another, the user rule which is set to assign a VLAN based on the device type doesn't work. For example:

    AP group 1: all iPads - VLAN 1, SSID: staff

    AP group 2: all iPads - VLAN 2, SSID: staff

    Device type: iPad

     

    When the user is in AP group 1 the user rule assigns an IP from VLAN 1, but when the user moves to AP group 2 the IP address is still from VLAN 1. However, if we connect to another SSID and get a different IP (say guest) and try to reconnect back to the staff SSID, then the device will get an IP address from VLAN 2. Any help?

    Thanks

     


    If you have a client that is roaming from one access point to another on the same SSID, the client will assume that it is on the same VLAN and not attempt to obtain a new IP address. If you change the VLAN in the background, the client will think it is on the same VLAN and NOT obtain a different DHCP address. If you change SSIDs, however, the client will always attempt to get another DHCP address because it assumes it will be on a new VLAN. Do not design your network so that the VLAN is changed in the background when your client roams to another access point on the same SSID. It will not work in the majority of cases and is not a good strategy.

     



  • 20.  RE: can i use dhcp finger print to isolate devices in a specific VLAN

    Posted Jan 14, 2014 02:51 AM

    We are forced to do this because of the Apple TV / iPad AirPlay issues.

    We have more than 128 Apple TVs distributed across the campus. iPads have a limitation of displaying only 64 Apple TVs in AirPlay.

    So what we did is as below:

     

    Divided the campus into three AP groups based on building.

    SSID staff - building 1 - AP group 1 - AAA servers group 1 - Apple TVs in VLAN 1 (wired) - staff will get VLAN 1 (no. of Apple TVs: 40)

    SSID staff - building 2 - AP group 2 - AAA servers group 2 - Apple TVs in VLAN 2 (wired) - staff will get VLAN 2 (no. of Apple TVs: 40)

    SSID staff - building 3 - AP group 3 - AAA servers group 3 - Apple TVs in VLAN 3 (wired) - staff will get VLAN 3 (no. of Apple TVs: 48)

    This is working perfectly fine without enabling AirPlay on Aruba, and client roaming is also fine. When staff go from AP group 1 to AP group 2 the device gets the correct VLAN and DHCP. This is working fine with Windows/iOS/Android. Now what we are trying is, using device fingerprinting, to isolate iPads by putting in the user-specific rules. When we enable the user-specific rule and the user roams from one AP group to the other, the VLAN doesn't change automatically; however, if we disconnect and connect to the guest network, get a different lease and reconnect back to the staff SSID, then the VLAN/DHCP comes correctly. Any advice?

    Thanks

    Binu