SlideShare uma empresa Scribd logo

ArubaOS DHCP Fingerprinting

Aruba, a Hewlett Packard Enterprise company
Aruba, a Hewlett Packard Enterprise company

This guide focuses on configuration of DHCP fingerprinting, which is used in conjunction with user roles on the Aruba Mobility Controller. When a user authenticates, their device type is taken into account. Based on that device type, a new role can be assigned to the device, such as restricting access to certain protocols or completely blocking access. To learn more, visit us at http://www.arubanetworks.com/wlan. Join the discussion at https://community.arubanetworks.com

NegóciosTecnologia
1 de 23
Baixar para ler offline
                                                                                ArubaOS DHCP Fingerprinting   Version 1.0
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. 2           Copyright   © 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions. Open Source Code   Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (“GPL”), GNU Lesser General Public License (“LGPL”), or other Open Source Licenses. The Open Source code used can be found at this site:   http://www.arubanetworks.com/open_source   Legal Notice   ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WEATHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY AND QUET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF ARUBA EXCEED THE AMOUNTS ACUTALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT OR FOR ARUBA PRODUCTS OR SERVICES PURSHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS.     Warning and Disclaimer   This guide is designed to provide information about wireless networking, which includes Aruba Network products. Though Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, this guide and the information in it is provided on an “as is” basis. Aruba assumes no liability or responsibility for any errors or omissions. ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY, AND QUIET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF ARUBA EXCEED THE AMOUNTS ACTUALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT OR FOR ARUBA PRODUCTS OR SERVICES PURCHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice.                                 www.arubanetworks.com   1344 Crossman Avenue Sunnyvale, California 94089   Phone: 408.227.4500 Fax 408.227.4550
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Table of Contents | 3           Table of Contents   Chapter 1: Introduction 4   Reference Material 5   Chapter 2:   Deploying DHCP Fingerprinting   6   Prerequisites 6   Product Availability 7   What is a DHCP Fingerprint? 7   Identifying a DHCP Fingerprint 9   User Role Creation 11   User Role Derivation 15   Chapter 3:   User Role Life Cycle   17   Connecting to the Wireless Network 17   802.1X Authentication 18   DHCP Exchange 19   Validating DHCP-Derived User Roles 19   Conclusion 20   Appendix A:   Validated DHCP Fingerprint   21   Appendix B:   Contacting Aruba Networks   22   Contacting Aruba Networks 22
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Introduction | 4           Chapter 1: Introduction       The explosive growth of mobile devices has challenged the network IT staff because mobile devices lack the option to connect using Ethernet, which is the dominant wired access technology. Leading industry analyst forecasts predict that by 2015 only 15% of the devices will have built-in Ethernet capability, as shown in Growth of mobile devices . As more of these devices connect using the enterprise wireless LAN, network administrators have noted that an employee typically has gone from using a single device to using three or more devices.   As network engineers get ready to support large numbers of smartphones and tablets in addition to laptops and desktops, they are realizing the importance of reliably identifying mobile devices. Gaining visibility into mobile device types is essential for network engineers to build granular access policies to maintain security and quality of service (QoS) for critical enterprise applications. This application note describes one such tool, ArubaOS DHCP Fingerprinting, which empowers the network engineers to reliably identify devices and to build and enforce device-specific policies.   Figure 1 Growth of mobile devices
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Introduction | 5           Table 1 lists the current software versions for this guide.   Table 1 Aruba Software Versions   Product Version ArubaOS™ (mobility controllers) 6.1 ArubaOS (mobility access switch) 7.0 Aruba Instant™ 1.1 MeshOS 4.2 AirWave® 7.3 AmigopodOS 3.3     Reference Material    This guide assumes a working knowledge of Aruba products. This guide is based on the network detailed in the Aruba Campus Wireless Networks VRD and the Base Designs Lab Setup for Validated Reference Design. These guides are available for free at http://www.arubanetworks.com/vrd.  The complete suite of Aruba technical documentation is available for download from the Aruba support site. These documents present complete, detailed feature and functionality explanations outside the scope of the VRD series. The Aruba support site is located at: https://support.arubanetworks.com/. This site requires a user login and is for current Aruba customers with support contracts.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 6           Chapter 2: Deploying DHCP Fingerprinting       DHCP fingerprinting is used in conjunction with user roles on the Aruba Mobility Controller. When a user authenticates, their device type is taken into account. Based on that device type, a new role can be assigned to the device, such as restricting access to certain protocols or completely blocking access. Because the system relies on user-defined roles, each organization can develop a system that meets their unique requirements.     Prerequisites   This section describes the prerequisites and dependencies for the ArubaOS DHCP fingerprinting feature.   1. The ArubaOS DHCP fingerprinting feature is available on the mobility controller and mobility access switch platforms running ArubaOS version 6.0.1 or later.   2. The PEFNG license must be present on the platform to assign user roles using the ArubaOS DHCP fingerprinting feature.   3. Clients must be set up to request IP addresses automatically using DHCP.   4. The controller must be in the data path of DHCP exchange, but it does not have to be the DHCP server.   5. There are additional requirements based on the forwarding mode of the AP. Table 2 lists the forwarding mode and platform dependencies.   Table 2 DHCP Fingerprinting Availability by Forwarding Mode and Platform   Platform Forwarding Mode DHCP Fingerprinting Available Campus and remote AP Tunnel mode Yes Campus and remote AP Bridge mode No Campus and remote AP Decrypt-tunnel mode Yes Remote AP Split-tunnel mode Yes. Limited to VLANs that are tunneled to the controller. Mobility access switch Tunneled node Yes
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 7           Product Availability   Table 3 describes the DHCP fingerprint availability by platform.   Table 3 Product Availability   Platforms DHCP Fingerprinting Available Mobility Controller – 600, 3000, and M3 Series platforms Yes All Mobility Access Switch platforms Yes. Limited to VLANs that are tunneled to the controller All Instant AP platforms No     What is a DHCP Fingerprint?   DHCP is a client/server protocol. As shown in Figure 2, the DHCP client exchanges a series of packets with the DHCP server to obtain a unique IP address and other important networking information, such as the default gateway and DNS server.       Figure 2 DHCP protocol exchange   However, the DHCP protocol is not limited to obtaining basic IP networking information. It includes the flexibility to exchange vendor-specific information about the hardware or operating system of the device. This exchange is done by using DHCP options as defined by RFC 2132 (http://www.ietf.org/rfc/ rfc2132.txt). Use of DHCP options is vendor-, device-, and OS-dependent, which creates significant differences in the DHCP packets generated by various devices and thus constitutes a DHCP
Arub.OS DHCP Fingerprin'"g Applia tion Note ArubaNetworl<s,Inc. Deplo)ingDHCPFingerprinting 1 8     ........ ........ ·- t·-·l••l·-·1---13 I ........       "fingerprint" Figure 3 is an example of the options included in aDHCP DISCOVER message by an Apple iPad device.   oo Ineernee Proeocol , src: 0.0.0.0(0.0.0.0), Dse: 255.255.255.255(255.255.255.255) oo user Daeagram Proeocol , src Pore: booepc(68 , Dse Pore: booeps(67) B Booeserap Proeocol Message eype: Booe Requese (1) Hardware eype: Eehernee Hardware address lengeh: 6 Hops: 0 Transaceion ID: Oxd94e2ba0 seconds elapsed: 1 oo Booep flags: OxOOOO(unicase) cl iene IP address: 0.0.0.0(0.0.0.0) Your(cl iene) IP address: 0.0.0.0(0.0.0.0) Nexe server IP address: 0.0.0.0(0.0.0.0) Relay agene IP address: 0.0.0.0(0.0.0.0) cl iene MAC address: Apple_1b:40:31(a4:d1:d2:1b:40:31) cl iene hardware address padding: 00000000000000000000 server hose name noe gi ven Booe fi le name noe gi ven Magic cookie: DHCP oo Opeion: (e=53,1=1)DHCP Message Type = DHCP Discover B Opeion: (e=55,1=6)Parameeer Requese Lise Opeion: (55)Parameeer Requese Lise Lengeh: 6 value: 0103060f77fc 1 subnec Mask 3 = Roueer 6 = Domain Name server 15 = Domain Name 119 = Domain search [TODO:RFC3397] 252 = Pri vaee/Proxy aueodiscovery oo Opeion: (e=57,1=2)Maxi mum DHCP Message size = 1500 oo Opeion: (e=61,1=7)cl iene ideneifier oo Opeion: (e=51,1=4) IP Address Lease Ti me = 90 days oo opeion: (e=12,1=5)Hose Name = "i pad2" End Opeion Padding     uucu uu uu uu uu uu uu uu uu uu uu uu uu uu uu uu uu ........ ........ OOdO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 OOeO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OOfO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0120 0130 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 ........ c.sc5..tlj 39 02 05 de 3d 07 01 a4 0 0 - . 0 0 0 0140 d2 1 40 31 33 04 00 76 a7 00 Oc 05 69 70 61 64 ....i pad 0150 32 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0160 00 00 00 00 00 00 00 00 00 00 00 00   Figure3 Optionsin a DHCP DISCOVER message
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 9     arun_0485       The ArubaOS DHCP fingerprinting feature instructs the stateful firewall to inspect the DHCP packet exchange and identify the device or OS type. Firewall rules can then be used to derive roles for the specific device or OS type.     Identifying a DHCP Fingerprint     DHCP DNS         Mobility controller Mail Directory                     Air monitor           Client Client   Figure 4 Network diagram with an ArubaOS controller in the DHCP data path   ArubaOS DHCP fingerprinting relies on the stateful inspection of DHCP packet exchange, so it is required that the Aruba Mobility Controller is in the data path of the DHCP exchange. However, the mobility controller is not required to be the DHCP server. ArubaOS stateful firewall logs the DHCP options in the DHCP packets along with the MAC address of the client. To begin the process of examining a DHCP fingerprint, some debugging commands need to be set to make the packets visible. This process can be done either from the web interface or the CLI. We are looking for a value that is unique to a class of device. In cases where more than one DHCP fingerprint is found, any can be used. Typical values of DHCP options are hex: 0c, 37, 3c, or 51. These values correspond to DHCP option numbers: 12, 55, 60, or 81. The goal is to find a value that is unique to that device.   If multiple clients are connecting at the same time, be sure to select the DHCP signature that matches the test device MAC address. Log messages can also be restricted to show output that matches the specific MAC address of the test device. It is a best practice to validate the DHCP signatures using several devices of same type. For a list of validated DHCP signatures developed by the Aruba QA team, see Appendix A: Validated DHCP Fingerprint on page 21.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 10           Using the WebUI   1. Set the logging level for dhcp sub-category to level debugging. Navigate to Configuration Management  Logging Levels. 2. Navigate to Monitoring  Debug  Process Logs. 3. From the right-side frame, select the Search function and select Filter Criteria: Include and String: Options. Click Display. The logs automatically refresh.     Figure 5 Filter options   4. Ensure that the wireless client is set up for DHCP and connect to the wireless network. 5. Watch the filtered logs section for matching log messages. When the client sends out the DHCP DISCOVER or REQUEST packet, a log message that contains the DHCP option is generated. Figure 6 shows a log message from an Apple iPad device with MAC address a4:d1:d2:1b:40:31.                 Figure 6 Using WebUI log filtering to identify a DHCP fingerprint   The numerals displayed in the log message correspond to DHCP option 55 (37 in hex notation). In hexadecimal notation, option code 37 is followed by its operand values. The combined string forms the DHCP fingerprint 370103060F77FC.   Using the CLI   1. Ensure that the wireless client is set up for DHCP and connect to the wireless network. Note the wireless client MAC address. From the CLI, enter the “config terminal” context and enable logging level debug for DHCP.   (config)# logging level debugging network 2. Issue the CLI command to show log entries that match the MAC address of the client device being fingerprinted.   (config)#show log network all | include Options
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 11           3. Watch the filtered log messages for DHCP options. The output in Figure 7 is for an Apple iPad device with MAC address a4:d1:d2:1b:40:31.   (LC1-Sunnyvale-6000) (config) #show log all | include Options Sep 7 11:38:08 dhcpdwrap[1829]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan900: REQUEST a4:d1:d2:1b:40:31 reqIP=192.168.200.248 Options 37:0103060f77fc 39:05dc 3d:01a4d1d21b4031 36:c0a8c814 0c:6970616432   Figure 7 Using CLI log filtering to identify a DHCP fingerprint   From the log message output, we find DHCP options 55, 12, 50, and 51 (hex 37, 0C, 32, and 33 respectively). Based on Aruba internal testing, we have found that reliable DHCP signatures include DHCP options 12, 55, 60, and 81. We can use any of these options to build a DHCP signature. For example, if we select the option 55 (hex 37), to create a DHCP fingerprint, drop the colon (”:”) and include all the hex numerals before and after the colon. The DHCP fingerprint for device with MAC a4:d1:d2:1b:40:31 is 370103060F77FC.     User Role Creation   In an Aruba user-centric network, every device is associated with a user role based on login credentials, among other things. This same concept is extended to derive roles based on device type. For detailed configuration steps for roles and policies, refer to ArubaOS 6.1 User Guide, Chapter 12.   In our example, an enterprise has a mobile device access policy for two popular mobile device platforms, Apple iOS and Android, as shown in Table 4. Each class of device has a desired policy as determined by the organization. These policies are implemented by defining rules and applying them to the appropriate device-specific user role.   Table 4 Sample Mobile Device Access Policy for Android and iOS Devices   Mobile Device Platform Enterprise Access Policy Apple iOS Allow access to the corporate internal network via https only. Allow full access to the Internet. Android Deny all access to the corporate internal network. Allow full access to the Internet.   When devices connect to the WLAN network, they require a minimum set of services such as access to DHCP and DNS services. These services are defined in the Common-Policy and they are common to Apple iOS and Android device roles. Android devices are blocked from accessing the corporate internal network, while Apple iOS devices are allowed access to the internal network only through https. This permission is implemented in the block-internal-access and allow-corporate-https policies respectively. Finally, full access to the Internet is achieved by adding the allow-all policy as the last policy in the role.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 12           Configuration for Common Policies Shared by Android and iOS Devices   ip access-list session common user any udp 68 deny any any svc-dhcp permit any any svc-icmp permit user alias dns-servers svc-dns permit   Figure 8 Common policies shared by Android devices   Next we will configure the access to internal resources, which will be used for the allow policy for iOS and for the deny policy for Android. For this setup, we will create a network destination alias. Netdestinations allow you to specify blocks of addresses and later make changes to those blocks without rewriting firewall policy.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 13           Internal Corporate Network Destinations   netdestination Internal-Network network 10.0.0.0 255.0.0.0 network 172.16.0.0 255.255.0.0 network 192.168.0.0 255.255.0.0   Figure 9 Internal corporate network destinations   Next we will create two policies, one that allows corporate resources to be accessed via HTTPS, and one that denies all access to those same resources. First we will configure the iOS policy, then the Android policy.   Configuration for the iOS allow-corporate-https Policy   ip access-list session allow-corporate-https user alias Internal-Network svc-https permit user alias Internal-Network any deny     Figure 10 Configuration for the iOS allow-corporate-https policy
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 14           Configuration for iOS Device Role   user-role iOS-Device-Role access-list session common access-list session allow-corporate-https access-list session allowall     Figure 11 Policies for iOS device role   Policies for Android Devices   user-role Android-Device-Role access-list session common access-list session block-internal-access access-list session allowall     Figure 12 Policies for Android devices
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 15           User Role Derivation   After a DHCP fingerprint has been identified and the device-specific roles have been created, we can now configure the policy for the devices. To get the correct policy assigned, we use “user rules” to change the devices role. Roles that are derived using DHCP fingerprinting take precedence over those derived using other methods, such as server-derived roles or roles derived using an Aruba vendor- specific attribute (VSA). This precedence means that roles derived by the DHCP fingerprint feature prevail even if the RADIUS server is set up to return a role attribute that is different. This functionality allows users to log into a device such as a laptop and receive a normal role via RADIUS, and then use the same credentials on an iPad and receive a different device role. Roles are derived based on information learned from DHCP exchange, so devices receive this role after successful 802.11 association and Layer 2 authentication. For this reason, a role derived using DHCP fingerprinting is referred as the post-authentication role. It is important to note that while several ways are available for deriving a role in ArubaOS, DHCP fingerprinting is different from all of them. DHCP fingerprinting operates on attributes that become available after a successful authentication, which extends the role-derivation capability in a powerful way.           N O T E DHCP fingerprinting is classified as one of the methods under the user-derived role framework. However, it differs from other methods in an important respect. DHCP fingerprinting has higher precedence than all other role-derivation methods.     To derive device-specific roles from the WebUI and the CLI, follow these steps.   Using the WebUI   1. Navigate to Configuration  Security  Authentication. 2. Click User Rules. Click Add to add a user-derived rule. 3. Choose a name for the user-derived rule. See example byod-rules. 4. Click Add to add a new rule set. The screen in Figure 13 is displayed.   Figure 13 Adding rules to derive roles using DHCP Option from WebUI   5. For Set Type, choose Role to derive roles. 6. For Rule Type, choose DHCP-Option.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 16           7. For Condition, choose equals. This rule is set up especially to match DHCP option and its operand values in hex, so equals and starts-with are the only allowed conditions. 8. In the Value field, copy and paste the DHCP fingerprint. Ensure that no colon characters or extra whitespace are included and that only the hex numerals are included. 9. For Roles, choose the device-specific role that was created earlier.   Using the CLI   From the CLI, enter the “config terminal” context and issue the following commands: aaa derivation-rules user byod-rules set role condition dhcp-option equals "3C64686370636420342E302E3135" set-value Android-Device- Role description "Android devices" set role condition dhcp-option equals "370103060F77FC" set-value iOS-Device-Role description "iOS devices"
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 17           Chapter 3: User Role Life Cycle       ArubaOS DHCP fingerprinting provides an easy method to distinguish a user connected on corporate- issued laptop vs. another mobile device. When the corporate user connects to the Aruba system using the corporate laptop and the personal device, they receive different user roles. In this section, we follow the clients through various connectivity states, highlight the relevant configuration profiles, and describe how they influence the selection of user roles.     Connecting to the Wireless Network   When users scan the available wireless networks, they see the SSID that is defined in the SSID profile “corp-employee”. This SSID requires 802.1X authentication. This profile is configured in the Wireless LAN  Virtual AP context.     Figure 14 SSID profile for the Corp-Employee wireless network
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 18           In a typical enterprise, PEAP with MSCHAPv2 is a popular choice for 802.1X authentication. Users must login with their corporate credentials and passwords. This process is routine on the laptops. The process is similar on mobile devices. Users are now authenticated to the network based on their unique user credentials. The authentication process uses the AAA profile defined in the virtual AP profile as seen in Figure 15.                                                             Figure 15 AAA profile for corp-employee virtual AP profile     802.1X Authentication   The mobile device and laptop complete the 802.1X authentication and four-way handshake and derive the unique Pairwise Master Key (PMK) that is used to secure all further data transactions. Based on the AAA profile “corp-employee”, we see that both clients initially get the “logon” role as defined by the initial role setting. However this role is transient and clients soon migrate to new roles based on the user derivation rules, which are linked to the same AAA profile as shown in Figure 16.                             Figure 16 Initial role and user derivation rules in the AAA corp-employee profile
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 19           DHCP Exchange   At this point, the previously constructed user rule “byod-rules” comes into play. Specifically, when the clients are evaluated against this rule set, the Apple iPad matches the second rule and the corporate Windows laptop does not yield a match. As per our rule definition, the Apple iPad progresses to receive the “iOS-Device-Role”, and the corporate Windows laptop receives the “802.1X Authentication Default” role “employee” as defined by the AAA profile “corp-employee” shown in Figure 16 and Figure 17.   Figure 17 Rule set to derive device-specific roles     Validating DHCP-Derived User Roles   To view the client statistics, navigate to the controller Monitoring  Clients as seen in Figure 18. Verify that devices have been correctly detected and assigned appropriate roles. It is also interesting to note the Device Type column. Here Windows corporate laptops are identified by operating system type even though no DHCP fingerprint has been defined for the Windows corporate laptops.   This operating system identification is a result of a separate but related feature mechanism to detect device types. It operates by parsing the user-agent string (also known as the browser ID) in HTTP packets. This parsing is enabled by the Device Type Classification checkbox in the AAA profile. This feature is enabled by default. The user-agent string can be changed easily by misbehaving applications or intentional user action, which makes them less than reliable for user derivation roles.                     Figure 18 Monitor clients and verify the user roles from the WebUI
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 20           Conclusion   Enterprises and employees are rapidly adopting next-generation smartphones and tablet devices. Wireless is the only way to connect these devices to the network and WLAN is the primary method of connecting to an enterprise network. IT staff require tools that enable them to control the network usage, applications, content, and bandwidth and gain greater visibility into the user and type of devices. ArubaOS delivers a powerful new tool, DHCP fingerprinting, which enables IT staff to create and enforce granular policies per device, per application, and per user. This added functionality is made possible using the same Aruba WLAN infrastructure without adding additional appliances or re- architecting the network.
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Validated DHCP Fingerprint | 21           Appendix A: Validated DHCP Fingerprint       These device fingerprints must be used with an exact-match rule in ArubaOS.   Device DHCP Option DHCP Fingerprint Apple iOS Option 55 370103060F77FC Android Option 60 3C64686370636420342E302E3135 Blackberry Option 60 3C426C61636B4265727279 Windows 7/ Vista Desktop Option 55 37010f03062c2e2f1f2179f92b Windows XP(SP3, Home, Professional) Option 55 37010f03062c2e2f1f21f92b Windows Mobile Option 60 3c4d6963726f736f66742057696e646f777320434500 Windows 7 Phone Option 55 370103060f2c2e2f Apple Mac OSX (10.6 and below) Apple Mac OSX (10.7 and above) Option 55 370103060f775ffc2c2e2f 370103060f775ffc2c2e
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Contacting Aruba Networks | 22           Appendix B: Contacting Aruba Networks       Contacting Aruba Networks   Web Site Support Main Site http://www.arubanetworks.com Support Site https://support.arubanetworks.com Software Licensing Site https://licensing.arubanetworks.com/login.php Wireless Security Incident Response Team (WSIRT) http://www.arubanetworks.com/support/wsirt.php Support Emails   Americas and APAC support@arubanetworks.com EMEA emea_support@arubanetworks.com WSIRT Email Please email details of any security problem found in an Aruba product. wsirt@arubanetworks.com   Validated Reference Design Contact and User Forum Validated Reference Designs http://www.arubanetworks.com/vrd VRD Contact Email referencedesign@arubanetworks.com AirHeads Online User Forum http://airheads.arubanetworks.com   Telephone Support Aruba Corporate +1 (408) 227-4500 FAX +1 (408) 227-4550 Support  United States +1-800-WI-FI-LAN (800-943-4526)  Universal Free Phone Service Numbers (UIFN):  Australia   Reach: 1300 4 ARUBA (27822)  United States 1 800 9434526 1 650 3856589  Canada 1 800 9434526 1 650 3856589  United Kingdom BT: 0 825 494 34526 MCL: 0 825 494 34526
ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Contacting Aruba Networks | 23             Telephone Support  Universal Free Phone Service Numbers (UIFN):  Japan   IDC: 10 810 494 34526 * Select fixed phones IDC: 0061 010 812 494 34526 * Any fixed, mobile & payphone KDD: 10 813 494 34526 * Select fixed phones JT: 10 815 494 34526 * Select fixed phones JT: 0041 010 816 494 34526 * Any fixed, mobile & payphone  Korea   DACOM: 2 819 494 34526 KT: 1 820 494 34526 ONSE: 8 821 494 34526  Singapore   Singapore Telecom: 1 822 494 34526  Taiwan  (U)   CHT-I: 0 824 494 34526  Belgium   Belgacom: 0 827 494 34526  Israel   Bezeq: 14 807 494 34526 Barack ITC: 13 808 494 34526  Ireland   EIRCOM: 0 806 494 34526  Hong  Kong   HKTI: 1 805 494 34526  Germany   Deutsche Telkom: 0 804 494 34526  France   France Telecom: 0 803 494 34526  China  (P)   China Telecom South: 0 801 494 34526 China Netcom Group: 0 802 494 34526  Saudi  Arabia   800 8445708  UAE   800 04416077  Egypt   2510-0200 8885177267 * within Cairo 02-2510-0200 8885177267 * outside Cairo  India   91 044 66768150  

Recomendados

EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
Aruba, a Hewlett Packard Enterprise company
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
WLAN Design for Location, Voice & Video
WLAN Design for Location, Voice & VideoWLAN Design for Location, Voice & Video
WLAN Design for Location, Voice & Video
Aruba, a Hewlett Packard Enterprise company
 
Managing and Optimizing RF Spectrum for Aruba WLANs
Managing and Optimizing RF Spectrum for Aruba WLANsManaging and Optimizing RF Spectrum for Aruba WLANs
Managing and Optimizing RF Spectrum for Aruba WLANs
Aruba, a Hewlett Packard Enterprise company
 
Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshootingEMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
Aruba, a Hewlett Packard Enterprise company
 

Recomendados

EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
Aruba, a Hewlett Packard Enterprise company
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
WLAN Design for Location, Voice & Video
WLAN Design for Location, Voice & VideoWLAN Design for Location, Voice & Video
WLAN Design for Location, Voice & Video
Aruba, a Hewlett Packard Enterprise company
 
Managing and Optimizing RF Spectrum for Aruba WLANs
Managing and Optimizing RF Spectrum for Aruba WLANsManaging and Optimizing RF Spectrum for Aruba WLANs
Managing and Optimizing RF Spectrum for Aruba WLANs
Aruba, a Hewlett Packard Enterprise company
 
Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshootingEMEA Airheads- ArubaOS - Rogue AP troubleshooting
EMEA Airheads- ArubaOS - Rogue AP troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
Roaming behavior and Client Troubleshooting
Roaming behavior and Client TroubleshootingRoaming behavior and Client Troubleshooting
Roaming behavior and Client Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
Apple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass GuestApple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass Guest
Aruba, a Hewlett Packard Enterprise company
 
Guest Access with ArubaOS
Guest Access with ArubaOSGuest Access with ArubaOS
Guest Access with ArubaOS
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.xEMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.x
Aruba, a Hewlett Packard Enterprise company
 
3 aruba arm and cm
3 aruba arm and cm3 aruba arm and cm
3 aruba arm and cm
Venudhanraj
 
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf ItalyWi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP DeploymentEMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP Deployment
Aruba, a Hewlett Packard Enterprise company
 
Aruba Remote Access Point (RAP) Networks Validated Reference Design
Aruba Remote Access Point (RAP) Networks Validated Reference DesignAruba Remote Access Point (RAP) Networks Validated Reference Design
Aruba Remote Access Point (RAP) Networks Validated Reference Design
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2 EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2
Aruba, a Hewlett Packard Enterprise company
 
Aruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation GuideAruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation Guide
Aruba, a Hewlett Packard Enterprise company
 
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Aruba, a Hewlett Packard Enterprise company
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Aruba, a Hewlett Packard Enterprise company
 
Base Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference DesignBase Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference Design
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimizationEMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimization
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba CentralEMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba Central
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceEMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performance
Aruba, a Hewlett Packard Enterprise company
 
Best Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-FiBest Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-Fi
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Instant AP- Instant AP Best Practice Configuration
EMEA Airheads- Instant AP- Instant AP Best Practice ConfigurationEMEA Airheads- Instant AP- Instant AP Best Practice Configuration
EMEA Airheads- Instant AP- Instant AP Best Practice Configuration
Aruba, a Hewlett Packard Enterprise company
 
Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...
Abilash Soundararajan
 
Outdoor Point-to-Point Deployments
Outdoor Point-to-Point DeploymentsOutdoor Point-to-Point Deployments
Outdoor Point-to-Point Deployments
Aruba, a Hewlett Packard Enterprise company
 
Aruba 802.11n Networks Validated Reference Design
Aruba 802.11n Networks Validated Reference DesignAruba 802.11n Networks Validated Reference Design
Aruba 802.11n Networks Validated Reference Design
Aruba, a Hewlett Packard Enterprise company
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
 
Roaming behavior and Client Troubleshooting
Roaming behavior and Client TroubleshootingRoaming behavior and Client Troubleshooting
Roaming behavior and Client Troubleshooting
 
Apple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass GuestApple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass Guest
 
Guest Access with ArubaOS
Guest Access with ArubaOSGuest Access with ArubaOS
Guest Access with ArubaOS
 
EMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.xEMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.x
 
3 aruba arm and cm
3 aruba arm and cm3 aruba arm and cm
3 aruba arm and cm
 
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf ItalyWi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
Wi-Fi Behavior of Popular Mobile Devices #AirheadsConf Italy
 
EMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP DeploymentEMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP Deployment
 
Aruba Remote Access Point (RAP) Networks Validated Reference Design
Aruba Remote Access Point (RAP) Networks Validated Reference DesignAruba Remote Access Point (RAP) Networks Validated Reference Design
Aruba Remote Access Point (RAP) Networks Validated Reference Design
 
EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2 EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2
 
Aruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation GuideAruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation Guide
 
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
 
Base Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference DesignBase Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference Design
 
EMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimizationEMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimization
 
EMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba CentralEMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba Central
 
EMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceEMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performance
 
Best Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-FiBest Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-Fi
 
EMEA Airheads- Instant AP- Instant AP Best Practice Configuration
EMEA Airheads- Instant AP- Instant AP Best Practice ConfigurationEMEA Airheads- Instant AP- Instant AP Best Practice Configuration
EMEA Airheads- Instant AP- Instant AP Best Practice Configuration
 
Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...Aos & cppm integration configuration & testing document for eap tls & eap ...
Aos & cppm integration configuration & testing document for eap tls & eap ...
 

Destaque

Aruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference DesignsAruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference Designs
Aruba, a Hewlett Packard Enterprise company
 
Voice Support for Fixed Telecommuter Deployments
Voice Support for Fixed Telecommuter DeploymentsVoice Support for Fixed Telecommuter Deployments
Voice Support for Fixed Telecommuter Deployments
Aruba, a Hewlett Packard Enterprise company
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming Devices
Aruba, a Hewlett Packard Enterprise company
 

Destaque (10)

Outdoor Point-to-Point Deployments
Outdoor Point-to-Point DeploymentsOutdoor Point-to-Point Deployments
Outdoor Point-to-Point Deployments
 
Aruba 802.11n Networks Validated Reference Design
Aruba 802.11n Networks Validated Reference DesignAruba 802.11n Networks Validated Reference Design
Aruba 802.11n Networks Validated Reference Design
 
Aruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference DesignsAruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference Designs
 
Voice Support for Fixed Telecommuter Deployments
Voice Support for Fixed Telecommuter DeploymentsVoice Support for Fixed Telecommuter Deployments
Voice Support for Fixed Telecommuter Deployments
 
Lync over Aruba Wi-Fi Validated Reference Design Guide
Lync over Aruba Wi-Fi Validated Reference Design GuideLync over Aruba Wi-Fi Validated Reference Design Guide
Lync over Aruba Wi-Fi Validated Reference Design Guide
 
VRD-Indoor80211n 2012 05-31
VRD-Indoor80211n 2012 05-31VRD-Indoor80211n 2012 05-31
VRD-Indoor80211n 2012 05-31
 
Outdoor MIMO Wireless Networks
Outdoor MIMO Wireless NetworksOutdoor MIMO Wireless Networks
Outdoor MIMO Wireless Networks
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Aruba Mobility Controllers
 
RAP Networks Validated Reference Design
RAP Networks Validated Reference DesignRAP Networks Validated Reference Design
RAP Networks Validated Reference Design
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming Devices
 

Semelhante a ArubaOS DHCP Fingerprinting

Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Aruba, a Hewlett Packard Enterprise company
 
asdasdsadsadasdasdaddasdasdasdasdweqweqewqe
asdasdsadsadasdasdaddasdasdasdasdweqweqewqeasdasdsadsadasdasdaddasdasdasdasdweqweqewqe
asdasdsadsadasdasdaddasdasdasdasdweqweqewqe
almondzzzz938
 
M controller vrdv10
M controller vrdv10M controller vrdv10
M controller vrdv10
Minh Hoàng
 
Reduce refresh costs and gain more beyond security!
Reduce refresh costs and gain more beyond security!Reduce refresh costs and gain more beyond security!
Reduce refresh costs and gain more beyond security!
Salient Networks Limited
 
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
NetsysBilisim
 

Semelhante a ArubaOS DHCP Fingerprinting (20)

Amigopod and ArubaOS Integration
Amigopod and ArubaOS IntegrationAmigopod and ArubaOS Integration
Amigopod and ArubaOS Integration
 
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access SwitchVoice over IP (VoIP) Deployment with Aruba Mobility Access Switch
Voice over IP (VoIP) Deployment with Aruba Mobility Access Switch
 
Virtual Branch Networks
Virtual Branch NetworksVirtual Branch Networks
Virtual Branch Networks
 
Indoor80211n Aruba Wifi
Indoor80211n Aruba Wifi Indoor80211n Aruba Wifi
Indoor80211n Aruba Wifi
 
Airwaveand arubabestpracticesguide
Airwaveand arubabestpracticesguideAirwaveand arubabestpracticesguide
Airwaveand arubabestpracticesguide
 
Air group tb 080112_final
Air group tb 080112_finalAir group tb 080112_final
Air group tb 080112_final
 
Aruba Campus Wireless Networks
Aruba Campus Wireless NetworksAruba Campus Wireless Networks
Aruba Campus Wireless Networks
 
asdasdsadsadasdasdaddasdasdasdasdweqweqewqe
asdasdsadsadasdasdaddasdasdasdasdweqweqewqeasdasdsadsadasdasdaddasdasdasdasdweqweqewqe
asdasdsadsadasdasdaddasdasdasdasdweqweqewqe
 
aruba network
aruba networkaruba network
aruba network
 
Campus Redundancy Models
Campus Redundancy ModelsCampus Redundancy Models
Campus Redundancy Models
 
M controller vrdv10
M controller vrdv10M controller vrdv10
M controller vrdv10
 
Campus Network Design version 8
Campus Network Design version 8Campus Network Design version 8
Campus Network Design version 8
 
Virtual Intranet Access (VIA)
Virtual Intranet Access (VIA)Virtual Intranet Access (VIA)
Virtual Intranet Access (VIA)
 
Wp passpoint wi-fi
Wp passpoint wi-fiWp passpoint wi-fi
Wp passpoint wi-fi
 
Reduce refresh costs and gain more beyond security!
Reduce refresh costs and gain more beyond security!Reduce refresh costs and gain more beyond security!
Reduce refresh costs and gain more beyond security!
 
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
802.11Ac-icin-Rf-ve-Roaming-Optimizasyonu-Onerileri-.pdf
 
5G-Functional-Splits-V3-Feb2021.pdf
5G-Functional-Splits-V3-Feb2021.pdf5G-Functional-Splits-V3-Feb2021.pdf
5G-Functional-Splits-V3-Feb2021.pdf
 
Migrating to the 7200 controller george anderson marcus christensen
Migrating to the 7200 controller george anderson marcus christensenMigrating to the 7200 controller george anderson marcus christensen
Migrating to the 7200 controller george anderson marcus christensen
 
Aruba 650 Hardware and Installation Guide
Aruba 650 Hardware and Installation GuideAruba 650 Hardware and Installation Guide
Aruba 650 Hardware and Installation Guide
 
Aruba OS 6.4 Command Line Interface Reference Guide
Aruba OS 6.4 Command Line Interface Reference GuideAruba OS 6.4 Command Line Interface Reference Guide
Aruba OS 6.4 Command Line Interface Reference Guide
 

Mais de Aruba, a Hewlett Packard Enterprise company

Mais de Aruba, a Hewlett Packard Enterprise company (20)

Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
 
Airheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.xAirheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.x
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS SwitchEMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS Switch
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS SwitchEMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
 
Introduction to AirWave 10
Introduction to AirWave 10Introduction to AirWave 10
Introduction to AirWave 10
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchEMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
 
EMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant APEMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant AP
 
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.xEMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPMEMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xEMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)
 
Airheads Meetups: 8400 Presentation
Airheads Meetups: 8400 PresentationAirheads Meetups: 8400 Presentation
Airheads Meetups: 8400 Presentation
 
Airheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau PresentationAirheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau Presentation
 
Airheads Meetups- High density WLAN
Airheads Meetups- High density WLANAirheads Meetups- High density WLAN
Airheads Meetups- High density WLAN
 
Airheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes ArubaAirheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes Aruba
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
 
EMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgradeEMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgrade
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access PointBringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access Point
 
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI NavigationEMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
 

Último

!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
DUBAI (+971)581248768 BUY ABORTION PILLS IN ABU dhabi...Qatar
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Cracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' SlideshareCracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' Slideshare
Workforce Group
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
uneakwhite
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
pr788182
 

Último (20)

Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdf
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Cracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' SlideshareCracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' Slideshare
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 

ArubaOS DHCP Fingerprinting

  • 1.                                                                                 ArubaOS DHCP Fingerprinting   Version 1.0
  • 2. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. 2           Copyright   © 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions. Open Source Code   Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (“GPL”), GNU Lesser General Public License (“LGPL”), or other Open Source Licenses. The Open Source code used can be found at this site:   http://www.arubanetworks.com/open_source   Legal Notice   ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WEATHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY AND QUET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF ARUBA EXCEED THE AMOUNTS ACUTALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT OR FOR ARUBA PRODUCTS OR SERVICES PURSHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS.     Warning and Disclaimer   This guide is designed to provide information about wireless networking, which includes Aruba Network products. Though Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, this guide and the information in it is provided on an “as is” basis. Aruba assumes no liability or responsibility for any errors or omissions. ARUBA DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, ACCURACY, AND QUIET ENJOYMENT. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF ARUBA EXCEED THE AMOUNTS ACTUALLY PAID TO ARUBA UNDER ANY APPLICABLE WRITTEN AGREEMENT OR FOR ARUBA PRODUCTS OR SERVICES PURCHASED DIRECTLY FROM ARUBA, WHICHEVER IS LESS. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice.                                 www.arubanetworks.com   1344 Crossman Avenue Sunnyvale, California 94089   Phone: 408.227.4500 Fax 408.227.4550
  • 3. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Table of Contents | 3           Table of Contents   Chapter 1: Introduction 4   Reference Material 5   Chapter 2:   Deploying DHCP Fingerprinting   6   Prerequisites 6   Product Availability 7   What is a DHCP Fingerprint? 7   Identifying a DHCP Fingerprint 9   User Role Creation 11   User Role Derivation 15   Chapter 3:   User Role Life Cycle   17   Connecting to the Wireless Network 17   802.1X Authentication 18   DHCP Exchange 19   Validating DHCP-Derived User Roles 19   Conclusion 20   Appendix A:   Validated DHCP Fingerprint   21   Appendix B:   Contacting Aruba Networks   22   Contacting Aruba Networks 22
  • 4. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Introduction | 4           Chapter 1: Introduction       The explosive growth of mobile devices has challenged the network IT staff because mobile devices lack the option to connect using Ethernet, which is the dominant wired access technology. Leading industry analyst forecasts predict that by 2015 only 15% of the devices will have built-in Ethernet capability, as shown in Growth of mobile devices . As more of these devices connect using the enterprise wireless LAN, network administrators have noted that an employee typically has gone from using a single device to using three or more devices.   As network engineers get ready to support large numbers of smartphones and tablets in addition to laptops and desktops, they are realizing the importance of reliably identifying mobile devices. Gaining visibility into mobile device types is essential for network engineers to build granular access policies to maintain security and quality of service (QoS) for critical enterprise applications. This application note describes one such tool, ArubaOS DHCP Fingerprinting, which empowers the network engineers to reliably identify devices and to build and enforce device-specific policies.   Figure 1 Growth of mobile devices
  • 5. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Introduction | 5           Table 1 lists the current software versions for this guide.   Table 1 Aruba Software Versions   Product Version ArubaOS™ (mobility controllers) 6.1 ArubaOS (mobility access switch) 7.0 Aruba Instant™ 1.1 MeshOS 4.2 AirWave® 7.3 AmigopodOS 3.3     Reference Material    This guide assumes a working knowledge of Aruba products. This guide is based on the network detailed in the Aruba Campus Wireless Networks VRD and the Base Designs Lab Setup for Validated Reference Design. These guides are available for free at http://www.arubanetworks.com/vrd.  The complete suite of Aruba technical documentation is available for download from the Aruba support site. These documents present complete, detailed feature and functionality explanations outside the scope of the VRD series. The Aruba support site is located at: https://support.arubanetworks.com/. This site requires a user login and is for current Aruba customers with support contracts.
  • 6. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 6           Chapter 2: Deploying DHCP Fingerprinting       DHCP fingerprinting is used in conjunction with user roles on the Aruba Mobility Controller. When a user authenticates, their device type is taken into account. Based on that device type, a new role can be assigned to the device, such as restricting access to certain protocols or completely blocking access. Because the system relies on user-defined roles, each organization can develop a system that meets their unique requirements.     Prerequisites   This section describes the prerequisites and dependencies for the ArubaOS DHCP fingerprinting feature.   1. The ArubaOS DHCP fingerprinting feature is available on the mobility controller and mobility access switch platforms running ArubaOS version 6.0.1 or later.   2. The PEFNG license must be present on the platform to assign user roles using the ArubaOS DHCP fingerprinting feature.   3. Clients must be set up to request IP addresses automatically using DHCP.   4. The controller must be in the data path of DHCP exchange, but it does not have to be the DHCP server.   5. There are additional requirements based on the forwarding mode of the AP. Table 2 lists the forwarding mode and platform dependencies.   Table 2 DHCP Fingerprinting Availability by Forwarding Mode and Platform   Platform Forwarding Mode DHCP Fingerprinting Available Campus and remote AP Tunnel mode Yes Campus and remote AP Bridge mode No Campus and remote AP Decrypt-tunnel mode Yes Remote AP Split-tunnel mode Yes. Limited to VLANs that are tunneled to the controller. Mobility access switch Tunneled node Yes
  • 7. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 7           Product Availability   Table 3 describes the DHCP fingerprint availability by platform.   Table 3 Product Availability   Platforms DHCP Fingerprinting Available Mobility Controller – 600, 3000, and M3 Series platforms Yes All Mobility Access Switch platforms Yes. Limited to VLANs that are tunneled to the controller All Instant AP platforms No     What is a DHCP Fingerprint?   DHCP is a client/server protocol. As shown in Figure 2, the DHCP client exchanges a series of packets with the DHCP server to obtain a unique IP address and other important networking information, such as the default gateway and DNS server.       Figure 2 DHCP protocol exchange   However, the DHCP protocol is not limited to obtaining basic IP networking information. It includes the flexibility to exchange vendor-specific information about the hardware or operating system of the device. This exchange is done by using DHCP options as defined by RFC 2132 (http://www.ietf.org/rfc/ rfc2132.txt). Use of DHCP options is vendor-, device-, and OS-dependent, which creates significant differences in the DHCP packets generated by various devices and thus constitutes a DHCP
  • 8. Arub.OS DHCP Fingerprin'"g Applia tion Note ArubaNetworl<s,Inc. Deplo)ingDHCPFingerprinting 1 8     ........ ........ ·- t·-·l••l·-·1---13 I ........       "fingerprint" Figure 3 is an example of the options included in aDHCP DISCOVER message by an Apple iPad device.   oo Ineernee Proeocol , src: 0.0.0.0(0.0.0.0), Dse: 255.255.255.255(255.255.255.255) oo user Daeagram Proeocol , src Pore: booepc(68 , Dse Pore: booeps(67) B Booeserap Proeocol Message eype: Booe Requese (1) Hardware eype: Eehernee Hardware address lengeh: 6 Hops: 0 Transaceion ID: Oxd94e2ba0 seconds elapsed: 1 oo Booep flags: OxOOOO(unicase) cl iene IP address: 0.0.0.0(0.0.0.0) Your(cl iene) IP address: 0.0.0.0(0.0.0.0) Nexe server IP address: 0.0.0.0(0.0.0.0) Relay agene IP address: 0.0.0.0(0.0.0.0) cl iene MAC address: Apple_1b:40:31(a4:d1:d2:1b:40:31) cl iene hardware address padding: 00000000000000000000 server hose name noe gi ven Booe fi le name noe gi ven Magic cookie: DHCP oo Opeion: (e=53,1=1)DHCP Message Type = DHCP Discover B Opeion: (e=55,1=6)Parameeer Requese Lise Opeion: (55)Parameeer Requese Lise Lengeh: 6 value: 0103060f77fc 1 subnec Mask 3 = Roueer 6 = Domain Name server 15 = Domain Name 119 = Domain search [TODO:RFC3397] 252 = Pri vaee/Proxy aueodiscovery oo Opeion: (e=57,1=2)Maxi mum DHCP Message size = 1500 oo Opeion: (e=61,1=7)cl iene ideneifier oo Opeion: (e=51,1=4) IP Address Lease Ti me = 90 days oo opeion: (e=12,1=5)Hose Name = "i pad2" End Opeion Padding     uucu uu uu uu uu uu uu uu uu uu uu uu uu uu uu uu uu ........ ........ OOdO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 OOeO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OOfO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0120 0130 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 ........ c.sc5..tlj 39 02 05 de 3d 07 01 a4 0 0 - . 0 0 0 0140 d2 1 40 31 33 04 00 76 a7 00 Oc 05 69 70 61 64 ....i pad 0150 32 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0160 00 00 00 00 00 00 00 00 00 00 00 00   Figure3 Optionsin a DHCP DISCOVER message
  • 9. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 9     arun_0485       The ArubaOS DHCP fingerprinting feature instructs the stateful firewall to inspect the DHCP packet exchange and identify the device or OS type. Firewall rules can then be used to derive roles for the specific device or OS type.     Identifying a DHCP Fingerprint     DHCP DNS         Mobility controller Mail Directory                     Air monitor           Client Client   Figure 4 Network diagram with an ArubaOS controller in the DHCP data path   ArubaOS DHCP fingerprinting relies on the stateful inspection of DHCP packet exchange, so it is required that the Aruba Mobility Controller is in the data path of the DHCP exchange. However, the mobility controller is not required to be the DHCP server. ArubaOS stateful firewall logs the DHCP options in the DHCP packets along with the MAC address of the client. To begin the process of examining a DHCP fingerprint, some debugging commands need to be set to make the packets visible. This process can be done either from the web interface or the CLI. We are looking for a value that is unique to a class of device. In cases where more than one DHCP fingerprint is found, any can be used. Typical values of DHCP options are hex: 0c, 37, 3c, or 51. These values correspond to DHCP option numbers: 12, 55, 60, or 81. The goal is to find a value that is unique to that device.   If multiple clients are connecting at the same time, be sure to select the DHCP signature that matches the test device MAC address. Log messages can also be restricted to show output that matches the specific MAC address of the test device. It is a best practice to validate the DHCP signatures using several devices of same type. For a list of validated DHCP signatures developed by the Aruba QA team, see Appendix A: Validated DHCP Fingerprint on page 21.
  • 10. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 10           Using the WebUI   1. Set the logging level for dhcp sub-category to level debugging. Navigate to Configuration Management  Logging Levels. 2. Navigate to Monitoring  Debug  Process Logs. 3. From the right-side frame, select the Search function and select Filter Criteria: Include and String: Options. Click Display. The logs automatically refresh.     Figure 5 Filter options   4. Ensure that the wireless client is set up for DHCP and connect to the wireless network. 5. Watch the filtered logs section for matching log messages. When the client sends out the DHCP DISCOVER or REQUEST packet, a log message that contains the DHCP option is generated. Figure 6 shows a log message from an Apple iPad device with MAC address a4:d1:d2:1b:40:31.                 Figure 6 Using WebUI log filtering to identify a DHCP fingerprint   The numerals displayed in the log message correspond to DHCP option 55 (37 in hex notation). In hexadecimal notation, option code 37 is followed by its operand values. The combined string forms the DHCP fingerprint 370103060F77FC.   Using the CLI   1. Ensure that the wireless client is set up for DHCP and connect to the wireless network. Note the wireless client MAC address. From the CLI, enter the “config terminal” context and enable logging level debug for DHCP.   (config)# logging level debugging network 2. Issue the CLI command to show log entries that match the MAC address of the client device being fingerprinted.   (config)#show log network all | include Options
  • 11. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 11           3. Watch the filtered log messages for DHCP options. The output in Figure 7 is for an Apple iPad device with MAC address a4:d1:d2:1b:40:31.   (LC1-Sunnyvale-6000) (config) #show log all | include Options Sep 7 11:38:08 dhcpdwrap[1829]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan900: REQUEST a4:d1:d2:1b:40:31 reqIP=192.168.200.248 Options 37:0103060f77fc 39:05dc 3d:01a4d1d21b4031 36:c0a8c814 0c:6970616432   Figure 7 Using CLI log filtering to identify a DHCP fingerprint   From the log message output, we find DHCP options 55, 12, 50, and 51 (hex 37, 0C, 32, and 33 respectively). Based on Aruba internal testing, we have found that reliable DHCP signatures include DHCP options 12, 55, 60, and 81. We can use any of these options to build a DHCP signature. For example, if we select the option 55 (hex 37), to create a DHCP fingerprint, drop the colon (”:”) and include all the hex numerals before and after the colon. The DHCP fingerprint for device with MAC a4:d1:d2:1b:40:31 is 370103060F77FC.     User Role Creation   In an Aruba user-centric network, every device is associated with a user role based on login credentials, among other things. This same concept is extended to derive roles based on device type. For detailed configuration steps for roles and policies, refer to ArubaOS 6.1 User Guide, Chapter 12.   In our example, an enterprise has a mobile device access policy for two popular mobile device platforms, Apple iOS and Android, as shown in Table 4. Each class of device has a desired policy as determined by the organization. These policies are implemented by defining rules and applying them to the appropriate device-specific user role.   Table 4 Sample Mobile Device Access Policy for Android and iOS Devices   Mobile Device Platform Enterprise Access Policy Apple iOS Allow access to the corporate internal network via https only. Allow full access to the Internet. Android Deny all access to the corporate internal network. Allow full access to the Internet.   When devices connect to the WLAN network, they require a minimum set of services such as access to DHCP and DNS services. These services are defined in the Common-Policy and they are common to Apple iOS and Android device roles. Android devices are blocked from accessing the corporate internal network, while Apple iOS devices are allowed access to the internal network only through https. This permission is implemented in the block-internal-access and allow-corporate-https policies respectively. Finally, full access to the Internet is achieved by adding the allow-all policy as the last policy in the role.
  • 12. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 12           Configuration for Common Policies Shared by Android and iOS Devices   ip access-list session common user any udp 68 deny any any svc-dhcp permit any any svc-icmp permit user alias dns-servers svc-dns permit   Figure 8 Common policies shared by Android devices   Next we will configure the access to internal resources, which will be used for the allow policy for iOS and for the deny policy for Android. For this setup, we will create a network destination alias. Netdestinations allow you to specify blocks of addresses and later make changes to those blocks without rewriting firewall policy.
  • 13. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 13           Internal Corporate Network Destinations   netdestination Internal-Network network 10.0.0.0 255.0.0.0 network 172.16.0.0 255.255.0.0 network 192.168.0.0 255.255.0.0   Figure 9 Internal corporate network destinations   Next we will create two policies, one that allows corporate resources to be accessed via HTTPS, and one that denies all access to those same resources. First we will configure the iOS policy, then the Android policy.   Configuration for the iOS allow-corporate-https Policy   ip access-list session allow-corporate-https user alias Internal-Network svc-https permit user alias Internal-Network any deny     Figure 10 Configuration for the iOS allow-corporate-https policy
  • 14. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 14           Configuration for iOS Device Role   user-role iOS-Device-Role access-list session common access-list session allow-corporate-https access-list session allowall     Figure 11 Policies for iOS device role   Policies for Android Devices   user-role Android-Device-Role access-list session common access-list session block-internal-access access-list session allowall     Figure 12 Policies for Android devices
  • 15. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 15           User Role Derivation   After a DHCP fingerprint has been identified and the device-specific roles have been created, we can now configure the policy for the devices. To get the correct policy assigned, we use “user rules” to change the devices role. Roles that are derived using DHCP fingerprinting take precedence over those derived using other methods, such as server-derived roles or roles derived using an Aruba vendor- specific attribute (VSA). This precedence means that roles derived by the DHCP fingerprint feature prevail even if the RADIUS server is set up to return a role attribute that is different. This functionality allows users to log into a device such as a laptop and receive a normal role via RADIUS, and then use the same credentials on an iPad and receive a different device role. Roles are derived based on information learned from DHCP exchange, so devices receive this role after successful 802.11 association and Layer 2 authentication. For this reason, a role derived using DHCP fingerprinting is referred as the post-authentication role. It is important to note that while several ways are available for deriving a role in ArubaOS, DHCP fingerprinting is different from all of them. DHCP fingerprinting operates on attributes that become available after a successful authentication, which extends the role-derivation capability in a powerful way.           N O T E DHCP fingerprinting is classified as one of the methods under the user-derived role framework. However, it differs from other methods in an important respect. DHCP fingerprinting has higher precedence than all other role-derivation methods.     To derive device-specific roles from the WebUI and the CLI, follow these steps.   Using the WebUI   1. Navigate to Configuration  Security  Authentication. 2. Click User Rules. Click Add to add a user-derived rule. 3. Choose a name for the user-derived rule. See example byod-rules. 4. Click Add to add a new rule set. The screen in Figure 13 is displayed.   Figure 13 Adding rules to derive roles using DHCP Option from WebUI   5. For Set Type, choose Role to derive roles. 6. For Rule Type, choose DHCP-Option.
  • 16. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Deploying DHCP Fingerprinting | 16           7. For Condition, choose equals. This rule is set up especially to match DHCP option and its operand values in hex, so equals and starts-with are the only allowed conditions. 8. In the Value field, copy and paste the DHCP fingerprint. Ensure that no colon characters or extra whitespace are included and that only the hex numerals are included. 9. For Roles, choose the device-specific role that was created earlier.   Using the CLI   From the CLI, enter the “config terminal” context and issue the following commands: aaa derivation-rules user byod-rules set role condition dhcp-option equals "3C64686370636420342E302E3135" set-value Android-Device- Role description "Android devices" set role condition dhcp-option equals "370103060F77FC" set-value iOS-Device-Role description "iOS devices"
  • 17. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 17           Chapter 3: User Role Life Cycle       ArubaOS DHCP fingerprinting provides an easy method to distinguish a user connected on corporate- issued laptop vs. another mobile device. When the corporate user connects to the Aruba system using the corporate laptop and the personal device, they receive different user roles. In this section, we follow the clients through various connectivity states, highlight the relevant configuration profiles, and describe how they influence the selection of user roles.     Connecting to the Wireless Network   When users scan the available wireless networks, they see the SSID that is defined in the SSID profile “corp-employee”. This SSID requires 802.1X authentication. This profile is configured in the Wireless LAN  Virtual AP context.     Figure 14 SSID profile for the Corp-Employee wireless network
  • 18. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 18           In a typical enterprise, PEAP with MSCHAPv2 is a popular choice for 802.1X authentication. Users must login with their corporate credentials and passwords. This process is routine on the laptops. The process is similar on mobile devices. Users are now authenticated to the network based on their unique user credentials. The authentication process uses the AAA profile defined in the virtual AP profile as seen in Figure 15.                                                             Figure 15 AAA profile for corp-employee virtual AP profile     802.1X Authentication   The mobile device and laptop complete the 802.1X authentication and four-way handshake and derive the unique Pairwise Master Key (PMK) that is used to secure all further data transactions. Based on the AAA profile “corp-employee”, we see that both clients initially get the “logon” role as defined by the initial role setting. However this role is transient and clients soon migrate to new roles based on the user derivation rules, which are linked to the same AAA profile as shown in Figure 16.                             Figure 16 Initial role and user derivation rules in the AAA corp-employee profile
  • 19. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 19           DHCP Exchange   At this point, the previously constructed user rule “byod-rules” comes into play. Specifically, when the clients are evaluated against this rule set, the Apple iPad matches the second rule and the corporate Windows laptop does not yield a match. As per our rule definition, the Apple iPad progresses to receive the “iOS-Device-Role”, and the corporate Windows laptop receives the “802.1X Authentication Default” role “employee” as defined by the AAA profile “corp-employee” shown in Figure 16 and Figure 17.   Figure 17 Rule set to derive device-specific roles     Validating DHCP-Derived User Roles   To view the client statistics, navigate to the controller Monitoring  Clients as seen in Figure 18. Verify that devices have been correctly detected and assigned appropriate roles. It is also interesting to note the Device Type column. Here Windows corporate laptops are identified by operating system type even though no DHCP fingerprint has been defined for the Windows corporate laptops.   This operating system identification is a result of a separate but related feature mechanism to detect device types. It operates by parsing the user-agent string (also known as the browser ID) in HTTP packets. This parsing is enabled by the Device Type Classification checkbox in the AAA profile. This feature is enabled by default. The user-agent string can be changed easily by misbehaving applications or intentional user action, which makes them less than reliable for user derivation roles.                     Figure 18 Monitor clients and verify the user roles from the WebUI
  • 20. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. User Role Life Cycle | 20           Conclusion   Enterprises and employees are rapidly adopting next-generation smartphones and tablet devices. Wireless is the only way to connect these devices to the network and WLAN is the primary method of connecting to an enterprise network. IT staff require tools that enable them to control the network usage, applications, content, and bandwidth and gain greater visibility into the user and type of devices. ArubaOS delivers a powerful new tool, DHCP fingerprinting, which enables IT staff to create and enforce granular policies per device, per application, and per user. This added functionality is made possible using the same Aruba WLAN infrastructure without adding additional appliances or re- architecting the network.
  • 21. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Validated DHCP Fingerprint | 21           Appendix A: Validated DHCP Fingerprint       These device fingerprints must be used with an exact-match rule in ArubaOS.   Device DHCP Option DHCP Fingerprint Apple iOS Option 55 370103060F77FC Android Option 60 3C64686370636420342E302E3135 Blackberry Option 60 3C426C61636B4265727279 Windows 7/ Vista Desktop Option 55 37010f03062c2e2f1f2179f92b Windows XP(SP3, Home, Professional) Option 55 37010f03062c2e2f1f21f92b Windows Mobile Option 60 3c4d6963726f736f66742057696e646f777320434500 Windows 7 Phone Option 55 370103060f2c2e2f Apple Mac OSX (10.6 and below) Apple Mac OSX (10.7 and above) Option 55 370103060f775ffc2c2e2f 370103060f775ffc2c2e
  • 22. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Contacting Aruba Networks | 22           Appendix B: Contacting Aruba Networks       Contacting Aruba Networks   Web Site Support Main Site http://www.arubanetworks.com Support Site https://support.arubanetworks.com Software Licensing Site https://licensing.arubanetworks.com/login.php Wireless Security Incident Response Team (WSIRT) http://www.arubanetworks.com/support/wsirt.php Support Emails   Americas and APAC support@arubanetworks.com EMEA emea_support@arubanetworks.com WSIRT Email Please email details of any security problem found in an Aruba product. wsirt@arubanetworks.com   Validated Reference Design Contact and User Forum Validated Reference Designs http://www.arubanetworks.com/vrd VRD Contact Email referencedesign@arubanetworks.com AirHeads Online User Forum http://airheads.arubanetworks.com   Telephone Support Aruba Corporate +1 (408) 227-4500 FAX +1 (408) 227-4550 Support  United States +1-800-WI-FI-LAN (800-943-4526)  Universal Free Phone Service Numbers (UIFN):  Australia   Reach: 1300 4 ARUBA (27822)  United States 1 800 9434526 1 650 3856589  Canada 1 800 9434526 1 650 3856589  United Kingdom BT: 0 825 494 34526 MCL: 0 825 494 34526
  • 23. ArubaOS DHCP Fingerprinting Application Note Aruba Networks, Inc. Contacting Aruba Networks | 23             Telephone Support  Universal Free Phone Service Numbers (UIFN):  Japan   IDC: 10 810 494 34526 * Select fixed phones IDC: 0061 010 812 494 34526 * Any fixed, mobile & payphone KDD: 10 813 494 34526 * Select fixed phones JT: 10 815 494 34526 * Select fixed phones JT: 0041 010 816 494 34526 * Any fixed, mobile & payphone  Korea   DACOM: 2 819 494 34526 KT: 1 820 494 34526 ONSE: 8 821 494 34526  Singapore   Singapore Telecom: 1 822 494 34526  Taiwan  (U)   CHT-I: 0 824 494 34526  Belgium   Belgacom: 0 827 494 34526  Israel   Bezeq: 14 807 494 34526 Barack ITC: 13 808 494 34526  Ireland   EIRCOM: 0 806 494 34526  Hong  Kong   HKTI: 1 805 494 34526  Germany   Deutsche Telkom: 0 804 494 34526  France   France Telecom: 0 803 494 34526  China  (P)   China Telecom South: 0 801 494 34526 China Netcom Group: 0 802 494 34526  Saudi  Arabia   800 8445708  UAE   800 04416077  Egypt   2510-0200 8885177267 * within Cairo 02-2510-0200 8885177267 * outside Cairo  India   91 044 66768150