Antonio Perez

User Tools

Site Tools

Trace:
aruba_networks:controller:arubaos_dhcp_fingerprinting

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
aruba_networks:controller:arubaos_dhcp_fingerprinting [2020/09/22 23:21] aperezaruba_networks:controller:arubaos_dhcp_fingerprinting [2020/09/22 23:25] (current) aperez
Line 110: Line 110:
 {{:aruba_networks:controller:fingerprint5.png?600|}} {{:aruba_networks:controller:fingerprint5.png?600|}}
  
 +**Note: When there are multiple rules which a client would matches; the first rule is used to derive role. Hence; the rules must be ordered from most specific to least specific.**
 +
 +If a VLAN is mapped to the ROLE deriver via DHCP-Option; it will not take effect.
 +
 +Below is a table which includes fingerprints for major operating systems.
 +
 +{{:aruba_networks:controller:fingerprint6.png?600|}}
 +
 +
 +----
 +
 +**Sample Scenarios**
 +
 +**GIVE SPECIAL PRIVILEGE TO A SPECIFIC USER**
 +
 +There maybe instances where one specific user / set of users (example :: CEO’s cellphone) must be treated differently.   Option 61 can be used to achieve this. As Option 61 is based on the MAC address; the device can be uniquely identified and placed in a specific role. It must be noted that Option 61 based rule must always be on top of the rule list to ensure it gets hit first.
 +
 +**WINDOWS DEVICES**
 +
 +**Rule for Windows XP, Vista and 7**
 +
 +All three OS versions send MSFT 5.0 for Option 60.
 +
 +DHCP-Option value equal to 3C4D53465420352E30 can be used to classify all three latest Windows Client OS versions (i.e. XP, Vista & 7).
 +
 +**Rule for Windows Vista and 7 alone**
 +
 +DHCP-Option value equal to 37010f03062c2e2f1f2179f92b can be used to classify Windows Vista & 7 OS devices.
 +All Windows Devices from Windows 95
 +
 +A starts-with “37010f03062c2e2f" rule can be used to classify all Windows Client OS devices from Windows 95 till Windows 7.
 +
 +**APPLE DEVICES**
 +
 +iOS Devices
 +
 +DHCP-Option value equal to  370103060f77fc can be used to classify iOS devices
 +
 +**All Apple Devices**
 +
 +A rule with DHCP-Option value starts with 370103060f77 can be used to classify all iOS and Mac OS X devices.
 + 
 +There can be two cases a) Clients hitting the wrong rule b) Client not hitting the rule.
 +
 +For the case client hitting the wrong rule; ensure the rules ordered from most specific rule to least specific. This would ensure the client hits the right rule i.e. first match.
 +
 +For the case of client not hitting the rule; we would need to validate if the DHC-Option value used in configuration is right.
 +
 +With logging level set to debug for User category; Instant would be able to the DHCP fingerprint and role derivation information.
 +
 +To enable debugging; navigate to Settings --> Show Advanced Options --> Syslog --> User --> Debug.
 +
 +{{:aruba_networks:controller:fingerprint7.png?600|}}
 +
 +With debugging enabled; the required information is available under “AP Log User” option under Support tab.  
 +
 +Optionally; the output can be filtered using “DHCP”. Below example shows role derivation for a client which matched “Win7” rule.
 +
 +{{:aruba_networks:controller:fingerprint8.png?600|}}
 + 
  
  
aruba_networks/controller/arubaos_dhcp_fingerprinting.1600834889.txt.gz · Last modified: 2020/09/22 23:21 by aperez
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki