DHCP fingerprinting (available in ArubaOS 220.127.116.11 and above) is a very powerful feature to classify different mobile devices from the particular user.
DHCP Fingerprinting is a means of passively identifying the operating system of a device via option in a DHCP frame.
One use is to differentiate devices that share the same network. For example, if your wireless phones, as well as your laptops both do 802.1x, instead of creating two separate networks for each, you can write a rule looking for that phone’s DHCP option and put it into a role that optimizes VOIP traffic; the laptops will get the default enterprise role. If you have a 802.1x wireless network for your laptops and employees keep connecting to it with their smartphones, you could write a rule that gives smartphone users that connect via AD credentials a different role to keep that traffic separate from employee traffic, but allow them to easily connect to your network without having to type credentials in a tiny captive portal screen time and time again.
This is how you can configure and use DHCP fingerprinting.
First, we have to enable some logging to see the DHCP fingerprint info.
(config) #logging level debugging network subcat dhcp
Now check the log:
# show log network 10
In the log you can see the following output:
<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:22:fb:23:dc:88 reqIP=10.1.1.118 Options 3d:010022fb23dc88 0c:706273 51:000000706273 3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b
To write the rule, you are looking for an option that has a 0c, 37, 3c or 51 before the colon. In my case, the interesting part is the bold part. This is a Win7 machine.
Now we can write the aaa derivation-rule.
aaa derivation-rules user dhcp-fingerprint-rule
set role condition dhcp-option equals "37010f03062c2e2f1f2179f92b" set-value test description "win7"
set role condition dhcp-option equals "370103060f77fc" set-value guest description "iPad"
Now we have to mount the derivation rule to the aaa profile you want:
aaa profile "company-aaa_prof"