Archive for the ‘Aruba Networks’ Category

USE DHCP FINGERPRINTING WITH ARUBA WIRELESS

September 8th, 2011, by peter

DHCP fingerprinting (available in ArubaOS 6.0.1.0 and above) is a very powerful feature for classifying the different mobile devices a particular user connects with.

DHCP fingerprinting is a means of passively identifying the operating system of a device via the options in its DHCP frames.

One use is to differentiate devices that share the same network. For example, if your wireless phones, as well as your laptops both do 802.1x, instead of creating two separate networks for each, you can write a rule looking for that phone’s DHCP option and put it into a role that optimizes VOIP traffic; the laptops will get the default enterprise role. If you have a 802.1x wireless network for your laptops and employees keep connecting to it with their smartphones, you could write a rule that gives smartphone users that connect via AD credentials a different role to keep that traffic separate from employee traffic, but allow them to easily connect to your network without having to type credentials in a tiny captive portal screen time and time again.

This is how you can configure and use DHCP fingerprinting.

First, we have to enable some logging to see the DHCP fingerprint info.

(config) #logging level debugging network subcat dhcp

Now check the log:

# show log network 10

In the log you can see the following output:

<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:22:fb:23:dc:88 reqIP=10.1.1.118 Options 3d:010022fb23dc88 0c:706273 51:000000706273 3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b

To write the rule, look for the options whose code (the part before the colon) is 0c, 37, 3c or 51. In my case the interesting part is option 37, 37:010f03062c2e2f1f2179f92b. This is a Win7 machine.

Now we can write the aaa derivation-rule.

aaa derivation-rules user dhcp-fingerprint-rule
  set role condition dhcp-option equals "37010f03062c2e2f1f2179f92b" set-value test description "win7"
  set role condition dhcp-option equals "370103060f77fc" set-value guest description "iPad"
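As an added example (not code from the post or from Aruba), here is a small Python parser for the Options part of that log line: it decodes the options the post singles out and evaluates the derivation rule above the way the controller does, first match wins. The sample line, the rule table and the default role name "authenticated" are constructed assumptions for the example.

```python
import re

# Constructed sample: the REQUEST line from the post, as printed by "show log network"
SAMPLE_LOG = ("<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:22:fb:23:dc:88 "
              "reqIP=10.1.1.118 Options 3d:010022fb23dc88 0c:706273 "
              "51:000000706273 3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b")

# Option codes the post singles out for fingerprinting (hex, as printed in the log)
FINGERPRINT_OPTIONS = {0x0c: "host-name", 0x37: "parameter-request-list",
                       0x3c: "vendor-class-id", 0x51: "client-fqdn"}

# Constructed rule table mirroring the aaa derivation-rule in the post:
# (dhcp-option match string, role, description), evaluated in order
RULES = [("37010f03062c2e2f1f2179f92b", "test", "win7"),
         ("370103060f77fc", "guest", "iPad")]


def parse_options(line):
    """Return {option_code: hex_payload} from a dhcpdwrap debug line, {} if absent."""
    m = re.search(r"\bOptions\s+(.+)$", line)
    if not m:
        return {}
    opts = {}
    for token in m.group(1).split():
        code, sep, payload = token.partition(":")
        if sep:
            opts[int(code, 16)] = payload.lower()
    return opts


def match_string(opts, code):
    """The value compared by 'dhcp-option equals': option code followed by its payload."""
    return f"{code:02x}{opts[code]}" if code in opts else None


def decode_prl(payload):
    """Option 55 (0x37) payload: one byte per option number the client asks for."""
    return [int(payload[i:i + 2], 16) for i in range(0, len(payload), 2)]


def decode_ascii(payload):
    """Options 12 (0x0c) and 60 (0x3c) carry plain text: host name, vendor class."""
    return bytes.fromhex(payload).decode("ascii", errors="replace")


def derive_role(line, rules=RULES, default_role="authenticated"):
    """First matching rule wins; the default role name is an assumption."""
    opts = parse_options(line)
    for match, role, description in rules:
        if match_string(opts, int(match[:2], 16)) == match:
            return role, description
    return default_role, None
```

Decoding option 3c of the sample gives the vendor class "MSFT 5.0" and option 0c the host name "pbs", which is how the parameter request list ends up being tied to a Windows client.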

Now we have to attach the derivation rule to the aaa profile you want to use it with:

aaa profile "company-aaa_prof"
   user-derivation-rules "dhcp-fingerprint-rule"

The original post from the Airheads forum can be found here.
Another post with some fingerprint examples can be found here.

USEFUL COMMANDS FOR THE ARUBA MC

July 5th, 2010, by peter

While working with the Aruba Networks Mobility Controller, I have collected some useful commands for the daily operation of the controller. The following commands apply to ArubaOS 5.0.

The list will be expanded in the future.

LICENSING COMMANDS

#show license
#show license limit

USER COMMANDS

#show user – displays the users that are currently connected to the MC.
#aaa user clear-sessions [A.B.C.D.] – This command clears ongoing sessions for the specified client.
#aaa user delete [A.B.C.D.] – This command deletes clients, users, or roles.

ACL COMMANDS

#show acl hits role [STRING] – Show internal ACL hit counters.
#show acl hits

LOG COMMANDS

#show log security 20 – displays the last 20 entries of the security log buffer. Useful when you suspect a problem with an AAA profile.


Configuring Remote Networking with Aruba RAP’s

February 1st, 2010, by peter

These days I have been busy configuring a remote networking setup built around an Aruba Mobility Controller (MC) 3200 in conjunction with RAP2WG remote access points. What follows is a basic configuration of such an Aruba RAP deployment.

As the procedure to set up the controller can be a little confusing, I decided to post it on my weblog.

In short, the following steps need to be done to get a basic RN (remote networking) setup working:

1. configure the controller basics, e.g. IP address, vlans, trunks, etc.
2. define the aaa profile
3. define the ssid profile
4. define the virtual access-point profile (VAP)
5. define VPN settings
6. define provision profile
7. define AP group
8. whitelist the RAP’s
9. open firewall ports
10. provision the RAP’s (“zero touch”)

Well, let's start. All of this can be done through either the GUI or the CLI of the MC, and you can adapt the settings to your own environment where needed.

step 1: configure the controller basics such as IP address, gateway, vlans, etc.

Part of this step can be done in the initial configuration dialog that appears when you first boot the MC; the rest has to be done afterwards. I configured a vlan (11) in a DMZ zone of a firewall, and a vlan (60) for the wireless clients. I use port Gi1/0 as a trunk to the core switch with only vlans 11 and 60 allowed. I have created a loopback interface for the RAP's to connect to.

This is all done with the following config:

hostname "Aruba3200"
clock timezone GMT 1

interface loopback
        ip address 10.1.1.200
!

vlan 11 "dmz"
vlan 60 "wireless-clients"

interface gigabitethernet  1/0
        description "GE1/0"
        trusted
        switchport mode trunk
        switchport trunk allowed vlan 11,60

interface vlan 1
        ip address 172.16.0.254 255.255.255.0
!

interface vlan 11
        ip address 10.1.1.199 255.255.255.0
!

ip default-gateway 10.1.1.1

step 2: define the aaa profile

aaa profile "wifi-aaa-profile"
   authentication-dot1x "default"

step 3: define the ssid profile

I used WPA-PSK with TKIP for encryption, but you can use the mode you prefer.

wlan ssid-profile "wifi-ssid-profile"
   essid "justforfun"
   opmode wpa-psk-tkip
   wpa-passphrase *****

step 4: define the virtual access-point profile (VAP)

Bind the aaa and ssid profiles together in the VAP profile and define the vlan.

wlan virtual-ap "my-vap-profile"
   ssid-profile "wifi-ssid-profile"
   vlan 60
   aaa-profile "wifi-aaa-profile"

step 5: define the VPN settings for the RAP2WG’s (GUI)

The 3DES policy (priority 5 in this example) needs to be added for the RAP2WG's.

image

An IP address pool needs to be defined for the RAP2WG's. These addresses need to be unique in the routing domain.

ip local pool "albron-aps" 10.10.10.1 10.10.10.10
vpdn group l2tp
  ppp authentication PAP

step 6: define the provisioning profile

ap provisioning-profile "my-provisioning-profile"
   remote-ap
   master "x.x.x.x" #public IP of the controller, or the NAT address of the firewall

step 7: define the AP group

In the AP group, the VAP profile and the provisioning profile come together.

ap-group "MyAPGroup"
   virtual-ap "my-vap-profile"
   provisioning-profile "my-provisioning-profile"

step 8: whitelist the RAP’s

The new RAP's need to be whitelisted by MAC address to be accepted by the MC. This is done in the following part of the GUI, where the RAP's are also associated with the AP group "MyAPGroup".

image

step 9: open firewall ports

From the Internet side, you only have to open port udp/4500 (IPsec NAT-T) towards the MC.

step 10: provision the RAP

The final step is to provide the RAP with the information it needs: the IP address at which the MC can be reached. Connect a wired PC to port E1 of the RAP2WG and port E0 to a regular Internet connection (modem or router). Once the RAP2WG has booted (a couple of minutes), open a browser on the wired PC and type in any URL. The RAP configuration screen appears, and the IP address of the mobility controller has to be entered there.

image

When this is done, the RAP2WG connects to the mobility controller and registers with it. After a couple of minutes the RAP reboots again and starts broadcasting the configured ESSID.

image
