This guide focuses on configuration of DHCP fingerprinting, which is used in conjunction with user roles on the Aruba Mobility Controller. When a user authenticates, their device type is taken into account. Based on that device type, a new role can be assigned to the device, for example one that restricts access to certain protocols or blocks access completely.
To learn more, visit us at http://www.arubanetworks.com/wlan. Join the discussion at https://community.arubanetworks.com
This Solution Guide describes best practices for implementing an Aruba 802.11 wireless network that supports thousands of highly mobile devices (HMDs) such as Wi-Fi phones, handheld scanning terminals, voice badges, and computers mounted to vehicles. It describes the design principles particular to keeping devices that are in constant motion connected to the network as well as best practices for configuring Aruba Networks controllers and the mobile devices. The comprehensive guide addresses six areas of network planning to ensure a high quality of service for roaming data and voice sessions: device configuration, airtime optimization, roaming optimization, IP mobility configuration, IP multicast configuration, and interference resistance. A detailed troubleshooting section covers common issues that arise with these types of WLANs.
Clustering is a new feature introduced in AOS 8.0 that enables seamless roaming of clients between APs, hitless client failover and load balancing of users across Mobility Controllers in the cluster. This solution provides the configuration required to create a cluster of Mobility Controllers that are managed by the same Mobility Master.
Check out the webinar recording where this presentation was used:
https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Airheads-Tech-Talks-Advanced-Clustering-in-AOS-8-x/td-p/506441
ClearPass OnGuard agents perform endpoint posture assessment and ensure that compliance is met before granting access to the network. This session will cover the ClearPass OnGuard Agent components and workflow in detail.
Check out the webinar recording where this presentation was used:
https://community.arubanetworks.com/t5/Security/Airheads-Tech-Talks-Understanding-ClearPass-OnGuard-Agents/td-p/524288
For WLANs to be able to reliably support mission-critical, high-throughput, or time-sensitive applications, RF interference must be continuously monitored. The WLAN must automatically and dynamically adapt to mitigate the effects of any interference in the environment. WLAN infrastructure has to provide the administrators with real-time, historical, and proactive visibility into the air to diagnose and mitigate interference. In this application note we will look at some of the tools that Aruba offers as a part of its WLAN solution that enable administrators to ensure reliable, high performing RF.
In centralized Aruba WLAN deployments, the mobility controller is the heart of the network. The controller operates as a stand-alone master, or in a master-local cluster. Aruba provides several redundancy models for deploying mobility controllers. Each of these options, including the choice to forgo redundancy, must be understood so that the correct choice can be made for each deployment model.
This guide covers Aruba Mobility Controllers and is considered part of the foundation guides within the VRD core technologies series. This guide will help you understand the capabilities and options you have when deploying an Aruba Mobility Controller. This guide describes operating modes for the mobility controller, licensing, forwarding modes, logical and physical deployment, redundancy, and how to select the appropriate mobility controller based on scalability requirements. Version 9 includes information on the 7200 series controller.
This presentation will show you how to right size customer networks, take advantage of ARM, Band steering and Client Match. Check out the webinar recording where this presentation was used. https://attendee.gotowebinar.com/recording/4688596131469180162
Register for the upcoming webinars: https://community.arubanetworks.com/t5/Training-Certification-Career/EMEA-Airheads-Webinars-Jul-Dec-2017/td-p/271908
This presentation will offer an overview of frequently occurring 802.1X authentication issues and how to quickly diagnose and troubleshoot them on the IAP WLAN network. Check out the webinar recording where this presentation was used. https://attendee.gotowebinar.com/register/5818157412807394306
Neighbor Wi-Fi networks, RF noise sources, misbehaving clients, indoor and outdoor coverage patterns can all impact mobile device performance on wireless networks. Join us in this session to discuss how you can design for RF coverage and capacity in challenging environments, proactively monitor your wireless LAN and put together a process for troubleshooting those toughest connectivity issues.
The Aruba Network Rightsizing Best Practices Guide provides an overview of network rightsizing. Network rightsizing is a network capacity planning and cost optimization strategy based on the principle that wired and wireless LANs should be sized and structured to meet current and future demand. After explaining the principles of network rightsizing and how it can benefit your organization, the methodology for analyzing and planning a rightsized network will be discussed. Finally, you will learn how to implement a rightsized yet scalable Aruba 802.11n network.
In this presentation, we will cover the Central platform which provides a standard Web-based interface that allows you to configure and monitor multiple Aruba Instant networks / Switches from anywhere with a connection to the Internet. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Cloud-Managed-Networks/Technical-Webinar-Aruba-Central-with-Instant-AP/td-p/429366
In this presentation, we will cover an overview of ArubaOS 8.x licensing, from supported and unsupported topologies to server failover behaviour and license generation and transfer.
Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-How-Licensing-works-in/td-p/306162
Virtual Intranet Access (VIA) is part of the Aruba remote access solution that includes remote access points (RAPs), Aruba Instant (IAP), and the Remote Node solution. To address the demands of the current mobile workforce, which requires corporate access from hotspots such as those in airports, hotels, and coffee shops, the Aruba VIA solution is designed to provide secure corporate access to employee laptops and smartphones. This guide will walk through planning and deployment of the VIA solution.
During this webinar, we will discuss how starting from ArubaOS 8.2.0.0, selected APs can run in both controller-based mode and controller-less mode and the implications tied to that. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-AP-Discovery-amp-Deployment-Policy-ArubaOS-8-x/m-p/394540/
Although Aruba makes it easy to choose the best WLAN architecture to fit your IT and business needs, it's vital to sort through some critical predeployment issues before you get started. Join us to review the latest product and architectural options from Aruba as well as validated WLAN design best practices. This session includes in-depth coverage of Aruba Instant and Aruba Mobility Controllers.
Aruba Central users may need a centralized web server to host a captive portal page for their distributed networks across the globe, such as coffee shops, restaurants or hotels. Aruba Central 2.0 has a new feature called Cloud Guest or Guest Management that allows administrators to create a splash page for guest users using a web server and RADIUS server running in the cloud.
Check out the webinar recording where this presentation was used:
https://community.arubanetworks.com/t5/Cloud-Managed-Networks/Airheads-Tech-Talks-Cloud-Guest-SSID-on-Aruba-Central/td-p/524320
In this presentation, we will cover ArubaOS’ AP Fast Failover feature, extended controller capacities, how to configure High Availability and several deployment models. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-ArubaOS-High-availability/td-p/286231
In this presentation, we will run through some Rogue AP troubleshooting scenarios and best practices. The agenda covers Rogue AP Detection, classification techniques and containment, wired containment and wireless containment without Tarpit. Check out the webinar recording where this presentation was used:
http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Technical-Webinar-Recording-Slides-ArubaOS-Rogue-AP/m-p/289230
Point-to-point (PTP) wireless connections have many use cases, including linking buildings on a university campus, creating connections between offshore oil rigs, and eliminating the need to pull fiber cable between buildings on opposite sides of a busy road. This guide will help you select the right hardware platform (including both the AOS-based AP-175 and Aruba's new AirMesh products); choose appropriate antennas and accessories; identify and overcome some of the most common outdoor installation challenges; and set up and configure the Aruba solution.
This guide covers indoor 802.11n WLANs and is considered part of the foundation guides within the VRD core technologies series. This guide describes 802.11n, differences in 802.11n vs. 802.11a/b/g functionality, and Aruba-specific technologies and access points (APs) that make 802.11n-based WLANs a viable replacement for wired Ethernet in the majority of deployments.
The purpose of this guide is to explain the enhancements in the 802.11ac standard and provide guidance towards migrating to 802.11ac with respect to network design, deployment, and configuration best practices for campus environments like offices, university campuses, and dorm environments.
This guide covers the following topics in detail:
- Summary of Recommendations
- 802.11ac Features and Benefits
- 802.11ac Planning and Deployment Guidelines
- Best Practice Recommendations for Deploying 802.11ac WLANs
This guide is intended for those who are willing to learn about the 802.11ac standards and understand the best practices in deploying a high-performing 802.11ac
This guide provides a description of the various bandwidth reservation and quality of service (QoS) options for supporting voice traffic in an Aruba remote access point (RAP) telecommuter deployment scenario. The RAP solution is a key component of the Aruba virtual branch network (VBN) architecture. The Aruba RAP deployment model meets the needs of fixed telecommuter and small branch office deployments while maintaining simplicity and ease of deployment. Aruba RAPs extend the corporate LAN to any remote location by enabling seamless wired or wireless data and voice wherever a user finds an Internet-enabled Ethernet port or 3G cellular connection. RAPs are ideally suited for small remote offices, home offices, telecommuters, mobile executives, and for business continuity applications.
The Indoor 802.11n Site Survey and Planning guide covers the design and installation of an Aruba WLAN. It includes information on choosing the right AP, performing a virtual survey, and performing a physical survey. The guide also covers using the Aruba Instant AP for physical site surveys.
This Solution Guide is designed to help customers understand the Aruba system architecture and the individual components needed to deliver reliable, high-capacity outdoor networks using 802.11n and 802.11ac with multiple-in and multiple-out (MIMO) radios.
This guide covers the deployment of Aruba remote access points (RAP) in fixed telecommuter and micro branch office sites, and it is considered part of the base designs guides within the VRD core technologies series. This guide covers the design recommendations for remote network deployment and it explains the various configurations needed to implement a secure, high-performance virtual branch office (VBN) solution with Aruba RAPs.
This guide details the advanced guest access features available to organizations through the combination of Aruba’s Amigopod and Mobility Controller solutions. This includes details of workflow management, RADIUS configuration, AAA configuration, and testing of the solution. This guide builds on the network defined in the Campus VRD.
The Aruba Mobility Access Switch family of products provides various features including voice VLAN, Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED), and Quality of Service (QoS) to enable successful deployment of VoIP in enterprise networks. This application note addresses traditional techniques and introduces new device-aware support to deploy VoIP phones. This document is intended for all system engineers and network administrators who are deploying a VoIP solution in an enterprise network.
This document describes the process for leveraging the ClearPass Guest captive portal to bypass the Captive Network Assistant (web sheet) that is displayed on iOS devices such as iPhone, iPad, and more recently, OS X machines running Lion (10.7) and above.
This application note focuses on configuration and operation of guest access solutions on ArubaOS. It covers the native guest access solution, including configuration of the guest access and guest provisioning profiles, guest administration, and captive portal configuration.
This guide covers the deployment of Aruba WLAN in a typical campus network, and it is considered part of the base designs guides within the VRD core technologies series. This guide covers the design recommendations for a campus deployment and it explains the various configurations needed to implement the Aruba secure, high-performance, multimedia grade WLAN solution in large campuses.
This lab setup document emulates the recommended campus and remote access point networks discussed in the Aruba Campus Networks Validated Reference Design and the Aruba Remote Access Point (RAP) Networks Validated Reference Design. All the screenshots and command-line interface (CLI) configurations in the Aruba Campus Networks Validated Reference Design and the Aruba Remote Access Point (RAP) Networks Validated Reference Design are from this setup.
During this presentation, we will cover a deep dive into Aruba Central and its features. Check out the webinar recording where this presentation was used:
https://community.arubanetworks.com/t5/Cloud-Managed-Networks/Technical-Webinar-Advance-Aruba-Central/m-p/496064
During this webinar, we will cover AppRF - a suite of application visibility and control features that are part of Aruba's Policy Enforcement Firewall. AppRF is a PEF feature that is designed to give network administrators insight into the applications that are running on their network, and who is using them. Check out the webinar recording where this presentation was used:
https://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Aruba-AppRF-AOS-6-x-amp-8-x/td-p/490800
In this presentation, we will cover how the ArubaOS switch virtualization technologies can deliver high-performance and highly available switching while simplifying management and lowering costs. Check out the webinar recording where this presentation was used: https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Technical-Webinar-Switch-Stacking-ArubaOS-Switch/td-p/471348
In this presentation, we will discuss how IEEE standard 802.3ad and its implications allow third-party devices such as switches, servers, or any other networking device that supports trunking to interoperate with the distributed trunking switches (DTSs) seamlessly. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Technical-Webinar-LACP-and-distributed-LACP-ArubaOS-Switch/td-p/458170
In this presentation, we will discuss AirWave 10, a new software build that lets us streamline code and add performance and clustering. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Network-Management/Technical-Webinar-Introduction-to-AirWave-10/td-p/454762
In this presentation, we will discuss how Virtual Switching Framework (VSF) allows supported switches connected to each other through Ethernet connections (copper or fibre) to behave like a single chassis switch. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Controllerless-Networks/Technical-Webinar-Virtual-Switching-Framework-ArubaOS-Switch/td-p/445696
In this presentation, we will discuss how AirGroup configurations have changed to support hierarchical configuration in release 8.2. AirGroup configs will now be profile based and can be applied at any node. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-AirGroup-profiling-changes-across-8-1-amp-8-2/td-p/417153
In this presentation, we will explore the REST API, as ClearPass API integrations and further developments are more focused on the REST API than on the other existing API services such as XML-RPC, SOAP, etc. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Security/Technical-Webinar-Getting-Started-with-the-ClearPass-REST-API/td-p/410214
In this presentation, we will discuss the L3 Redundancy Requirement which primarily comes from customers who want to handle the complete Data Center Failure during natural disasters or other catastrophic events. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Layer-3-Redundancy-for-Mobility-Master-ArubaOS/td-p/382029
In this presentation, we will discuss how branch controllers work and run through different deployment examples in 6.x and 8.x.
Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Manage-Devices-at-Branch/td-p/351983
The existing channel and power assignment functions in ARM support channel scanning, channel assignment and power adjustments, locally. Decisions are made locally at the AP without looking at the entire network. Thanks to the dynamic machine learning techniques, AirMatch centralises this function in the Mobility Master while dynamically learning the network and adapting the RF planning for the entire network. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-What-does-AirMatch-do/td-p/314413
These slides were used during our Airheads Meetup Event at Jaarbeurs Utrecht on October 27th 2017.
If you have ideas, new speaker topics and recommendations for the events, please help us to improve for next year’s event by commenting on the community page: http://community.arubanetworks.com/t5/Wireless-Access/Airheads-Technical-Event-The-Netherlands-October-27th-2017/m-p/313566#M75870
In this presentation, we will run through different API types and cases: configuration APIs (REST API), context APIs (NBAPIs), SDN APIs and explain how to make API calls via CLI. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Configuring-different-APIs-in/td-p/312011
In this presentation, we will be debugging Aruba RAP commands, run through troubleshooting and logs and tackle RAP clusters.
Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Aruba-Remote-Access-Point-RAP/td-p/310448
In this presentation, we will cover basic requirements and supported topologies for Multizone AP, how to bring up APs in multi version and how the AP's image upgrade differs in 8.x.
Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Multi-zone-AP-and-Centralized/td-p/308499
This webinar will cover how to bring up Aruba Mobility Master, Managed Device & Access Point and also go through some basic troubleshooting commands. Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Bringing-up-Aruba-Mobility/td-p/307599
In this presentation, we will run through the 8.x Architecture configuration model and share some UI navigation features such as managed controllers and spectrum monitoring, geolocation and maps.
Check out the webinar recording where this presentation was used: http://community.arubanetworks.com/t5/Wireless-Access/Technical-Webinar-Recording-Slides-Aruba-8-x-Architecture/td-p/302349
3. ArubaOS DHCP Fingerprinting Application Note
Aruba Networks, Inc. Table of Contents | 3
Table of Contents
Chapter 1: Introduction
  Reference Material
Chapter 2: Deploying DHCP Fingerprinting
  Prerequisites
  Product Availability
  What is a DHCP Fingerprint?
  Identifying a DHCP Fingerprint
  User Role Creation
  User Role Derivation
Chapter 3: User Role Life Cycle
  Connecting to the Wireless Network
  802.1X Authentication
  DHCP Exchange
  Validating DHCP-Derived User Roles
  Conclusion
Appendix A: Validated DHCP Fingerprint
Appendix B: Contacting Aruba Networks
  Contacting Aruba Networks
Chapter 1: Introduction
The explosive growth of mobile devices has challenged the network IT staff because mobile devices
lack the option to connect using Ethernet, which is the dominant wired access technology. Leading
industry analyst forecasts predict that by 2015 only 15% of the devices will have built-in Ethernet
capability, as shown in Figure 1. As more of these devices connect using the
enterprise wireless LAN, network administrators have noted that an employee typically has gone from
using a single device to using three or more devices.
As network engineers get ready to support large numbers of smartphones and tablets in addition to
laptops and desktops, they are realizing the importance of reliably identifying mobile devices. Gaining
visibility into mobile device types is essential for network engineers to build granular access policies to
maintain security and quality of service (QoS) for critical enterprise applications. This application note
describes one such tool, ArubaOS DHCP Fingerprinting, which empowers the network engineers to
reliably identify devices and to build and enforce device-specific policies.
Figure 1 Growth of mobile devices
Table 1 lists the current software versions for this guide.
Table 1 Aruba Software Versions
Product | Version
ArubaOS™ (mobility controllers) | 6.1
ArubaOS (mobility access switch) | 7.0
Aruba Instant™ | 1.1
MeshOS | 4.2
AirWave® | 7.3
AmigopodOS | 3.3
Reference Material
This guide assumes a working knowledge of Aruba products. This guide is based on the network
detailed in the Aruba Campus Wireless Networks VRD and the Base Designs Lab Setup for
Validated Reference Design. These guides are available for free at
http://www.arubanetworks.com/vrd.
The complete suite of Aruba technical documentation is available for download from the Aruba
support site. These documents present complete, detailed feature and functionality explanations
outside the scope of the VRD series. The Aruba support site is located at:
https://support.arubanetworks.com/. This site requires a user login and is for current Aruba
customers with support contracts.
Chapter 2: Deploying DHCP Fingerprinting
DHCP fingerprinting is used in conjunction with user roles on the Aruba Mobility Controller. When a
user authenticates, their device type is taken into account. Based on that device type, a new role can
be assigned to the device, such as restricting access to certain protocols or completely blocking
access. Because the system relies on user-defined roles, each organization can develop a system that
meets their unique requirements.
Prerequisites
This section describes the prerequisites and dependencies for the ArubaOS DHCP fingerprinting
feature.
1. The ArubaOS DHCP fingerprinting feature is available on the mobility controller and mobility
access switch platforms running ArubaOS version 6.0.1 or later.
2. The PEFNG license must be present on the platform to assign user roles using the ArubaOS
DHCP fingerprinting feature.
3. Clients must be set up to request IP addresses automatically using DHCP.
4. The controller must be in the data path of DHCP exchange, but it does not have to be the
DHCP server.
5. There are additional requirements based on the forwarding mode of the AP. Table 2 lists the
forwarding mode and platform dependencies.
Table 2 DHCP Fingerprinting Availability by Forwarding Mode and Platform
Platform | Forwarding Mode | DHCP Fingerprinting Available
Campus and remote AP | Tunnel mode | Yes
Campus and remote AP | Bridge mode | No
Campus and remote AP | Decrypt-tunnel mode | Yes
Remote AP | Split-tunnel mode | Yes. Limited to VLANs that are tunneled to the controller.
Mobility access switch | Tunneled node | Yes
Product Availability
Table 3 describes the DHCP fingerprint availability by platform.
Table 3 Product Availability
Platforms | DHCP Fingerprinting Available
Mobility Controller – 600, 3000, and M3 Series platforms | Yes
All Mobility Access Switch platforms | Yes. Limited to VLANs that are tunneled to the controller
All Instant AP platforms | No
What is a DHCP Fingerprint?
DHCP is a client/server protocol. As shown in Figure 2, the DHCP client exchanges a series of packets
with the DHCP server to obtain a unique IP address and other important networking information, such
as the default gateway and DNS server.
Figure 2 DHCP protocol exchange
However, the DHCP protocol is not limited to obtaining basic IP networking information. It includes the
flexibility to exchange vendor-specific information about the hardware or operating system of the
device. This exchange is done by using DHCP options as defined by RFC 2132
(http://www.ietf.org/rfc/rfc2132.txt). Use of DHCP options is vendor-, device-, and OS-dependent, which
creates significant differences in the DHCP packets generated by various devices and thus constitutes a
DHCP "fingerprint." Figure 3 is an example of the options included in a DHCP DISCOVER message by an
Apple iPad device.
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol
  Message type: Boot Request (1)
  Hardware type: Ethernet
  Hardware address length: 6
  Hops: 0
  Transaction ID: 0xd94e2ba0
  Seconds elapsed: 1
  Bootp flags: 0x0000 (Unicast)
  Client IP address: 0.0.0.0 (0.0.0.0)
  Your (client) IP address: 0.0.0.0 (0.0.0.0)
  Next server IP address: 0.0.0.0 (0.0.0.0)
  Relay agent IP address: 0.0.0.0 (0.0.0.0)
  Client MAC address: Apple_1b:40:31 (a4:d1:d2:1b:40:31)
  Client hardware address padding: 00000000000000000000
  Server host name not given
  Boot file name not given
  Magic cookie: DHCP
  Option: (t=53,l=1) DHCP Message Type = DHCP Discover
  Option: (t=55,l=6) Parameter Request List
    Option: (55) Parameter Request List
    Length: 6
    Value: 0103060f77fc
    1 = Subnet Mask
    3 = Router
    6 = Domain Name Server
    15 = Domain Name
    119 = Domain Search [TODO:RFC3397]
    252 = Private/Proxy autodiscovery
  Option: (t=57,l=2) Maximum DHCP Message Size = 1500
  Option: (t=61,l=7) Client identifier
  Option: (t=51,l=4) IP Address Lease Time = 90 days
  Option: (t=12,l=5) Host Name = "ipad2"
  End Option
  Padding
Figure 3 Options in a DHCP DISCOVER message
The ArubaOS DHCP fingerprinting feature instructs the stateful firewall to inspect the DHCP packet
exchange and identify the device or OS type. Firewall rules can then be used to derive roles for the
specific device or OS type.
Identifying a DHCP Fingerprint
Figure 4 Network diagram with an ArubaOS controller in the DHCP data path
ArubaOS DHCP fingerprinting relies on the stateful inspection of DHCP packet exchange, so it is
required that the Aruba Mobility Controller is in the data path of the DHCP exchange. However, the
mobility controller is not required to be the DHCP server. ArubaOS stateful firewall logs the DHCP
options in the DHCP packets along with the MAC address of the client.
To begin the process of examining a DHCP fingerprint, some debugging commands need to be set to
make the packets visible. This process can be done either from the web interface or the CLI. We are
looking for a value that is unique to a class of device. In cases where more than one DHCP fingerprint
is found, any can be used. Typical values of DHCP options are hex: 0c, 37, 3c, or 51. These values
correspond to DHCP option numbers: 12, 55, 60, or 81. The goal is to find a value that is unique to that
device.
If multiple clients are connecting at the same time, be sure to select the DHCP signature that matches
the test device MAC address. Log messages can also be restricted to show output that matches the
specific MAC address of the test device. It is a best practice to validate the DHCP signatures using
several devices of the same type. For a list of validated DHCP signatures developed by the Aruba QA
team, see Appendix A: Validated DHCP Fingerprint.
Using the WebUI
1. Set the logging level for dhcp sub-category to level debugging. Navigate to
Configuration > Management > Logging > Levels.
2. Navigate to Monitoring > Debug > Process Logs.
3. From the right-side frame, select the Search function and select Filter Criteria: Include and
String: Options. Click Display. The logs automatically refresh.
Figure 5 Filter options
4. Ensure that the wireless client is set up for DHCP and connect to the wireless network.
5. Watch the filtered logs section for matching log messages. When the client sends out the DHCP
DISCOVER or REQUEST packet, a log message that contains the DHCP option is generated.
Figure 6 shows a log message from an Apple iPad device with MAC address a4:d1:d2:1b:40:31.
Figure 6 Using WebUI log filtering to identify a DHCP fingerprint
The numerals displayed in the log message correspond to DHCP option 55 (37 in hex notation).
In hexadecimal notation, option code 37 is followed by its operand values. The combined string
forms the DHCP fingerprint 370103060F77FC.
Using the CLI
1. Ensure that the wireless client is set up for DHCP and connect to the wireless network. Note the
wireless client MAC address. From the CLI, enter the “config terminal” context and enable
logging level debug for DHCP.
(config)# logging level debugging network
2. Issue the CLI command to show log entries that match the MAC address of the client device
being fingerprinted.
(config)#show log network all | include Options
3. Watch the filtered log messages for DHCP options. The output in Figure 7 is for an Apple iPad
device with MAC address a4:d1:d2:1b:40:31.
(LC1-Sunnyvale-6000) (config) #show log all | include Options
Sep 7 11:38:08 dhcpdwrap[1829]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan900: REQUEST
a4:d1:d2:1b:40:31 reqIP=192.168.200.248 Options 37:0103060f77fc 39:05dc 3d:01a4d1d21b4031
36:c0a8c814 0c:6970616432
Figure 7 Using CLI log filtering to identify a DHCP fingerprint
From the log message output, we find DHCP options 55, 12, 50, and 51 (hex 37, 0C, 32, and 33
respectively). Based on Aruba internal testing, we have found that reliable DHCP signatures
include DHCP options 12, 55, 60, and 81. We can use any of these options to build a DHCP
signature. For example, if we select the option 55 (hex 37), to create a DHCP fingerprint, drop
the colon (":") and include all the hex numerals before and after the colon.
The DHCP fingerprint for device with MAC a4:d1:d2:1b:40:31 is 370103060F77FC.
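Added example (not from the Aruba application note): a Python sketch that parses the debug line from Figure 7, builds the candidate fingerprint for each logged option by dropping the colon, and checks it against the two fingerprints this note configures in byod-rules under User Role Derivation. Assumptions: DISCOVER lines share the REQUEST layout shown, hex is compared case-insensitively, rules are checked in order with the first match winning, and all function names are illustrative.

```python
import re

# Debug line from Figure 7, joined onto one line (the note wraps it).
SAMPLE_LOG = (
    "Sep 7 11:38:08 dhcpdwrap[1829]: <202536> <DBUG> |dhcpdwrap| |dhcp| "
    "Datapath vlan900: REQUEST a4:d1:d2:1b:40:31 reqIP=192.168.200.248 "
    "Options 37:0103060f77fc 39:05dc 3d:01a4d1d21b4031 36:c0a8c814 0c:6970616432"
)

# The two rules from this note's byod-rules: (condition, value, role).
BYOD_RULES = [
    ("equals", "3C64686370636420342E302E3135", "Android-Device-Role"),
    ("equals", "370103060F77FC", "iOS-Device-Role"),
]

LINE_RE = re.compile(
    r"(?P<msg>DISCOVER|REQUEST)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*?"
    r"\bOptions\s+(?P<opts>.+)$",
    re.IGNORECASE,
)
OPT_RE = re.compile(r"^([0-9a-f]{2}):((?:[0-9a-f]{2})+)$", re.IGNORECASE)


def parse_log_line(line):
    """Return (mac, {option_number: value_bytes}), or None if no DHCP options are logged."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    options = {}
    for token in m.group("opts").split():
        om = OPT_RE.match(token)
        if om is None:  # ignore anything that is not code:hexvalue
            continue
        options[int(om.group(1), 16)] = bytes.fromhex(om.group(2))
    return m.group("mac").lower(), options


def fingerprints(options):
    """One candidate per option: option code plus value, upper-case hex, colon dropped."""
    return {code: f"{code:02X}{value.hex().upper()}" for code, value in options.items()}


def normalise(value):
    """Strip colons and whitespace (as the WebUI step requires) and reject non-hex input."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not a hex fingerprint: {value!r}")
    return cleaned


def derive_role(options, rules, default_role="employee"):
    """Apply equals / starts-with rules in order; fall back to the default role."""
    candidates = set(fingerprints(options).values())
    for condition, value, role in rules:
        if condition not in ("equals", "starts-with"):
            raise ValueError(f"unsupported condition: {condition}")
        wanted = normalise(value)
        if condition == "equals" and wanted in candidates:
            return role
        if condition == "starts-with" and any(c.startswith(wanted) for c in candidates):
            return role
    return default_role


def describe(options):
    """Decode the two human-readable options: 55 (parameter list) and 12 (host name)."""
    return {
        "parameter_request_list": list(options.get(55, b"")),
        "host_name": options.get(12, b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    mac, opts = parse_log_line(SAMPLE_LOG)
    print(mac, fingerprints(opts)[55], describe(opts), derive_role(opts, BYOD_RULES))
```

The sample line carries options 55, 57, 61, 54 and 12; only the option 55 candidate matches a rule, so the iPad receives iOS-Device-Role.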
User Role Creation
In an Aruba user-centric network, every device is associated with a user role based on login
credentials, among other things. This same concept is extended to derive roles based on device type.
For detailed configuration steps for roles and policies, refer to ArubaOS 6.1 User Guide, Chapter 12.
In our example, an enterprise has a mobile device access policy for two popular mobile device
platforms, Apple iOS and Android, as shown in Table 4. Each class of device has a desired policy as
determined by the organization. These policies are implemented by defining rules and applying them
to the appropriate device-specific user role.
Table 4 Sample Mobile Device Access Policy for Android and iOS Devices
Mobile Device Platform | Enterprise Access Policy
Apple iOS | Allow access to the corporate internal network via https only. Allow full access to the Internet.
Android | Deny all access to the corporate internal network. Allow full access to the Internet.
When devices connect to the WLAN network, they require a minimum set of services such as access
to DHCP and DNS services. These services are defined in the Common-Policy and they are common
to Apple iOS and Android device roles. Android devices are blocked from accessing the corporate
internal network, while Apple iOS devices are allowed access to the internal network only through
https. This permission is implemented in the block-internal-access and allow-corporate-https policies
respectively. Finally, full access to the Internet is achieved by adding the allow-all policy as the last
policy in the role.
Configuration for Common Policies Shared by Android and iOS Devices
ip access-list session common
  user any udp 68 deny
  any any svc-dhcp permit
  any any svc-icmp permit
  user alias dns-servers svc-dns permit
Figure 8 Common policies shared by Android devices
Next we will configure the access to internal resources, which will be used for the allow policy for iOS
and for the deny policy for Android. For this setup, we will create a network destination alias.
Netdestinations allow you to specify blocks of addresses and later make changes to those blocks
without rewriting firewall policy.
Internal Corporate Network Destinations
netdestination Internal-Network
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.255.0.0
  network 192.168.0.0 255.255.0.0
Figure 9 Internal corporate network destinations
Next we will create two policies, one that allows corporate resources to be accessed via HTTPS, and
one that denies all access to those same resources. First we will configure the iOS policy, then the
Android policy.
Configuration for the iOS allow-corporate-https Policy
ip access-list session allow-corporate-https
  user alias Internal-Network svc-https permit
  user alias Internal-Network any deny
Figure 10 Configuration for the iOS allow-corporate-https policy
Configuration for iOS Device Role
user-role iOS-Device-Role
  access-list session common
  access-list session allow-corporate-https
  access-list session allowall
Figure 11 Policies for iOS device role
Policies for Android Devices
user-role Android-Device-Role
  access-list session common
  access-list session block-internal-access
  access-list session allowall
Figure 12 Policies for Android devices
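Added example (not Aruba's code): a small Python model of how the two device roles treat client-originated traffic, useful for checking a role against Table 4 before deploying it. Assumptions: session ACLs are evaluated top-down with the first match winning and an implicit deny at the end, block-internal-access (whose configuration this note does not show) is a single deny to Internal-Network, the service aliases map to their usual ports, and the dns-servers address and probe addresses are constructed.

```python
from ipaddress import ip_address, ip_network

ALIASES = {
    "any": [ip_network("0.0.0.0/0")],
    # Exactly the three networks in the note's netdestination Internal-Network.
    "Internal-Network": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/16"),
                         ip_network("192.168.0.0/16")],
    "dns-servers": [ip_network("10.1.1.53/32")],  # constructed address
}
SERVICES = {  # None means any protocol/port; port ranges are assumptions
    "any": None,
    "udp-68": ("udp", range(68, 69)),       # the "udp 68" in the common ACL
    "svc-dhcp": ("udp", range(67, 69)),
    "svc-dns": ("udp", range(53, 54)),
    "svc-https": ("tcp", range(443, 444)),
    "svc-icmp": ("icmp", None),
}
ACLS = {  # (destination alias, service, action) in configured order
    "common": [("any", "udp-68", "deny"), ("any", "svc-dhcp", "permit"),
               ("any", "svc-icmp", "permit"), ("dns-servers", "svc-dns", "permit")],
    "allow-corporate-https": [("Internal-Network", "svc-https", "permit"),
                              ("Internal-Network", "any", "deny")],
    "block-internal-access": [("Internal-Network", "any", "deny")],  # assumed content
    "allowall": [("any", "any", "permit")],
}
ROLES = {
    "iOS-Device-Role": ["common", "allow-corporate-https", "allowall"],
    "Android-Device-Role": ["common", "block-internal-access", "allowall"],
}
# Table 4 expressed as probes: (destination, protocol, port) -> expected action.
IOS_POLICY = {("10.20.30.40", "tcp", 443): "permit", ("10.20.30.40", "tcp", 22): "deny",
              ("203.0.113.10", "tcp", 80): "permit"}
ANDROID_POLICY = {("10.20.30.40", "tcp", 443): "deny", ("192.168.5.5", "tcp", 22): "deny",
                  ("203.0.113.10", "tcp", 80): "permit"}


def evaluate(acl_names, dst, proto, port=None):
    """Return (action, acl that decided) for one client-originated flow."""
    dst_ip = ip_address(dst)
    for acl in acl_names:
        for dest_alias, service, action in ACLS[acl]:
            if not any(dst_ip in net for net in ALIASES[dest_alias]):
                continue
            svc = SERVICES[service]
            if svc is not None:
                svc_proto, ports = svc
                if proto != svc_proto or (ports is not None and port not in ports):
                    continue
            return action, acl
    return "deny", "implicit-deny"


def violations(acl_names, expected):
    """Probes for which the ACL order gives a different action than the policy wants."""
    return [probe for probe, want in expected.items()
            if evaluate(acl_names, *probe)[0] != want]


if __name__ == "__main__":
    for role, policy in (("iOS-Device-Role", IOS_POLICY), ("Android-Device-Role", ANDROID_POLICY)):
        print(role, "violations:", violations(ROLES[role], policy))
    # allowall placed ahead of the deny lets internal traffic through.
    print(violations(["common", "allowall", "block-internal-access"], ANDROID_POLICY))
```

As written, the Internal-Network alias covers 172.16.0.0 with mask 255.255.0.0 only, so a destination such as 172.20.0.1 falls through to allowall in both roles.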
User Role Derivation
After a DHCP fingerprint has been identified and the device-specific roles have been created, we can
now configure the policy for the devices. To get the correct policy assigned, we use “user rules” to
change the device's role. Roles that are derived using DHCP fingerprinting take precedence over those
derived using other methods, such as server-derived roles or roles derived using an Aruba vendor-
specific attribute (VSA). This precedence means that roles derived by the DHCP fingerprint feature
prevail even if the RADIUS server is set up to return a role attribute that is different. This functionality
allows users to log into a device such as a laptop and receive a normal role via RADIUS, and then use
the same credentials on an iPad and receive a different device role.
Roles are derived based on information learned from DHCP exchange, so devices receive this role
after successful 802.11 association and Layer 2 authentication. For this reason, a role derived using
DHCP fingerprinting is referred to as the post-authentication role. It is important to note that while several
ways are available for deriving a role in ArubaOS, DHCP fingerprinting is different from all of them.
DHCP fingerprinting operates on attributes that become available after a successful authentication,
which extends the role-derivation capability in a powerful way.
NOTE
DHCP fingerprinting is classified as one of the methods under the user-derived
role framework. However, it differs from other methods in an important respect.
DHCP fingerprinting has higher precedence than all other role-derivation
methods.
To derive device-specific roles from the WebUI and the CLI, follow these steps.
Using the WebUI
1. Navigate to Configuration > Security > Authentication.
2. Click User Rules. Click Add to add a user-derived rule.
3. Choose a name for the user-derived rule. See example byod-rules.
4. Click Add to add a new rule set. The screen in Figure 13 is displayed.
Figure 13 Adding rules to derive roles using DHCP Option from WebUI
5. For Set Type, choose Role to derive roles.
6. For Rule Type, choose DHCP-Option.
7. For Condition, choose equals. This rule is set up especially to match DHCP option and its
operand values in hex, so equals and starts-with are the only allowed conditions.
8. In the Value field, copy and paste the DHCP fingerprint. Ensure that no colon characters or extra
whitespace are included and that only the hex numerals are included.
9. For Roles, choose the device-specific role that was created earlier.
Using the CLI
From the CLI, enter the “config terminal” context and issue the following commands:
aaa derivation-rules user byod-rules
  set role condition dhcp-option equals "3C64686370636420342E302E3135" set-value Android-Device-Role description "Android devices"
  set role condition dhcp-option equals "370103060F77FC" set-value iOS-Device-Role description "iOS devices"
Chapter 3: User Role Life Cycle
ArubaOS DHCP fingerprinting provides an easy method to distinguish a user connected on a
corporate-issued laptop vs. another mobile device. When the corporate user connects to the Aruba system using
the corporate laptop and the personal device, they receive different user roles. In this section, we
follow the clients through various connectivity states, highlight the relevant configuration profiles, and
describe how they influence the selection of user roles.
Connecting to the Wireless Network
When users scan the available wireless networks, they see the SSID that is defined in the SSID profile
“corp-employee”. This SSID requires 802.1X authentication. This profile is configured in the Wireless
LAN Virtual AP context.
Figure 14 SSID profile for the Corp-Employee wireless network
In a typical enterprise, PEAP with MSCHAPv2 is a popular choice for 802.1X authentication. Users
must log in with their corporate credentials and passwords. This process is routine on the laptops. The
process is similar on mobile devices. Users are now authenticated to the network based on their
unique user credentials. The authentication process uses the AAA profile defined in the virtual AP
profile as seen in Figure 15.
Figure 15 AAA profile for corp-employee virtual AP profile
802.1X Authentication
The mobile device and laptop complete the 802.1X authentication and four-way handshake and derive
the unique Pairwise Master Key (PMK) that is used to secure all further data transactions. Based on
the AAA profile “corp-employee”, we see that both clients initially get the “logon” role as defined by the
initial role setting. However, this role is transient and clients soon migrate to new roles based on the
user derivation rules, which are linked to the same AAA profile as shown in Figure 16.
Figure 16 Initial role and user derivation rules in the AAA corp-employee profile
DHCP Exchange
At this point, the previously constructed user rule “byod-rules” comes into play. Specifically, when the
clients are evaluated against this rule set, the Apple iPad matches the second rule and the corporate
Windows laptop does not yield a match. As per our rule definition, the Apple iPad progresses to
receive the “iOS-Device-Role”, and the corporate Windows laptop receives the “802.1X Authentication
Default” role “employee” as defined by the AAA profile “corp-employee” shown in Figure 16 and Figure
17.
Figure 17 Rule set to derive device-specific roles
Validating DHCP-Derived User Roles
To view the client statistics, navigate to Monitoring > Clients on the controller, as seen in Figure 18.
Verify that devices have been correctly detected and assigned appropriate roles. It is also interesting
to note the Device Type column. Here Windows corporate laptops are identified by operating system
type even though no DHCP fingerprint has been defined for the Windows corporate laptops.
This operating system identification is a result of a separate but related feature mechanism to detect
device types. It operates by parsing the user-agent string (also known as the browser ID) in HTTP
packets. This parsing is enabled by the Device Type Classification checkbox in the AAA profile. This
feature is enabled by default. The user-agent string can be changed easily by misbehaving
applications or intentional user action, which makes it less than reliable for user role derivation.
Figure 18 Monitor clients and verify the user roles from the WebUI
Conclusion
Enterprises and employees are rapidly adopting next-generation smartphones and tablet devices.
Wireless is the only way to connect these devices to the network and WLAN is the primary method of
connecting to an enterprise network. IT staff require tools that enable them to control the network
usage, applications, content, and bandwidth and gain greater visibility into the user and type of
devices. ArubaOS delivers a powerful new tool, DHCP fingerprinting, which enables IT staff to create
and enforce granular policies per device, per application, and per user. This added functionality is
made possible using the same Aruba WLAN infrastructure without adding additional appliances or re-
architecting the network.
Appendix A: Validated DHCP Fingerprint
These device fingerprints must be used with an exact-match rule in ArubaOS.
| Device | DHCP Option | DHCP Fingerprint |
|---|---|---|
| Apple iOS | Option 55 | 370103060F77FC |
| Android | Option 60 | 3C64686370636420342E302E3135 |
| Blackberry | Option 60 | 3C426C61636B4265727279 |
| Windows 7/Vista Desktop | Option 55 | 37010f03062c2e2f1f2179f92b |
| Windows XP (SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b |
| Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500 |
| Windows 7 Phone | Option 55 | 370103060f2c2e2f |
| Apple Mac OSX (10.6 and below) | Option 55 | 370103060f775ffc2c2e2f |
| Apple Mac OSX (10.7 and above) | Option 55 | 370103060f775ffc2c2e |
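The following Python sketch is an added example, not part of the Aruba application note. It decodes the Appendix A fingerprints into readable form and shows why an exact-match rule separates entries that differ by a single byte. It assumes the first byte of each fingerprint is the DHCP option code (0x37 = 55, 0x3C = 60, consistent with the table) and the remainder is that option's payload; the names `decode` and `classify` are hypothetical.

```python
# Added example: decode the Appendix A fingerprints and apply exact matching.
# Assumption: byte 0 of each fingerprint is the DHCP option code and the
# rest is that option's payload (consistent with the table: 0x37=55, 0x3C=60).

FINGERPRINTS = {  # values copied from the Appendix A table
    "370103060F77FC": "Apple iOS",
    "3C64686370636420342E302E3135": "Android",
    "3C426C61636B4265727279": "Blackberry",
    "37010f03062c2e2f1f2179f92b": "Windows 7/Vista Desktop",
    "37010f03062c2e2f1f21f92b": "Windows XP (SP3, Home, Professional)",
    "3c4d6963726f736f66742057696e646f777320434500": "Windows Mobile",
    "370103060f2c2e2f": "Windows 7 Phone",
    "370103060f775ffc2c2e2f": "Apple Mac OSX (10.6 and below)",
    "370103060f775ffc2c2e": "Apple Mac OSX (10.7 and above)",
}
# Normalize hex case once so lookups are case-insensitive but otherwise exact.
_TABLE = {k.lower(): v for k, v in FINGERPRINTS.items()}


def decode(fingerprint):
    """Return (option_code, payload) with the payload in readable form."""
    raw = bytes.fromhex(fingerprint)
    if len(raw) < 2:
        raise ValueError("fingerprint needs an option code and a payload")
    option, payload = raw[0], raw[1:]
    if option == 55:   # parameter request list: ordered option numbers
        return option, list(payload)
    if option == 60:   # vendor class identifier: ASCII text
        return option, payload.decode("ascii", errors="replace")
    return option, payload.hex()


def classify(fingerprint):
    """Exact match only: one extra, missing or reordered byte is a miss."""
    return _TABLE.get(fingerprint.strip().lower(), "unknown")


if __name__ == "__main__":
    for fp, device in FINGERPRINTS.items():
        print(device, decode(fp))
```

Decoding the two Windows desktop entries shows they differ only by requested option 121 (0x79), which is why a prefix or partial match would not tell them apart.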
Appendix B: Contacting Aruba Networks
Contacting Aruba Networks
Web Site Support
Main Site: http://www.arubanetworks.com
Support Site: https://support.arubanetworks.com
Software Licensing Site: https://licensing.arubanetworks.com/login.php
Wireless Security Incident Response Team (WSIRT): http://www.arubanetworks.com/support/wsirt.php

Support Emails
Americas and APAC: support@arubanetworks.com
EMEA: emea_support@arubanetworks.com
WSIRT Email (please email details of any security problem found in an Aruba product): wsirt@arubanetworks.com

Validated Reference Design Contact and User Forum
Validated Reference Designs: http://www.arubanetworks.com/vrd
VRD Contact Email: referencedesign@arubanetworks.com
AirHeads Online User Forum: http://airheads.arubanetworks.com

Telephone Support
Aruba Corporate: +1 (408) 227-4500
FAX: +1 (408) 227-4550
Support, United States: +1-800-WI-FI-LAN (800-943-4526)

Universal Free Phone Service Numbers (UIFN):
Australia
  Reach: 1300 4 ARUBA (27822)
United States
  1 800 9434526
  1 650 3856589
Canada
  1 800 9434526
  1 650 3856589
United Kingdom
  BT: 0 825 494 34526
  MCL: 0 825 494 34526
Japan
  IDC: 10 810 494 34526 * Select fixed phones
  IDC: 0061 010 812 494 34526 * Any fixed, mobile & payphone
  KDD: 10 813 494 34526 * Select fixed phones
  JT: 10 815 494 34526 * Select fixed phones
  JT: 0041 010 816 494 34526 * Any fixed, mobile & payphone
Korea
  DACOM: 2 819 494 34526
  KT: 1 820 494 34526
  ONSE: 8 821 494 34526
Singapore
  Singapore Telecom: 1 822 494 34526
Taiwan (U)
  CHT-I: 0 824 494 34526
Belgium
  Belgacom: 0 827 494 34526
Israel
  Bezeq: 14 807 494 34526
  Barack ITC: 13 808 494 34526
Ireland
  EIRCOM: 0 806 494 34526
Hong Kong
  HKTI: 1 805 494 34526
Germany
  Deutsche Telekom: 0 804 494 34526
France
  France Telecom: 0 803 494 34526
China (P)
  China Telecom South: 0 801 494 34526
  China Netcom Group: 0 802 494 34526
Saudi Arabia
  800 8445708
UAE
  800 04416077
Egypt
  2510-0200 8885177267 * within Cairo
  02-2510-0200 8885177267 * outside Cairo
India
  91 044 66768150