Device fingerprinting on Aruba CX switches has been available since software version 10.08. It categorises connected devices by analysing the traffic they send: the switch learns attributes from the DHCP, HTTP, CDP and LLDP packets received from connected devices. Until recently this information could not be used by Aruba ClearPass to assist in profiling the device. Since Aruba CX software version 10.12, the device fingerprint information learnt by the switch can be sent to the ClearPass RADIUS server as Vendor Specific Attributes (VSAs) in RADIUS accounting packets.
This post covers the configuration of device fingerprinting. It assumes that AAA, RADIUS and the integration with ClearPass are already set up and working.
Configuration
Configure the Aruba CX switch running software version 10.12 or greater.
A device fingerprint profile is created and the DHCP, LLDP, CDP and HTTP attributes the switch should learn are explicitly defined. The profile below selects DHCP, CDP and LLDP attributes only; no HTTP attributes are learnt.
client device-fingerprint profile FINGERPRINT-PROFILE
    dhcp option-num 55
    dhcp options-list
    cdp tlv-name capabilities
    cdp tlv-name device-id
    cdp tlv-num 4
    lldp tlv-name system-name
    lldp tlv-num 5
    lldp tlv-name port-description
    lldp tlv-name system-capabilities
The profile can be applied globally or under specific interfaces using the command client device-fingerprint apply-profile FINGERPRINT-PROFILE. The example below applies it to interface 1/1/1.
interface 1/1/1
    client device-fingerprint apply-profile FINGERPRINT-PROFILE
To send the device fingerprint information to ClearPass, configure the radius-attribute group (this is the AAA group used by 802.1X and MAB) and define the VSA that carries the dfp-client-info group.
aaa radius-attribute group CPPM-RADIUS
    vsa vendor aruba type avpair group dfp-client-info
Verification
You can confirm the device fingerprint profile is enabled using the command show client device-fingerprint active. The output below confirms the fingerprint profile is configured globally.
DEVSWI# show client device-fingerprint active
Port     Profile              Status              DHCP  HTTP  LLDP  CDP
------------------------------------------------------------------------------
System   FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
The output below confirms the fingerprint profile is enabled on specific interfaces.
DEVSWI# show client device-fingerprint active
Port     Profile              Status              DHCP  HTTP  LLDP  CDP
------------------------------------------------------------------------------
1/1/1    FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
1/1/2    FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
1/1/3    FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
1/1/4    FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
1/1/5    FINGERPRINT-PROFILE  Profile configured  Y     N     Y     Y
Run the command show client device-fingerprint to confirm the attributes learnt for each connected endpoint. The output below shows an Aruba IAP connected to port 1/1/1, with attributes learnt from DHCP and LLDP; no HTTP or CDP attributes were learnt from this endpoint.
DEVSWI# show client device-fingerprint
Client MAC Address: 6c:f3:7f:c1:a0:3d
Port : 1/1/1
VLAN : 10
Protocol: DHCP
  Host name(12)                 :IAP
  Parameter Requested List(55)  :1,3,4,6,12,15,28,42,43,66,67,60
  Vendor Class Identifier(60)   :ArubaInstantAP
  DHCP Options-List :
    Discover(1)  :53,61,12,60,55,82,255
    Request(3)   :53,61,12,60,50,54,55,82,255
Protocol: HTTP
  n/a
Protocol: LLDP
  Port-Description(4)      :bond0
  System-Capabilities(7)   :Bridge, WLAN
  System-Description(6)    :ArubaOS (MODEL: 93), Version 6.3.1.8-4.0.0.8 (46401)
Protocol: CDP
  --
Log in to the ClearPass GUI, navigate to Configuration > Identity > Endpoints and search for the endpoint MAC address.
From the output below we can confirm the endpoint has been successfully profiled by ClearPass and correctly identified as an Aruba IAP.
Click the Device Fingerprints tab, note the fingerprint details and confirm that the same attributes learnt by the switch have been sent to and received by ClearPass to assist in profiling the device.
To confirm ClearPass receives the device fingerprint information, take a packet capture on ClearPass during the authentication of the connected endpoint. The capture below shows the switch sending the device fingerprint information in a RADIUS Accounting-Request packet; the Vendor Specific Attributes (VSAs) carry the endpoint-specific information learnt by the switch.
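If you would rather check the capture programmatically than by eye, the following is an added example (not part of this post or of any Aruba tool) that walks the attribute area of a raw RADIUS Accounting-Request and pulls out every sub-attribute inside Vendor-Specific (type 26) attributes carrying Aruba's enterprise number 14823. The vendor sub-type number and the text payloads used in the sample packet are constructed placeholders; the real dfp-client-info encoding is whatever your capture shows.

```python
import struct

ARUBA_VENDOR_ID = 14823      # IANA enterprise number carried in Aruba VSAs
ACCOUNTING_REQUEST = 4       # RADIUS Code value for Accounting-Request
VENDOR_SPECIFIC = 26         # RADIUS attribute type for Vendor-Specific
PLACEHOLDER_DFP_VTYPE = 250  # constructed placeholder, NOT the real Aruba vendor-type


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute area (TLV: type, length, data)."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def aruba_vsas(packet: bytes):
    """Return [(vendor_type, data)] for every Aruba sub-attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    found = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # some other vendor's VSA; ignore it
        # after the 4-byte Vendor-Id the field holds (vendor-type, vendor-length, data) triples
        found.extend(parse_attributes(value[4:]))
    return found


def vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    """Build the value of one Vendor-Specific attribute (RFC 2865 section 5.26 layout)."""
    return struct.pack("!I", vendor_id) + bytes([vtype, len(data) + 2]) + data


def build_packet(code: int, attrs) -> bytes:
    """Assemble a RADIUS packet; the 16-byte Authenticator is zeroed (constructed sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample Accounting-Request: a MAB-style User-Name plus two Aruba VSAs
SAMPLE = build_packet(ACCOUNTING_REQUEST, [
    (1, b"6cf37fc1a03d"),
    (VENDOR_SPECIFIC, vsa(ARUBA_VENDOR_ID, PLACEHOLDER_DFP_VTYPE,
                          b"dhcp-option-55=1,3,4,6,12,15,28,42,43,66,67,60")),
    (VENDOR_SPECIFIC, vsa(ARUBA_VENDOR_ID, PLACEHOLDER_DFP_VTYPE,
                          b"lldp-port-description=bond0")),
])
```

Feed it the UDP payload of the Accounting-Request from your capture instead of SAMPLE; if the list comes back empty, the radius-attribute group is not attaching the dfp-client-info VSAs.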
Reference
Refer to the Aruba guides below for more information on configuring device fingerprinting.