Device fingerprinting helps administrators control how BYOD devices access a corporate wireless domain.
Device fingerprinting uses the DHCP options sent by a client in its request or discover packets to derive a unique signature specific to a device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify devices and to assign permissions and restrictions to each device class.
Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating from remote computing devices. When enabled, device fingerprinting helps identify a wireless client's device type. There are two methods of fingerprinting devices: active and passive.
Active fingerprinting relies on the fact that traffic patterns vary between device types. It sends requests (HTTP, etc.) to client devices and analyzes their responses to determine the device type. For example, an invalid request is sent to a device and its error response is analyzed to identify the device type. Because active fingerprinting sends packets, the risk of flooding the network is high, especially when many devices are fingerprinted simultaneously.
Passive fingerprinting monitors devices for known traffic patterns that are specific to a device's protocol stack, driver implementation, and so on. This method accurately classifies a client's TCP/IP configuration, OS fingerprint, wireless settings, etc. No packets are sent to the device. Protocols commonly used for passive device fingerprinting include TCP, DHCP, and HTTP. This feature implements DHCP device fingerprinting, which relies on the specific information a wireless client sends when acquiring an IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in its DHCP request or discover packets to derive a unique signature specific to the class of device. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify devices and to assign permissions and restrictions to each device class.
The client-identity command enables device fingerprinting. It creates a new client identity and enters its configuration mode. A client identity is a set of unique fingerprints used to identify a class of devices. This information is used to configure permissions and access rules for the identified class of devices in the network.
Note
The WiNG software provides a set of built-in device fingerprints that load by default and identify client device types. Use the service > show > client-identity-defaults command to view the default client identity fingerprints.
client-identity <CLIENT-IDENTITY-NAME>

| Command | Description |
|---|---|
| client-identity <CLIENT-IDENTITY-NAME> | Creates a new client identity policy and enters its configuration mode |
The following points should be considered when configuring the client identity (device fingerprinting) feature:
```
nx9500-6C8809(config)#client-identity test
nx9500-6C8809(config-client-identity-test)#?
Client Identity Mode commands:
  dhcp                     Add a DHCP option based match criteria
  dhcp-match-message-type  Specify DHCP message type to match
  no                       Negate a command or set its defaults

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

nx9500-6C8809(config-client-identity-test)#
```
Note
Use the service > show > client-identity-defaults command to view the default, built-in, system-provided client identity fingerprints:

```
nx9500-6C8809#service show client-identity-defaults
client-identity Android-2-1
 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1
client-identity Android-2-2
 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
client-identity Android-2-3
 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
 dhcp 1 message-type request option-codes exact hexstring 353d32393c37
 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37
 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37
--More--
nx9500-6C8809#
```
| Command | Description |
|---|---|
| no | Removes an existing client identity definition |
| client-identity-group | Configures a new client identity group |
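As an added example (not WiNG code and not part of this reference), the following Python sketch shows how match criteria like the built-in ones listed above are evaluated against a DHCP packet: the option 55 parameter request list compared as a hex string, option 60 compared as ASCII, and option-codes compared as the sequence of option codes in wire order (an assumption, but it is how the default output's 35 3d 32 39 3c 37 reads: options 53, 61, 50, 57, 60, 55). The DHCPREQUEST bytes are constructed here, not a real capture.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {"discover": 1, "request": 3}

def parse_dhcp_options(packet: bytes):
    """Return (message type, {code: value}, option codes in wire order)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: bad magic cookie")
    opts, order, i = {}, [], 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        code = packet[i]
        if code == 0:                                # pad octet has no length field
            i += 1
            continue
        length = packet[i + 1] if i + 1 < len(packet) else -1
        value = packet[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:       # reject truncated options
            raise ValueError(f"truncated option {code}")
        opts[code], i = value, i + 2 + length
        order.append(code)
    return (opts[53][0] if opts.get(53) else None), opts, order

def matches(packet: bytes, signature) -> bool:
    """True only if every (message-type, option, kind, expected) criterion matches."""
    mtype, opts, order = parse_dhcp_options(packet)
    for msg, option, kind, expected in signature:
        # assumption: "option-codes" is the ordered list of option codes present
        raw = bytes(order) if option == "option-codes" else opts.get(option)
        if mtype != MESSAGE_TYPES[msg] or raw is None:
            return False
        seen = raw.hex() if kind == "hexstring" else raw.decode("ascii", "replace")
        if seen != expected:
            return False
    return True

# Criteria copied from the built-in Android-2-2 identity, plus the first
# option-codes criterion listed under Android-2-3 in the default output.
ANDROID_2_2 = [
    ("request", 55, "hexstring", "01792103061c333a3b"),
    ("request", 60, "ascii", "dhcpcd 4.0.15"),
    ("request", "option-codes", "hexstring", "353d32393c37"),
]

def sample_request() -> bytes:  # constructed DHCPREQUEST, not a real capture
    options = (bytes([53, 1, 3])                                      # message type: request
               + bytes([61, 7, 1]) + bytes.fromhex("0242ac110002")     # client id (made-up MAC)
               + bytes([50, 4, 192, 168, 1, 20])                       # requested IP address
               + bytes([57, 2, 0x05, 0xdc])                            # max DHCP message size
               + bytes([60, 13]) + b"dhcpcd 4.0.15"                    # vendor class identifier
               + bytes([55, 9]) + bytes.fromhex("01792103061c333a3b")  # parameter request list
               + bytes([255]))
    return b"\x01\x01\x06\x00" + b"\x00" * 232 + DHCP_MAGIC + options
```

A real classifier would also have to decide what happens when several identities share the same option 55 and option 60 values, as Android-2-2 and Android-2-3 do above; this sketch simply reports whether one signature matches.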