Configuring Client Identity

About this task

With an increase in Bring Your Own Device (BYOD) corporate networks, there's a parallel increase in the number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the organization's security mechanisms do not extend to these personal devices deployed in the corporate wireless network. Organizations can protect their networks by limiting how and what these BYODs can access on and through the corporate network.

Device fingerprinting assists administrators by controlling how BYOD devices access a corporate wireless domain.

Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a unique signature specific to device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each device class.

Note

Note

Ensure DHCP is enabled on the WLAN on which device fingerprinting is to be enabled.

To define a device fingerprinting configuration on controllers, service platforms and access points:

Procedure

  1. Select Configuration → Security.
  2. Select Device Fingerprinting.
    The Client Identity screen displays, populated by default with existing client identity configurations.
    Click to expand in new window
    Device Fingerprinting - Client Identity Screen
  3. Select Add to create a new client identity policy, Edit to modify a selected policy, or Delete to remove obsolete policies from the list of those available.
    Use Rename to change the name of an existing client identity policy, or Copy a policy to a different location.

    Client identity policies use signatures to identify and group clients. Signatures are sets of attributes unique to the device model and manufacturer. Once identified, signatures classify and assign network access permissions collectively without having to administer multiple devices individually.

  4. If you are adding a new client identity configuration, define a 32-character maximum name and select the OK button at the bottom of the screen to enable the remainder of the screen‘s editable parameters.
  5. Select the + Add Row button to add a new signature in the client identity.
    Click to expand in new window
    Device Fingerprinting - Add/Edit - Client Signature Screen
  6. Optionally, select Pre-defined and choose from a list of pre-defined client identities.
    Once selected, the DHCP Match Criteria field is populated with fingerprints for the selected client identity.
  7. To create a custom identity configuration, select Custom and provide a name in the adjacent field.
    Select the OK button at the bottom of the screen.
  8. Provide the following information for each device signature configuration:
    Index Use the spinner control to assign an index (numeric identifier) for this signature. A maximum of 16 signatures can be created.
    Message Type Use the drop-down menu to designate the DHCP message type matched for signatures.
    • Request – Looks for a signature in DHCP request messages. This is the default value.
    • Discover – Looks for a signature in DHCP discover messages.
    Match Option Options are passed in DHCP discover and request messages as Option Code, Option Type, and Option Value sets. When Option Codes is selected, the Option Code passed in the DHCP discover/request is extracted and a fingerprint is derived. The derived fingerprint is used to identify the device.
    • Option – Indicates a specific DHCP Option is used to identify a device. When selected, a text box is enabled to input the DHCP Option used for fingerprinting.
    • Option Codes – Indicates the Option Code passed in the DHCP request and discover message is used for matching.
    Match Type Use the drop-down menu to select how signatures are matched. Available options include:
    • Exact – The complete signature string matches the string specified in the Option Value field.
    • Starts-with – The signature is checked if it starts with the string specified in the Option Value field.
    • Contains – The signature is checked if it contains the string specified in the Option Value field.
    Value Format Use the drop-down menu to select the character format of the value being checked. The value can be either ASCII or Hexadecimal.
    Option Value Use this text box to set the 64-character maximum DHCP option value to match.
  9. Use the DHCP Match Message Type drop-down menu (from the Settings field at the bottom of the screen) to specify the DHCP message type configured option values are matched against.
    The following options are available:
    Discover
    Looks for a signature in DHCP discover messages.
    Request
    Looks for a signature in DHCP request messages. This is the default value.
    Any
    The fingerprint is checked with either the DHCP request or the DHCP discover message.
    All
    The fingerprint is checked with both the DHCP request and the DHCP discover message.
  10. Select OK to save the changes.
    Select Reset to revert to the last saved configuration.
9036512-01 Rev AB