Document ID: 116235
Updated: Jul 05, 2013
Contributed by Harisha Gunna and Todd Pula, Cisco TAC Engineers.
This document describes the use of the DHCP Parameter Request List (option 55) as an alternative method to profile endpoints with the Cisco Identity Services Engine (ISE).
Cisco recommends that you have:
- Basic knowledge of the DHCP discovery process
- Experience with the use of ISE to configure custom profiling rules
The information in this document is based on these software and hardware versions:
- ISE Version 1.2
- Apple iOS
- Windows 8
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
In production ISE deployments, some of the more commonly deployed profiling probes include RADIUS, HTTP, and DHCP. With URL redirection at the center of the ISE workflow, the HTTP probe is widely used in order to capture important endpoint data from the User-Agent string. However, in some production use cases URL redirection is not desired and 802.1X (dot1x) authentication is preferred, which makes it more difficult to accurately profile an endpoint. For example, an employee PC that connects to a corporate Service Set Identifier (SSID) gets full access, while the same employee's personal iDevice (iPhone, iPad, iPod) gets Internet access only. In both scenarios the endpoints are profiled and dynamically mapped to a more specific identity group for authorization profile matching, without relying on the user to open a web browser. Another commonly used alternative is hostname matching. This solution is imperfect because users can change the endpoint hostname to a non-standard value.
In corner cases such as these, the DHCP probe and the DHCP Parameter Request List (option 55) can be used as an alternative method to profile these devices. The Parameter Request List field in the DHCP packet can be used in order to fingerprint an endpoint operating system, much like an Intrusion Prevention System (IPS) uses a signature in order to match a packet. When the endpoint operating system sends a DHCP Discover or Request packet on the wire, its DHCP client includes a numeric list of the DHCP options that it wants to receive from the DHCP server (default router, Domain Name Server (DNS), TFTP server, and so on). The set and order of the options that the client requests are fairly specific to a given DHCP client implementation and can be used in order to fingerprint the source operating system. The use of the Parameter Request List option is not as exact as the HTTP User-Agent string, but it is far more controlled than the use of hostnames and other user-defined data. Note that the list is still generated by client software: a user who runs a non-default DHCP client can present any list, so treat the match as a profiling hint for authorization policy rather than as proof of device type.
Before you configure the ISE profiling rules, use Wireshark captures from an endpoint or a Switched Port Analyzer (SPAN) session, or TCP Dump captures on ISE, in order to evaluate the Parameter Request List options in the DHCP packet (if present). This sample capture displays the DHCP Parameter Request List options for a Windows 8 Enterprise PC.
The Parameter Request List string that results is written in the following comma-separated format: 1,15,3,6,44,46,47,31,33,121,249,252,43. Use this format when you configure custom profiling conditions in ISE.
The configuration section demonstrates the use of custom profiling conditions to match iPhones, iPads, and iPods into a single identity group called Apple-iDevice. Unlike the Parameter Request List string that is unique to Windows 8, Apple uses a common set of strings across multiple endpoint types. Because of this, it is not possible to differentiate the Apple iDevice type with the use of the Parameter Request List option alone. This is an acceptable configuration in production ISE deployments because the same authorization policy is typically applied to iPhones, iPads, and iPods.
- Log on to the ISE admin GUI and navigate to Policy > Policy Elements > Conditions > Profiling. Click Add in order to add a new custom profiling condition. In this example, four custom conditions are defined, one for each of the most commonly seen Apple iDevice Parameter Request List fingerprints, each comparing the DHCP attribute dhcp-parameter-request-list against one comma-separated string. Refer to Fingerbank.org for a complete list of Parameter Request List values.
- With the custom conditions defined, navigate to Policy > Profiling > Profiling Policies in order to modify a current profiling policy or in order to configure a new one. In this example, the default Apple-iDevice policy is edited in order to include the new Parameter Request List conditions.
- Add a new compound condition to the Apple-iDevice profiler policy rule and ensure that the OR operator is selected so that any one of the configured Parameter Request List strings results in a match. Modify the Certainty Factor as required in order to achieve the desired profiling result.
Use this section in order to confirm that your configuration works properly.
- Navigate to Administration > Identity Management > Identities > Endpoints and edit the Endpoint Profile for the device/MAC address.
- Confirm that the EndPointPolicy is Apple-iDevice, that the EndPointSource is DHCP Probe, and that the dhcp-parameter-request-list values match the condition values previously configured.
This section provides information you can use in order to troubleshoot your configuration.
- Verify that the DHCP packets actually reach the ISE Policy Service nodes that perform the profiling function (relayed with an ip helper-address on the client VLAN, or mirrored with SPAN).
- Use the Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump tool in order to natively run TCP Dump captures from the ISE admin GUI.
- Refer to the Fingerbank.org DHCP fingerprint database for a current list of Parameter Request List options.
- Ensure that the correct Parameter Request List values are configured in the ISE profiling conditions. Some of the more commonly used strings include:
Device Type and Parameter Request List Values:
Windows XP
- 1,15,3,6,44,46,47,31,33,249,43
- 1,15,3,6,44,46,47,31,33,249,43,252
- 1,15,3,6,44,46,47,31,33,249,43,252,12
- 15,3,6,44,46,47,31,33,249,43
- 15,3,6,44,46,47,31,33,249,43,252
- 15,3,6,44,46,47,31,33,249,43,252,12
- 28,2,3,15,6,12,44,47
Windows Vista/7 or Server 2008
- 1,15,3,6,44,46,47,31,33,121,249,43
- 1,15,3,6,44,46,47,31,33,121,249,43,0,32,176,67
- 1,15,3,6,44,46,47,31,33,121,249,43,0,176,67
- 1,15,3,6,44,46,47,31,33,121,249,43,252
- 1,15,3,6,44,46,47,31,33,121,249,43,195
Windows 8
- 1,15,3,6,44,46,47,31,33,121,249,252,43
Mac OS X
- 1,3,6,15,112,113,78,79,95
iPhone, iPad, iPod
- 1,3,6,15,119,78,79,95,252
- 1,3,6,15,119,252
- 1,3,6,15,119,252,46,208,92
- 1,3,6,15,119,252,67,52,13
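The following Python script is an added worked example, not part of the original document and not ISE code. It builds a constructed DHCP Discover payload (the MAC address and transaction ID are arbitrary), walks the RFC 2132 option TLVs to extract option 55 in the same comma-separated form that ISE shows in the dhcp-parameter-request-list attribute, and then evaluates it against the fingerprint strings listed above the way a profiling policy with an OR compound condition of EQUALS checks would. The FINGERPRINTS table and the device type names are taken from this document; iPhone, iPad, and iPod are collapsed into Apple-iDevice because they share the same strings.

```python
import struct

# DHCP magic cookie that separates the fixed BOOTP header from the options field.
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Parameter Request List fingerprints from this document. Exact-string sets,
# which corresponds to an ISE compound condition that ORs several EQUALS checks.
FINGERPRINTS = {
    "Windows XP": {
        "1,15,3,6,44,46,47,31,33,249,43",
        "1,15,3,6,44,46,47,31,33,249,43,252",
        "1,15,3,6,44,46,47,31,33,249,43,252,12",
        "15,3,6,44,46,47,31,33,249,43",
        "15,3,6,44,46,47,31,33,249,43,252",
        "15,3,6,44,46,47,31,33,249,43,252,12",
        "28,2,3,15,6,12,44,47",
    },
    "Windows Vista/7 or Server 2008": {
        "1,15,3,6,44,46,47,31,33,121,249,43",
        "1,15,3,6,44,46,47,31,33,121,249,43,0,32,176,67",
        "1,15,3,6,44,46,47,31,33,121,249,43,0,176,67",
        "1,15,3,6,44,46,47,31,33,121,249,43,252",
        "1,15,3,6,44,46,47,31,33,121,249,43,195",
    },
    "Windows 8": {"1,15,3,6,44,46,47,31,33,121,249,252,43"},
    "Mac OS X": {"1,3,6,15,112,113,78,79,95"},
    # iPhone, iPad and iPod share these strings, so they map to a single group.
    "Apple-iDevice": {
        "1,3,6,15,119,78,79,95,252",
        "1,3,6,15,119,252",
        "1,3,6,15,119,252,46,208,92",
        "1,3,6,15,119,252,67,52,13",
    },
}


def build_dhcp_discover(prl, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Build a minimal BOOTP/DHCP Discover payload (RFC 2131 fixed header plus
    RFC 2132 options) carrying the given Parameter Request List. This is
    constructed test input, not a real capture; the MAC and xid are arbitrary."""
    header = struct.pack(
        "!BBBBIHHIIII16s64s128s",
        1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326,          # xid (arbitrary)
        0, 0x8000,           # secs, flags (broadcast bit set)
        0, 0, 0, 0,          # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"", b"",    # chaddr, sname, file (struct zero-pads them)
    )
    options = b"\x35\x01\x01"                         # option 53: DHCPDISCOVER
    options += bytes([55, len(prl)]) + bytes(prl)     # option 55: Parameter Request List
    options += b"\xff"                                # end option
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(payload):
    """Return {option_code: value_bytes} from the DHCP options field.
    Handles pad (0) and end (255), and concatenates repeated codes (RFC 3396)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: magic cookie missing")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad octet, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def parameter_request_list(payload):
    """Option 55 rendered as the comma-separated string ISE displays in
    dhcp-parameter-request-list, or None if the client did not send option 55."""
    value = parse_dhcp_options(payload).get(55)
    if value is None:
        return None
    return ",".join(str(b) for b in value)


def match_fingerprint(prl_string):
    """Return the first device type whose fingerprint set contains the exact
    string (OR of EQUALS conditions), or None when nothing matches."""
    for device_type, strings in FINGERPRINTS.items():
        if prl_string in strings:
            return device_type
    return None


def profile(payload):
    """Extract option 55 from a DHCP payload and return (prl_string, device_type)."""
    prl = parameter_request_list(payload)
    return prl, (match_fingerprint(prl) if prl is not None else None)


if __name__ == "__main__":
    for prl in ([1, 3, 6, 15, 119, 252],
                [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252, 43],
                [1, 2, 3]):
        print(profile(build_dhcp_discover(prl)))
```

The exact-match sets mirror the OR compound condition described in the configuration section; a CONTAINS condition in ISE would be looser and could match a longer list that merely embeds one of these strings, so prefer EQUALS unless you have checked captures from the endpoint population you expect. A payload that fails the magic cookie check or carries a truncated option raises ValueError instead of silently yielding no match.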
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.