Visitor III

Question

FortiNAC DHCP Fingerprinting: How to match on DHCP User Class ?

Forum|Forum|3 years ago
March 21, 2023
5 replies
2850 views

Hi,

we want to identify windows endpoints as corp. managed workstations with a somehow fair confidence,
but without rolling out certificates or Agents, nor involving WinRM or other dependencies to AD.

Of course we discussed and we are aware that those DHCP requests are cleartext and may be faked.

With another vendors' access control solution that can rely on DHCP fingerprinting as well,
I was able to match clients on the User-Class (DHCP Option 77).

If configured, this option is sent by the client with all DHCP requests.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/a7be26f5-659d-4912-b715-0481b9d84e95

By Group Policies, all AD managed Workstations could be easily configured to send a custom defined string here.

Unfortunately, in FortiNAC 9.4 GUI I only found a configurable match on "vendor class" but not on "user-class".

How can I match for a specific User-Class String in FortiNAC ?
If not possible, could that be added ?

Thanks,
Frank

FortiNAC

Anthony_E

Staff

Hello FranFisc1,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards

Anthony_E

Staff

Hello FranFisc1,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Best Regards

Markus_M

Staff & Editor

Hi FranFisc1,

I'm afraid that is not yet in FortiNAC. How does your fignerprint actually look like?

The custom fingerprint option is the only thing that I could imagine fitting here.

Best regards,

Markus

FranFisc1Author

Visitor III

Hello Markus,
sorry for the delay...
yes.. looks like the DHCP Sensor does not store all fields of the DHCP packtes in the Database


root@xxxnaca:~
> dumpdeviceidentities -mac 60:18:95:27:4C:DA
DHCP Fingerprints:fingerprints loaded = 5719, time = 66
DHCP Fingerprints:fingerprints loaded = 5735, time = 2
total entries = 4 total time = 138 rate = 1811
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252,159 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82

root@xxxnaca:~
> dumpdeviceidentities -mac 00:BE:43:15:62:43
DHCP Fingerprints:fingerprints loaded = 5719, time = 84
DHCP Fingerprints:fingerprints loaded = 5735, time = 1
total entries = 3 total time = 136 rate = 1838
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 XYZNT408377 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> XYZNT408377 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82

As the DHCP User Class (RFC3004) field seems not even be stored, now way to match it at the moment.
Could you consider this as an enhancement request ?

Regarding your suggestions using the custom fingerprints:
(where I'd like to see "User Class" added )

I already testing those,
but I do not find any documentation about how the custom fingerprints are matched in detail.

Are the specified lines "AND" ed together to produce a match,
means: ALL of the lines must be present on an endpoint to result in a match ?

Or are they "ORed" (like in i.E. OUIs), so ONE of them matching is sufficient ?

Can i match on the field values, i.e. hostname, using RegEx or wildcards ?
If yes, what wildcard/regex format ?

Thanks & BR

ndumaj

Staff

Hi Frank,

Unfortunately, User-Class (DHCP Option 77) method is not supported on DPR at the moment.
Is not possible to add it, no guide or workaround available.
Br

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded