Technical Tip: DHCP Fingerprint Profiling for Operating System OS Device Profiling Rule

If using the default Windows (DHCP) DPC rule that validates DHCP Fingerprinting Type = windows is used.

1. Make sure to configure Primary and Secondary FortiNAC eth0 IP as an ip-helper on the Layer 3 device.
   
   In the case of the Control and Application servers separately, the Application server management eth0 IP should be configured as an IP helper.
   The management interface only listens and does not respond to DHCP requests.
   
   
2. 'tcpdump -nnvvSXi eth0 port 67 or 68'must receive DHCP discover, request or inform packets.
   
   
3. The command below will show the device if it was fingerprinted by FortiNAC and the OS was detected with additional DHCP parameters.

dumpdeviceidentities -mac xx:xx:xx:xx:xx:xx <----- should be the host MAC address.

Output example:

xx:xx:xx:xx:xx:xx(HP COMPUTER INC.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 LAPTOP-LAB MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82.

Troubleshooting Commands:

Profiler evaluation details (prints to /bsc/logs/output.nessus):

nacdebug -name ActiveFingerprint true

DPC Server processes (prints to /bsc/logs/output.master):

nacdebug -name DpcRuleServer true

This should show the DHCP parameters FORTINAC receives from DHCP discover, request, or inform packets:

dumpdeviceidentities -mac XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX(HP COMPUTER INC.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 LAPTOP-LAB MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82

client -mac XX:XX:XX:XX:XX:XX

In another window SSH session run the below:

tf /bsc/logs/output.nessus | egrep -i “XX:XX:XX:XX:XX:XX|XX-XX-XX-XX-XX-XX|XXXXXXXXXXXX”

Disable Debugging:

nacdebug -name DpcRuleServer

nacdebug -name ActiveFingerprint

Related document:

Technical Note: DHCP Fingerprint Profiling Rule does not match upon initial connection