Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FranFisc1
New Contributor II

FortiNAC DHCP Fingerprinting: How to match on DHCP User Class ?

Hi,

we want to identify Windows endpoints as corporate-managed workstations with a somewhat fair confidence,
but without rolling out certificates or agents, or involving WinRM or other dependencies on AD.

Of course we discussed this and are aware that those DHCP requests are cleartext and may be faked.

With another vendor's access control solution that can rely on DHCP fingerprinting as well,
I was able to match clients on the User Class (DHCP Option 77).


If configured, this option is sent by the client with all DHCP requests.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dhcpe/a7be26f5-659d-4912-b715-0481b...


Using Group Policy, all AD-managed workstations could easily be configured to send a custom-defined string here.

 

Unfortunately, in the FortiNAC 9.4 GUI I only found a configurable match on "vendor class" but not on "user class".

How can I match a specific User-Class string in FortiNAC?
If it is not possible, could that be added?

Thanks,
Frank

If configured correctly, it works. The reverse conclusion does not apply necessarily.
Anthony_E
Community Manager

Hello FranFisc1,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello FranFisc1,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hi FranFisc1,

 

I'm afraid that is not yet in FortiNAC. What does your fingerprint actually look like?

The custom fingerprint option is the only thing that I could imagine fitting here.

 

Best regards,

 

Markus

FranFisc1
New Contributor II

Hello Markus,
sorry for the delay...
yes.. it looks like the DHCP Sensor does not store all fields of the DHCP packets in the database


root@xxxnaca:~
> dumpdeviceidentities -mac 60:18:95:27:4C:DA
DHCP Fingerprints:fingerprints loaded = 5719, time = 66
DHCP Fingerprints:fingerprints loaded = 5735, time = 2
total entries = 4 total time = 138 rate = 1811
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252,159 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82

root@xxxnaca:~
> dumpdeviceidentities -mac 00:BE:43:15:62:43
DHCP Fingerprints:fingerprints loaded = 5719, time = 84
DHCP Fingerprints:fingerprints loaded = 5735, time = 1
total entries = 3 total time = 136 rate = 1838
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 XYZNT408377 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> XYZNT408377 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82

As the DHCP User Class (RFC 3004) field seems not even to be stored, there is no way to match it at the moment.
Could you consider this as an enhancement request?

Regarding your suggestion of using the custom fingerprints
(where I'd like to see "User Class" added):


I am already testing those,
but I cannot find any documentation about how the custom fingerprints are matched in detail.


Are the specified lines "AND"ed together to produce a match,
meaning ALL of the lines must be present on an endpoint to result in a match?

Or are they "OR"ed (like, e.g., OUIs), so that ONE of them matching is sufficient?

Can I match on the field values, e.g. hostname, using regex or wildcards?
If yes, what wildcard/regex format?

Thanks & BR

If configured correctly, it works. The reverse conclusion does not apply necessarily.
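As an added illustration (not FortiNAC code, and not posted by anyone in this thread): a minimal DHCPv4 option parser that produces the fields a fingerprinting sensor keeps, comparable to the dumpdeviceidentities columns above (hostname, vendor class, parameter request list, option codes present), and additionally decodes Option 77 User Class per RFC 3004. The packet builder and the "CORP-MANAGED" user class value are constructed sample data.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at offset 236 of the BOOTP header

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw_value} in wire order from a DHCPv4 packet's option field."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_user_class(raw: bytes) -> list:
    """RFC 3004 frames Option 77 as repeated (len, data) sub-fields; some clients
    send one bare string instead, so fall back to that when the framing does not fit."""
    classes, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            return [raw.decode("latin-1")]   # bare string (ambiguous by design)
        classes.append(raw[i + 1:i + 1 + n].decode("latin-1"))
        i += 1 + n
    return classes

def fingerprint(packet: bytes) -> dict:  # columns comparable to the dump above
    opts = parse_dhcp_options(packet)
    mtype = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}.get(opts.get(53, b"\x00")[0], "OTHER")
    return {
        "msg_type": mtype,
        "hostname": opts.get(12, b"").decode("latin-1"),                 # Option 12
        "vendor_class": opts.get(60, b"").decode("latin-1"),             # Option 60
        "param_req_list": ",".join(str(b) for b in opts.get(55, b"")),   # Option 55
        "options_present": ",".join(str(c) for c in opts),               # codes seen, in order
        "user_class": parse_user_class(opts[77]) if 77 in opts else [],  # Option 77
    }

def build_request(hostname: str, vendor: str, prl: bytes, user_class=None) -> bytes:
    """Constructed minimal DHCPv4 REQUEST for testing; header fields other than op/htype/hlen are zero."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232 + MAGIC
    opts = [(53, b"\x03"), (12, hostname.encode()), (60, vendor.encode()), (55, prl)]
    if user_class is not None:
        opts.append((77, user_class))
    return header + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"
```

A match policy would then compare the decoded user_class list against the string pushed by Group Policy; as the question itself notes, Option 77 is cleartext and client-controlled, so it classifies an endpoint but does not authenticate it.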
ndumaj
Staff

Hi Frank,

Unfortunately, the User-Class (DHCP Option 77) method is not supported in DPR at the moment.
It is not possible to add it; no guide or workaround is available.
Br

- Happy to help, hit like and accept the solution -