We want to identify Windows endpoints as corp. managed workstations with a somewhat fair confidence, but without rolling out certificates or agents, nor involving WinRM or other dependencies on AD. Of course we discussed this, and we are aware that those DHCP requests are cleartext and may be faked.
With another vendor's access control solution that can rely on DHCP fingerprinting as well, I was able to match clients on the User-Class (DHCP Option 77).
If configured, this option is sent by the client with all DHCP requests.
By Group Policy, all AD-managed workstations could easily be configured to send a custom defined string here.
Unfortunately, in the FortiNAC 9.4 GUI I only found a configurable match on "vendor class" but not on "user-class". How can I match a specific User-Class string in FortiNAC? If that is not possible, could it be added? Thanks, Frank
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
We are still looking for someone to help you.
We will come back to you ASAP.
I'm afraid that is not yet in FortiNAC. What does your fingerprint actually look like?
The custom fingerprint option is the only thing that I could imagine fitting here.
Hello Markus, sorry for the delay... yes, it looks like the DHCP Sensor does not store all fields of the DHCP packets in the database:
root@xxxnaca:~> dumpdeviceidentities -mac 60:18:95:27:4C:DA
DHCP Fingerprints:fingerprints loaded = 5719, time = 66
DHCP Fingerprints:fingerprints loaded = 5735, time = 2
total entries = 4 total time = 138 rate = 1811
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252,159 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 NT406965 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
60:18:95:27:4C:DA(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> NT406965 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82
root@xxxnaca:~> dumpdeviceidentities -mac 00:BE:43:15:62:43
DHCP Fingerprints:fingerprints loaded = 5719, time = 84
DHCP Fingerprints:fingerprints loaded = 5735, time = 1
total entries = 3 total time = 136 rate = 1838
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Windows Windows 10 XYZNT408377 MSFT 5.0 1,3,6,15,31,33,43,44,46,47,119,121,249,252 53,61,50,12,81,60,55,82
00:BE:43:15:62:43(Dell Inc.) DHCPv4 1(DHCPv4 REQUEST) Unknown <null> XYZNT408377 <null> 1,15,3,6,44,46,47,31,33,159 53,61,50,12,55,82
As the DHCP User Class (RFC 3004) field seems not even to be stored, there is no way to match it at the moment. Could you consider this as an enhancement request? Regarding your suggestion of using the custom fingerprints (where I'd like to see "User Class" added):
I am already testing those, but I do not find any documentation about how the custom fingerprints are matched in detail.
Are the specified lines "AND"ed together to produce a match, meaning ALL of the lines must be present on an endpoint to result in a match? Or are they "OR"ed (like, e.g., OUIs), so ONE of them matching is sufficient?
Can I match on the field values, e.g. hostname, using RegEx or wildcards? If yes, what wildcard/regex format? Thanks & BR
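As an added illustration (not code from this thread, from FortiNAC or from any other vendor), here is how a DHCP sensor could decode the fields shown in the dump above (hostname, vendor class, parameter request list, options present) and additionally extract the RFC 3004 User Class. The request bytes are constructed to mirror the dump; the hostname and MAC come from it, the user-class string "CORP-MANAGED-WS" is an assumed Group Policy value, and the parser handles the known caveat that Windows clients send Option 77 as a bare string without the RFC 3004 length prefix.

```python
def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data

# Constructed DHCPREQUEST option area (bytes after the magic cookie), modelled on the dump.
SAMPLE_OPTIONS = (
    _opt(53, b"\x03")                                    # message type: REQUEST
    + _opt(61, b"\x01" + bytes.fromhex("601895274CDA"))  # client id: MAC from the dump
    + _opt(12, b"NT406965")                              # hostname from the dump
    + _opt(60, b"MSFT 5.0")                              # vendor class identifier
    + _opt(77, b"CORP-MANAGED-WS")                       # user class, Windows bare-string form
    + _opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    + _opt(82, _opt(1, b"\x00\x04"))                     # relay agent info (constructed)
    + b"\xff"
)

def parse_options(blob: bytes) -> dict[int, bytes]:
    """Walk the TLV area: skip PAD (0), stop at END (255), join repeats (RFC 3396)."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        code = blob[i]
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = opts.get(code, b"") + blob[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def parse_user_class(data: bytes) -> list[str]:
    """RFC 3004 lists <len><class-data> items, but Windows sends one bare string
    with no length byte; accept the structured form only if lengths tile exactly."""
    items, i = [], 0
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            break
        items.append(data[i + 1 : i + 1 + n].decode("latin-1"))
        i += 1 + n
    return items if items and i == len(data) else [data.decode("latin-1")]

def fingerprint(blob: bytes) -> dict:
    opts = parse_options(blob)
    return {
        "hostname": opts.get(12, b"").decode("latin-1"),
        "vendor_class": opts.get(60, b"").decode("latin-1"),
        "user_class": parse_user_class(opts[77]) if 77 in opts else [],
        "param_request_list": list(opts.get(55, b"")),
        "options_present": list(opts),  # dict preserves wire order
    }
```

Because the user class is cleartext and set by the client itself, a match on it is only a low-confidence signal to combine with the other fingerprint fields, as the thread already notes.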
Hi Frank, unfortunately the User-Class (DHCP Option 77) method is not supported on DPR at the moment. It is not possible to add it; no guide or workaround is available. Br