Terminal Identification
With the popularization and application of the Internet of Things (IoT), more and more terminals of diversified types are connected to campus networks. Especially on large- and medium-sized campus networks, dumb terminals such as IP phones, printers, and IP cameras are connected, in addition to PCs and mobile phones. Thus, it becomes difficult to manage such a large number of terminals of different types that access a campus network. With a traditional network management system (NMS), the administrator can only view the IP addresses and MAC addresses of access terminals, but cannot perform refined terminal management. To plan and deploy different network services and policies for different types of terminals, the administrator needs to manually configure different services and policies for each type of terminal. This results in complex service deployment and operations.
The terminal identification function is introduced to solve the preceding problems. Through diversified terminal identification methods, the administrator can view summary information about terminals on the entire campus network on iMaster NCE-Campus, such as the terminal type and operating system. Based on the summary information, iMaster NCE-Campus can perform refined terminal management from multiple dimensions. For example, iMaster NCE-Campus can collect and display traffic statistics based on terminal types and deliver specified authorization policies to terminals. For dumb terminals using MAC address authentication, iMaster NCE-Campus provides automatic access control based on terminal identification results. This reduces the configuration workload for administrators.
Terminal Identification Method
Terminal identification methods include passive fingerprint-based identification as well as active scanning and identification, as shown in Figure 1-16.
- Passive fingerprint-based identification: Network devices collect fingerprints of packets sent by terminals and report the fingerprints to iMaster NCE-Campus. iMaster NCE-Campus then automatically matches the fingerprints against the built-in fingerprint database to identify terminal types. Using this method, terminals are identified through MAC organizationally unique identifier (OUI), HTTP User Agent, DHCP option, LLDP, or multicast DNS (mDNS).
- Active scanning and identification: iMaster NCE-Campus actively detects or scans terminals, and identifies terminal types based on feedback information sent by the terminals. Using this method, terminals are identified through SNMP query or network mapper (Nmap).
Table 1-2 describes these terminal identification methods in detail.
| Identification Method | Description |
|---|---|
| HTTP User-Agent | A User Agent is a string (a line of text) that identifies the browser and operating system to the web server. The web server reads the User Agent string of the browser on a terminal so that it can send web page content adapted to that browser. This solves the compatibility issue of web sites on different browsers. The User Agent string contains information such as the OS name, OS version, and CPU type. When a user accesses the web authentication page on a terminal to initiate identity authentication to the service controller, the service controller analyzes the User Agent string of the browser to identify the OS name and version of the terminal. |
| DHCP option | When terminals (DHCP clients) request IP addresses from a DHCP server for accessing the network, they obtain related parameters from the DHCP server. The parameters requested and obtained vary between terminal types, so each terminal type exhibits its own characteristic option set. Common DHCP options used for identification include 55, 60, and 12. DHCP snooping must be enabled on access devices for them to report terminal information. |
| MAC OUI | A MAC address consists of six bytes. A MAC OUI is the leftmost three bytes of a MAC address and is the unique identifier of an organization. MAC OUIs are allocated to organizations by the Institute of Electrical and Electronics Engineers (IEEE) and correspond to different network adapter manufacturers. Therefore, the leftmost three bytes of a terminal's MAC address essentially determine the terminal manufacturer. |
| mDNS | mDNS enables hosts on a LAN to discover and communicate with each other without a traditional DNS server. mDNS runs on port 5353 by default. If the mDNS service is enabled on a host on a LAN, the host multicasts a message to all the other hosts on the LAN, and the product information can be obtained from this message. mDNS snooping must be enabled on access devices for them to report terminal information. |
| LLDP | LLDP can be used to detect the status of Layer 2 links between devices on a network and analyze the network topology. After a device discovers the type of a neighbor for the first time or detects a neighbor type change through LLDP, the device reports the LLDP neighbor information to iMaster NCE-Campus, which derives terminal characteristics from it. This method applies to scenarios where LLDP-capable terminals are directly connected to Huawei access switches. LLDP is enabled by default on Huawei access switches; enable it if this function has been disabled. |
| SNMP query | Many device vendors develop SNMP-compliant devices, so that these devices can be managed by the NMS and their running status can be queried by the NMS through SNMP. For example, the running status information reported by switches, routers, IP phones, and printers to the NMS generally includes the device name, device type, and device manufacturer name. The NMS can identify the devices by querying and analyzing their running status information. To enable iMaster NCE-Campus to identify devices through SNMP, the following conditions must be met: |
| Nmap | Nmap is an open-source utility for network discovery and security auditing. It is mainly used for host discovery, port scanning, service version detection, and OS detection. By default, iMaster NCE-Campus does not support Nmap. After the Nmap plug-in is loaded, iMaster NCE-Campus can use Nmap to proactively identify terminals. For details about this method, see the Nmap Plug-in User Guide in iMaster NCE-Campus. |
Automatic MAC Address Authentication
Dumb terminals, such as printers, IP phones, and IP cameras, generally use MAC address authentication to access a network. With traditional MAC address authentication, the administrator must manually record the MAC address of each terminal on the authentication server, which is inefficient. Especially on large- and medium-sized campus networks, recording the MAC addresses of numerous dumb terminals is a heavy workload.
Automatic admission based on terminal identification can solve this problem. The administrator can enable terminal identification and automatic admission on iMaster NCE-Campus and specify the types of terminals that require MAC address authentication in the admission policy and authorization policy. After a terminal connects to the campus network, iMaster NCE-Campus obtains the terminal information through terminal identification. If the terminal information matches a given authentication rule, iMaster NCE-Campus automatically records the terminal's MAC address in the background database used for MAC address authentication, and then automatically authenticates and authorizes the terminal. Figure 1-17 shows the details about the automatic MAC address authentication process.
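The passive DHCP fingerprinting described in the table above (options 12, 55 and 60 together with the MAC OUI) and the automatic MAC address registration described here, as an added example that is not iMaster NCE-Campus code: the fingerprint database, OUIs, vendor-class strings and VLAN values are constructed, and the admission policy is a plain dictionary standing in for the product's admission and authorization policies.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Constructed fingerprint DB and admission policy (illustrative values, not the product's built-in database).
FINGERPRINTS = [
    {"type": "Windows PC", "vendor_class": "MSFT 5.0"},
    {"type": "IP phone", "oui": "00:11:22", "param_list": [1, 3, 6, 15, 66, 150]},
]
ADMISSION_POLICY = {"IP phone": {"vlan": 100}}  # dumb-terminal types allowed via automatic MAC auth

def build_discover(mac: bytes, options: dict) -> bytes:
    """Build a minimal BOOTP/DHCP Discover carrying the given options (constructed test input)."""
    hdr = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10) + bytes(192) + MAGIC
    body = bytes([53, 1, 1])  # option 53 = DHCPDISCOVER
    for code, val in options.items():
        body += bytes([code, len(val)]) + val
    return hdr + body + b"\xff"

def parse_dhcp(packet: bytes) -> dict:
    """Extract chaddr (MAC), its OUI and options 12, 55 and 60 from a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + packet[2]])  # byte 2 = hlen
    opts, i = {}, 240
    while i + 1 < len(packet) and packet[i] != 255:  # 255 = end option
        if packet[i] == 0:                           # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"mac": mac, "oui": mac[:8], "param_list": list(opts.get(55, b"")),
            "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "vendor_class": opts.get(60, b"").decode("ascii", "replace")}

def classify(info: dict, db=FINGERPRINTS) -> str:
    """Return the type of the most specific fingerprint whose every attribute matches, else 'unknown'."""
    best, best_score = "unknown", 0
    for fp in db:
        attrs = {k: v for k, v in fp.items() if k != "type"}
        if all(info.get(k) == v for k, v in attrs.items()) and len(attrs) > best_score:
            best, best_score = fp["type"], len(attrs)
    return best

def admit(packet: bytes, mac_auth_db: dict, policy=ADMISSION_POLICY):
    """Identify the sender; if its type is in the policy, register its MAC and return the authorization."""
    info = parse_dhcp(packet)
    ttype = classify(info)
    if ttype not in policy:
        return None                      # unknown or unlisted type: nothing is registered
    mac_auth_db[info["mac"]] = ttype     # automatic registration replaces the manual MAC entry
    return policy[ttype]
```

A terminal whose fingerprint is not in the admission policy (here the Windows PC) is classified but never added to the MAC authentication database, so it still has to authenticate by another method.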