IOT Profiling

IoT Profiling Phase 1 – Inventory (from OV 4.4R2)
Support of External Signature Profile database thanks to a Profiling API
No Support of enforcement based on device profiling in this phase
Device information will be collected and put in inventory for analytics

‘Profiling data’ is the fingerprinting data that OV needs in order to work with the Fingerbank cloud for device categorization; it includes the MAC OUI, the DHCP fingerprints and the list of HTTP user-agents.
‘Network context’ defines the WHO (client MAC, IP address) and WHERE (where it is connected) information.
We also include the AG context (UNP).

Connection lost with OV
When the connection to the broker is lost (network issue, OV going down), the Switch/AP detects that the MQTT endpoint is down. Whenever it detects that the broker is reachable again, it sends a Report of all the endpoints known at that time; in this way OV can catch up with the endpoint inventory and also inform the switch about the categorization of these endpoints.
This feature shall work when a device contains thousands of MAC address entries.
To avoid flooding OV, a Report shall be sent only when the link has been down for more than 15 minutes; otherwise Updates should be used to sync the switch and OV.
Also, the Report should be sent by each switch/AP at a random time and not by all of them at the same time.
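The catch-up behaviour above, modelled as an added example (this is not AOS/AWOS or OmniVista code). It assumes the switch/AP keeps its own endpoint table plus a list of Updates that have not yet reached the broker; the 15-minute threshold is the one stated above, and the 60-second random spread (MAX_JITTER_S) is an assumed value used only to illustrate the "not all at the same time" rule:

```python
# Added example (not AOS/AWOS code): a model of the catch-up behaviour described above,
# i.e. what a switch/AP publishes once the MQTT broker becomes reachable again.
import random
from typing import Dict, Optional, Tuple

REPORT_THRESHOLD_S = 15 * 60   # full Report only if the broker was unreachable for more than 15 minutes
MAX_JITTER_S = 60              # assumed spread so that all switches/APs do not report at the same time


class EndpointSyncAgent:
    """Keeps the endpoints a switch/AP has learnt and what OV has not yet been told about."""

    def __init__(self, rng: Optional[random.Random] = None):
        self.endpoints: Dict[str, dict] = {}   # MAC -> profiling data + network context
        self.pending: Dict[str, dict] = {}     # Updates not yet delivered to the broker
        self.broker_down_since: Optional[float] = None
        self.rng = rng or random.Random()

    def learn(self, mac: str, data: dict) -> None:
        """Record a new or changed endpoint; it becomes an Update for OV."""
        self.endpoints[mac] = data
        self.pending[mac] = data

    def broker_lost(self, now: float) -> None:
        """Called when the switch/AP detects that the MQTT endpoint is down."""
        if self.broker_down_since is None:
            self.broker_down_since = now

    def broker_reachable(self, now: float) -> Tuple[str, Dict[str, dict], float]:
        """Decide what to publish when the broker is reachable again.

        Returns (message kind, payload, delay in seconds before sending).
        """
        outage = 0.0 if self.broker_down_since is None else now - self.broker_down_since
        self.broker_down_since = None
        delay = self.rng.uniform(0, MAX_JITTER_S)   # randomised send time, not all devices at once
        if outage > REPORT_THRESHOLD_S:
            kind, payload = "Report", dict(self.endpoints)   # every endpoint known right now
        else:
            kind, payload = "Update", dict(self.pending)     # short outage: Updates only, no flood
        self.pending.clear()
        return kind, payload, delay
```

A long outage (over 15 minutes) yields one Report carrying the whole table, which is what lets OV rebuild its inventory; a short one yields only the Updates accumulated meanwhile, and the jitter spreads the sends across devices.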

IoT Profiling Phase 2 – Enforcement (from OV 4.5R1)
In the Network -> IoT -> Enforcement page, the admin can associate a Category with an Access Role Profile.
Once the device accesses the network and is categorized, the assigned Access Role Profile is applied to the device and takes precedence over the previous authentication (MAC Classification, 802.1x, LDAP Role mapping).
Different Access Role Profiles can be associated with different categories, and enforcement of categories can be automatic or manual (see KCS article 000058847).

Prerequisite for IoT Enforcement: the Access Role Profile must exist in the device’s configuration; go to Template -> Access Role Profile to configure and assign a new ARP to devices.

Supported use cases for OV Enforcement:

  • No authentication (locally classified/default-profile user): the client is learnt under the default profile; if OV enforcement is done, it gets the highest priority and the client moves to the enforced profile if it exists on the switch, else the client remains in the default profile
  • MAC authentication (Pass/Fail)
  • 802.1X authentication (OV UNP enforced only for 1x Pass, not for 1x Failed users): only if the 802.1X authentication succeeds does the client move to the enforced profile if it exists on the switch, else the client remains in the initial profile
  • Users in CP built-in/LTP Unauthorized (i.e. the OV-enforced UNP is applied even to users learnt in the restricted role)
  • Users in a redirect role (BYOD case: Profile and Redirect-URL received from UPAM/CPPM): OV enforcement also takes precedence and nullifies the redirect role
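The precedence rules in the list above, written out as an added example (this is not OmniVista or AOS code, and the field names EndpointAuth/Resolution are assumptions chosen to mirror the "Profile" and "Profile Source" fields of show unp user details). The function takes the profile the endpoint initially got, the ARP OV wants to enforce for its category, and the set of ARPs present on the switch, and returns what the endpoint ends up with:

```python
# Added example (not OmniVista or AOS code): models the precedence rules listed
# above to work out which Access Role Profile (ARP) an endpoint ends up with.
from dataclasses import dataclass
from typing import Optional, Set

AUTH_NONE, AUTH_MAC, AUTH_8021X = "none", "mac", "802.1x"


@dataclass
class EndpointAuth:
    auth_type: str                      # AUTH_NONE, AUTH_MAC or AUTH_8021X
    auth_passed: bool                   # result of the authentication (ignored for AUTH_NONE)
    initial_profile: str                # default profile, profile from auth server, or restricted/redirect role
    restricted: bool = False            # learnt in the CP built-in / LTP Unauthorized role
    redirect_url: Optional[str] = None  # BYOD redirect role received from UPAM/CPPM


@dataclass
class Resolution:
    profile: str
    profile_source: str                 # mirrors "Profile Source" in 'show unp user details'
    redirect_url: Optional[str]


def resolve_profile(ep: EndpointAuth, enforced_profile: Optional[str],
                    switch_profiles: Set[str]) -> Resolution:
    """Return the profile applied to the endpoint once OV Enforcement is considered.

    enforced_profile: ARP associated with the endpoint's category in
    Network -> IoT -> Enforcement (None when nothing is enforced).
    switch_profiles: ARPs that exist in the switch configuration (the prerequisite).
    """
    if ep.restricted:
        source = "Restricted role (CP/LTP)"
    elif ep.redirect_url:
        source = "Redirect role (BYOD)"
    elif ep.auth_type == AUTH_NONE:
        source = "Default UNP"
    else:
        source = "Auth Server"
    initial = Resolution(ep.initial_profile, source, ep.redirect_url)

    if enforced_profile is None:
        return initial
    # 802.1X: enforcement applies only to 1x Pass, never to 1x Failed users
    if ep.auth_type == AUTH_8021X and not ep.auth_passed:
        return initial
    # the enforced ARP must exist on the switch, otherwise the client keeps its initial profile
    if enforced_profile not in switch_profiles:
        return initial
    # enforcement wins over MAC pass/fail, restricted (CP/LTP) roles and redirect roles;
    # the redirect role is nullified, so no redirect URL survives
    return Resolution(enforced_profile, "OV Enforced UNP", None)
```

Running it with a MAC-authenticated client whose auth server returned profile_step1 and a category enforcing profile_step2 gives profile_step2 with source "OV Enforced UNP", which is the outcome shown later in the show unp user details output; an 802.1X failure or a missing ARP on the switch leaves the initial profile in place.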

Architecture


We only focus on the MQTT messages received from network devices that contain the IoT device fingerprints. The data is then sent through the HTTPS API to Fingerbank, the cloud application used to profile and categorize the device.

Limitations:

  • IoT Profiling feature is not supported on Stellar AP 1101
  • IPv6 devices are not supported
  • L3 HA is not supported
  • AOS 8.6 R01 – the endpoint session Start time is not updated for subsequent sessions due to a device issue
  • AOS 8.6 R01 – device profiling on the device conflicts with the sFlow configuration and does not work correctly if both are enabled
  • The AOS CLI command “device-profile auto-unp-assignment” is incompatible with OV IoT Enforcement and must not be added
  • IoT Enforcement is not supported for 802.1x supplicant devices prior to AOS 8.7R01

Versions supported:
AWOS 3.0.7, AOS 8.6 and above

How to configure IoT Profiling
To enable IoT Profiling, go to Discovery -> Managed Devices, select one or more devices and click on the Enable IoT button:


If a device doesn’t support IoT Profiling, the message “one or more devices that do not support IoT feature were removed from your selection” is displayed.
When IoT Profiling is enabled on a switch, the command device-profile admin-state enable is pushed in the global settings and only on UNP ports.
For fixed ports (i.e. not UNP ports), the CLI command has to be entered manually:

device-profile port 1/1/10 admin-state enable

Caution: for IoT Profiling to work with IPTouch phones, QoS auto-phones has to be disabled:

qos no phones

Tip: check whether IoT is enabled on the device (OV -> Administration -> Audit -> iot-service.log).
Enable on Stellar AP

[INFO] [Thread-25]-[com.alu.ov.ngnms.iot.services.impl.IoTAsyncProcessorImpl] Apply IoT Service command to AP device dc:08:56:0a:31:50
[INFO] [Thread-25]-[com.alu.ov.ngnms.iot.services.deviceinteractor.APInteractor] Send IoT Service Command to WMA: dc:08:56:0a:31:50
[INFO] [Thread-25]-[com.alu.ov.ngnms.iot.services.deviceinteractor.APInteractor] Apply IoT Service command to AP dc:08:56:0a:31:50 successfully

Enable on OmniSwitch AOS 8.x

[INFO] [Thread-26]-[com.alu.ov.ngnms.iot.services.impl.IoTAsyncProcessorImpl] Apply IoT Service command to AOS device 192.168.20.236
[INFO] [Thread-26]-[com.alu.ov.ngnms.iot.services.deviceinteractor.SwitchesInteractor] Connected to device 192.168.20.236
[INFO] [Thread-26]-[com.alu.ov.ngnms.iot.services.deviceinteractor.SwitchesInteractor] Execute command on device: appmgr stop ams-apps iot-profiler; appmgr start ams-apps iot-profiler -args -h 10.130.7.15 -p 1883 -u system -P manager -q 2 --disable-clean-session --cafile /flash/switch/ca.d/certs.pem --insecure; appmgr commit
[INFO] [Thread-26]-[com.alu.ov.ngnms.snmp.util.V3SnmpFactory] Create new V3 Snmp instance for localhost/127.0.0.1
[INFO] [Thread-26]-[com.alu.ov.ngnms.snmp.connection.NodeSnmpManagedConnection] Send SNMP-SET with oid: 1.3.6.1.4.1.6486.801.1.2.1.94.1.1.1.1.0 = 1

When IoT is enabled, the IoT Profiler component sends the information received from the Data Processor to Fingerbank in order to receive the fingerprinting details.
api.fingerbank.org must be authorized by the on-premises Firewall/Proxy.
No input/action is required; OV automatically contacts Fingerbank.
With the cliadmin account -> Advanced mode you can check whether Fingerbank is answering:

[chrootadmin@ovlaunching ~]$ curl -v https://api.fingerbank.org
* About to connect() to api.fingerbank.org port 443 (#0)
*   Trying 35.196.72.95...
* Connected to api.fingerbank.org (35.196.72.95) port 443 (#0)

OV doesn’t use Device Profiling on AOS; OV uses Fingerbank only to profile the endpoints.
Therefore show device-profile summary won’t return valid output.

When an endpoint is profiled, a new entry appears in Network -> IoT -> Inventory.
The status of the endpoint can be Active, Offline or Error (incorrect PDUs were received from the device and OV cannot determine the endpoint status, or the 802.1x authentication failed).

How to configure IoT Enforcement
Step 1: use the built-in categories or create a custom category in the Network -> IoT -> Category page
Step 2: create the Access Role Profile in Unified Access -> Template -> Access Role Profile and apply it to the devices
Step 3: in Network -> IoT -> Enforcement:

  • if Automatic Enforcement is set to On, enforcement is enabled on all categories where an Access Role Profile is defined. To apply an enforcement, edit the Access Role Profile of the selected Category and click OK
  • if Automatic Enforcement is set to Off (Manual Enforcement), enforcement is disabled by default. First associate the Access Role Profile with the Category, then click on Enable Enforcement (it is important to follow this order)

How the profiling works:
The signature database is on Fingerbank only. Switches/APs send information about endpoints to OV. As the endpoint performs more operations (like website access), the switch/AP learns more fingerprints about the endpoint and keeps informing OV about the additional fingerprints received.
As OV receives the fingerprints of an endpoint, it queries Fingerbank to profile the device. The more comprehensive the fingerprint is, the more accurate the categorization will be.

Troubleshooting tip: a UI debug flag is available to display the DHCP fingerprint / DHCP Vendor ID and the user agents used.
Type this in the browser address bar and hit the enter key twice: https://<OV_IP_Address>/#/dashboard?debugMode=true (the URL needs to be loaded twice). Then navigate to IoT Inventory -> Profiling Data.
This displays the fingerprints received from the Switch/AP for the endpoint. These are the fingerprints sent to Fingerbank to query the Category, Manufacturer and Endpoint Name.

Troubleshooting logs on OV

Go to Administration -> Audit -> all current logs -> iot-inventory logs
New endpoint MQTT message:

Msg=Type--IoTEndpointNew { "type": "IoTEndpointNew", "deviceMac": "DC:08:xx:xx:31:50", "timeStamp": 1570195788000, "data": { "00:80:xx:xx:06:B0": { "ip": "192.168.104.52", "profData": { "opt55": "1,3,6,12,15,28,42,43,66,60,61", "opt60": "alcatel.noe.0", "userAgents": [ ], "hosts": [ ] }, "networkContext": { "port": "eth3", "vlan": 261, "portType": 2, "portDesc": "IPTouch_access" }, "agContext": { "authType": 0, "authStatus": 0, "connError": 0, "unpType": 1, "unp": "IPTouch", "policyList": "" } } } }

Request/answer OV – FingerBank:

request by IoTFingerBankData{macAddress='00:80:xx:xx:06:b0', deviceMac='dc:08:56:0a:31:50', opt55='1,3,6,12,15,28,42,43,66,60,61', opt60='alcatel.noe.0', userAgents=null, hosts=null}
result from fingerBank: IoTFingerBankResult{score=73, deviceHierarchy='VoIP Device/Alcatel IP Phone/Alcatel OmniTouch', version='', manufactureName='ALE International'}

Categorization:

send request to category rule engine [VoIP Device/Alcatel IP Phone/Alcatel OmniTouch]

MQTT message type:

  • IoTEndpointNew => new endpoint profiling
  • IoTEndpointUpdate => update of the fingerprinting data with user-agents (HTTPS exchanges) contents
  • IoTEndpointNewError => identifies the reason why the endpoint failed to connect to the network; reason codes:
      1: 802.1x authentication failure – invalid certificate
      2: 802.1x authentication failure – invalid credentials
      3: 802.1x authentication timeout
      4: MAC Authentication failure
      5: MAC Authentication timeout
      10: DHCP Timeout
      33: PSK authentication failure
  • IoTEndpointDelete => device disassociated / disconnected and put in offline status
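An added example (not OmniVista code) that ties the iot-inventory log entries above together: it parses the "Msg=Type--<type> {json}" line, derives the Fingerbank query in the shape of the IoTFingerBankData entry (lower-case MACs, empty user-agent and host lists turned into null), extracts the WHO/WHERE network context, and maps an IoTEndpointNewError reason code to its text. The sample line is constructed from the IoTEndpointNew message quoted above (masked MACs kept); the function names are assumptions:

```python
# Added example (not OmniVista code): parses the IoT MQTT messages listed above and
# derives the Fingerbank query and the IoTEndpointNewError reason text.
import json
import re
from typing import Dict, List

# reason codes carried by IoTEndpointNewError, as listed above
ENDPOINT_ERROR_REASONS: Dict[int, str] = {
    1: "802.1x authentication failure - invalid certificate",
    2: "802.1x authentication failure - invalid credentials",
    3: "802.1x authentication timeout",
    4: "MAC Authentication failure",
    5: "MAC Authentication timeout",
    10: "DHCP Timeout",
    33: "PSK authentication failure",
}

# constructed sample in the shape of the IoTEndpointNew log line shown above (masked MACs kept)
SAMPLE_LOG_LINE = (
    'Msg=Type--IoTEndpointNew { "type": "IoTEndpointNew", "deviceMac": "DC:08:xx:xx:31:50", '
    '"timeStamp": 1570195788000, "data": { "00:80:xx:xx:06:B0": { "ip": "192.168.104.52", '
    '"profData": { "opt55": "1,3,6,12,15,28,42,43,66,60,61", "opt60": "alcatel.noe.0", '
    '"userAgents": [ ], "hosts": [ ] }, "networkContext": { "port": "eth3", "vlan": 261, '
    '"portType": 2, "portDesc": "IPTouch_access" }, "agContext": { "authType": 0, '
    '"authStatus": 0, "connError": 0, "unpType": 1, "unp": "IPTouch", "policyList": "" } } } }'
)

_LOG_RE = re.compile(r"^Msg=Type--(\w+)\s+(\{.*\})\s*$")


def parse_iot_log_line(line: str) -> dict:
    """Split the 'Msg=Type--<type> {json}' log line and decode its JSON body."""
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an IoT MQTT log line")
    msg = json.loads(m.group(2))
    if msg.get("type") != m.group(1):
        raise ValueError("log prefix and message type disagree")
    return msg


def fingerbank_requests(msg: dict) -> List[dict]:
    """One Fingerbank query per endpoint, shaped like the IoTFingerBankData log entry
    (lower-case MACs; empty user-agent/host lists become None)."""
    if msg.get("type") not in ("IoTEndpointNew", "IoTEndpointUpdate"):
        return []   # error and delete messages carry nothing to profile
    out = []
    for mac, ep in msg.get("data", {}).items():
        prof = ep.get("profData", {})
        out.append({
            "macAddress": mac.lower(),
            "deviceMac": msg["deviceMac"].lower(),
            "opt55": prof.get("opt55"),
            "opt60": prof.get("opt60"),
            "userAgents": prof.get("userAgents") or None,
            "hosts": prof.get("hosts") or None,
        })
    return out


def network_context(msg: dict, mac: str) -> dict:
    """WHO/WHERE view: client MAC and IP plus the port/VLAN/UNP it is connected on."""
    ep = msg["data"][mac]
    return {"mac": mac, "ip": ep.get("ip"), **ep.get("networkContext", {}),
            "unp": ep.get("agContext", {}).get("unp")}


def error_reason(code: int) -> str:
    """Text for an IoTEndpointNewError reason code (unknown codes are reported as such)."""
    return ENDPOINT_ERROR_REASONS.get(code, f"unknown reason code {code}")
```

The parser checks that the "Type--" prefix and the "type" field agree, so a truncated or mismatched log entry is rejected instead of silently producing a wrong Fingerbank query.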

Troubleshooting logs on switch

OS6860 -> show device-profile catalog
Legend: * indicates 'Unknown/Un-cataloged' devices
Port/LAGG   Device Type                     Device Name                      Mac-Address         IP Address      State  TimeStamp Initial    TimeStamp Most-Recent
----------+-------------------------------+--------------------------------+-------------------+---------------+------+---------------------+----------------------
*1/1/5      -                               -                                00:80:9F:EA:7C:15   192.168.103.51   UP     2019-10-08 10:31:15   2019-10-10 15:48:23
*1/1/10     -                               -                                F8:CA:B8:18:E6:66   10.130.7.56      UP     2019-10-09 15:39:12   2019-10-10 14:52:52

OS6860 -> show device-profile catalog unknown
Port/LAGG   Mac-Address         DHCP VCI (Option 60)                          DHCP Option 55                                 Mac-Vendor
----------+-------------------+----------------------------------------------+----------------------------------------------+--------------------
1/1/5       00:80:9F:EA:7C:15  alcatel.noe.0                                   1,3,6,12,15,28,42,43,66,60,61                   ALE International
1/1/10      F8:CA:B8:18:E6:66  MSFT 5.0                                        1,15,3,6,44,46,47,31,33,121,249,43              Dell Inc.

Manufacturer information is obtained from the MAC OUI.
Check that the IoT Profiler is started and connected to OV:

OS6860 -> appmgr list
Legend: (+) indicates application is not saved across reboot
  Application    Status    Package Name        User/Group            Status Time Stamp
---------------+---------+-------------------+---------------------+---------------------
  iot-profiler  started   ams-apps            admin/user            Oct 10, 2019: 13:30:08

OS6860 -> su
Entering maintenance shell. Type 'exit' when you are done.
SHASTA #-> ams_debug
Broker 143.209.0.2:1883
 ID             : 1
 QoS            : 2
 Status         : connected
 Tx pkts        : 15
 Rx pkts        : 0
 Queued Tx pkts : 0/100

 Clients summary:
  Client 10:
   Tx pkts : 15
   Rx pkts : 0

If IoT profiling is enabled but the Status is not connected, check the logs with cat /flash/dpagent.log:

PM dpagent INFO: sqlite_database_init(1048): Open DB successfully
PM dpagent INFO: init_mqttAgent_connection(260): init_mqttAgent_connection
PM dpagent INFO: init_mqttAgent_connection(260): Connect to MQTT-AGENT success <socket.socket fd=9, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('127.10.1.65', 35233), raddr=('127.10.1.65', 41601)>

Check whether IoT enforcement has been applied (example of MAC Authentication done over UPAM with the initial ARP profile_step1 and OV Enforcement with the final ARP profile_step2):

6860-> show unp user details port 1/1/14
Port: 1/1/14
    MAC-Address: b0:a7:xx:xx:xx:d6
      SAP                             = -,
      Service ID                      = 0,
      VNID                            = 0 ( 0. 0. 0),
      VPNID                           = 0 ( 0. 0. 0),
      ISID                            = 0,
      Access Timestamp                = 05/05/2020 16:04:24,
      User Name                       = b0:a7:xx:xx:xx:d6,
      IP-Address                      = -,
      Vlan                            = 128,
      Authentication Type             = Mac,
      Authentication Status           = Authenticated,
      Authentication Failure Reason   = -,
      Authentication Retry Count      = 0,
      Authentication Server IP Used   = 192.168.1.52,
      Authentication Server Used      = UPAMRadiusServer,
      Server Reply-Message            = -,
      Profile                         = profile_step2,
      Profile Source                  = OV Enforced UNP,
      Profile From Auth Server        = profile_step1,

Logs to collect if OV Enforcement does not work:

show unp user
show unp user details
show mac-learning
swlog appid agcmm subapp all level debug1
swlog appid mqttd subapp all level debug3
show log swlog
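The three switch-side checks above (appmgr list, ams_debug, show unp user details) scripted as an added example; this is not AOS code. It parses the command outputs exactly as quoted earlier on this page (embedded here as constructed samples copied from those outputs) and returns one verdict: profiler started, broker connected, and whether the profile really comes from "OV Enforced UNP" rather than from the auth server. The function names are assumptions:

```python
# Added example (not AOS code): checks the switch command outputs quoted above and
# reports whether the profiler is started, the broker is connected and OV enforcement
# has actually replaced the auth-server profile.
import re
from typing import Dict

# constructed samples, copied from the command outputs shown above
APPMGR_LIST = """Legend: (+) indicates application is not saved across reboot
  Application    Status    Package Name        User/Group            Status Time Stamp
---------------+---------+-------------------+---------------------+---------------------
  iot-profiler  started   ams-apps            admin/user            Oct 10, 2019: 13:30:08
"""

AMS_DEBUG = """Broker 143.209.0.2:1883
 ID             : 1
 QoS            : 2
 Status         : connected
 Tx pkts        : 15
 Rx pkts        : 0
 Queued Tx pkts : 0/100

 Clients summary:
  Client 10:
   Tx pkts : 15
   Rx pkts : 0
"""

SHOW_UNP_USER = """Port: 1/1/14
    MAC-Address: b0:a7:xx:xx:xx:d6
      Authentication Type             = Mac,
      Authentication Status           = Authenticated,
      Authentication Server Used      = UPAMRadiusServer,
      Profile                         = profile_step2,
      Profile Source                  = OV Enforced UNP,
      Profile From Auth Server        = profile_step1,
"""


def profiler_started(appmgr_list: str) -> bool:
    """True when the iot-profiler row of 'appmgr list' shows the 'started' status."""
    for line in appmgr_list.splitlines():
        cols = line.split()
        if cols[:1] == ["iot-profiler"]:
            return len(cols) > 1 and cols[1] == "started"
    return False


def broker_info(ams_debug: str) -> Dict[str, str]:
    """Parse the broker section of ams_debug (everything before 'Clients summary')."""
    head = ams_debug.split("Clients summary")[0]
    info: Dict[str, str] = {}
    m = re.search(r"^Broker\s+(\S+)", head, re.M)
    if m:
        info["Broker"] = m.group(1)
    for key, val in re.findall(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$", head, re.M):
        info[key] = val
    return info


def unp_user_fields(show_unp: str) -> Dict[str, str]:
    """Parse the 'Key = value,' lines of 'show unp user details' into a dict."""
    fields: Dict[str, str] = {}
    for key, val in re.findall(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*=\s*(.*?),?\s*$", show_unp, re.M):
        fields[key] = val
    return fields


def diagnose(appmgr_list: str, ams_debug: str, show_unp: str) -> Dict[str, object]:
    """Combine the three checks into one verdict dictionary."""
    broker = broker_info(ams_debug)
    user = unp_user_fields(show_unp)
    return {
        "profiler_started": profiler_started(appmgr_list),
        "broker": broker.get("Broker"),
        "broker_connected": broker.get("Status") == "connected",
        "queued_tx": broker.get("Queued Tx pkts"),
        "enforcement_applied": user.get("Profile Source") == "OV Enforced UNP",
        "profile": user.get("Profile"),
        "profile_from_auth_server": user.get("Profile From Auth Server"),
    }
```

If broker_connected is False while profiler_started is True, the next place to look is /flash/dpagent.log as described above; if enforcement_applied is False although the category has an ARP, verify the ARP exists on the switch before collecting the swlog output.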

Troubleshooting logs on Stellar AP

Check if IoT Profiling is enabled:

cat /var/config/iot.conf
{
  "IoTService":{
    "iotStatus":"Enable"
  }
}

Check the fingerprints: cat /var/log/iot.log

DHCP Fingerprint: iot_netlink.c:154:Receive tid message:opt_55:1,3,6,15,26,28,51,58,59,43 opt_60:android-dhcp-9

Check OV Enforcement: tail -f /var/log/iot.log

iot_ins.c|709: Receive enforment message:{"timeStamp":2147483647,"endpoint":"34:42:xx:xx:xx:74","deviceCategory":"Corporate_Mobile","deviceName":"Apple OS","accessRoleProfile":"profile_2"}
iot_ins.c|555: iot_enforcement  enforceType = 0, iot_wammsg_send accessrole Proflie=profile_2 , mac=34:42:xx:xx:xx:74

sta_list command output:

STA_MAC                 IPv4            IPv6                    OnlineTime        RX       TX            FREQ    AUTH    Final_role                     VLANID  TUNNELID  FARENDIP  
34:42:xx:xx:xx:74  0.0.0.0                                        14              3112