I was recently at a customer site upgrading an Aruba controller and doing some basic WLAN "best-practices". During this I was asked by the customer if there was a way to keep mobile devices off the corporate network. Without something like Aruba's ClearPass it's not easy to identify and restrict these devices.
My initial thought was that with their current solution (Microsoft NPS) they couldn't easily keep 802.1X-capable devices from connecting to the corporate WLAN if they had valid AD credentials. Then as I was working it occurred to me that Aruba mobility controllers use DHCP fingerprinting to profile devices. I could leverage that ability to help keep mobile devices off the corp WLAN. It's not 100% accurate (and should not be considered a complete security solution), and I let the customer know this, but it identifies iOS and Android devices pretty well.
Essentially, a DHCP fingerprint is an "almost" unique identifier for an OS or device type. The DHCP protocol (RFC 2132) allows information other than IP requests and acknowledgments to be sent. These DHCP "options" include vendor-specific information, which makes it possible to identify devices and even OSes by their unique signature. Because ArubaOS supports this, we can create roles for these devices and OSes and so provide some level of management over them.
For example, we can create a rule that says if a device is an iPhone it will be placed in the "Mobile_Device" role. This role can then be restricted to Internet only with no access to internal resources, placed in another VLAN, or just sandboxed altogether. Not the best overall solution, but it works well enough.
Step one is to identify the DHCP fingerprint for that specific device. There are several ways to do this, and a simple Google search will give you plenty of options. You can also search for the specific fingerprint, and hopefully someone will have posted it. In this post we'll just focus on using ArubaOS to find the fingerprint. Here is a list I've compiled so far from various blog posts and from the Aruba Airheads community.
Android 2.X 3c6468637063642034
Android 2.2 3701792103061c333a3b
Android 2.3.X 0c616E64726F69645F
Android 4.0.X 37012103060f1c333a3b
Android 4.0.X(2) 37012103061c333a3b
Blackberry 2 3C426C61636B4265727279
iOS Device 370103060F77FC
OS X 10.6 370103060f775ffc2c2e2f
OS X 10.7 370103060f775ffc2c2e
Win Mobile 3c4d6963726f736f66742057696e646f77732043450
Win Mobile6 370103060f2c2e2f
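
The fingerprints in this list can be read by hand: the first byte is the DHCP option number (0x37 = 55, 0x3c = 60, 0x0c = 12) and the rest is that option's data. The Python below is an added example, not code from the original post or from Aruba; the function names and the "byte 0 is the option code" layout are assumptions of this example, and the sample strings are copied from the list above.

```python
# Added example (not from the original post): decode fingerprint strings
# of the kind listed above. Assumption: byte 0 is the DHCP option code and
# the remaining bytes are that option's data.
OPTION_NAMES = {  # option numbers per RFC 2132
    12: "Host Name",
    55: "Parameter Request List",
    60: "Vendor Class Identifier",
}

def decode_fingerprint(hex_str):
    """Return (option_code, option_name, value) for one fingerprint string."""
    hex_str = hex_str.strip()
    if len(hex_str) % 2:
        # A dangling nibble means the string was truncated or mistyped.
        raise ValueError("odd number of hex digits: %r" % hex_str)
    raw = bytes.fromhex(hex_str)  # accepts upper- and lower-case hex
    if len(raw) < 2:
        raise ValueError("need an option code and at least one data byte")
    code, data = raw[0], raw[1:]
    name = OPTION_NAMES.get(code, "Option %d" % code)
    if code == 55:
        value = list(data)  # requested option numbers; the order is the signature
    else:
        value = data.decode("ascii", errors="replace")  # text options
    return code, name, value

def describe(label, hex_str):
    """One readable line per entry; malformed entries are flagged, not guessed."""
    try:
        code, name, value = decode_fingerprint(hex_str)
    except ValueError as exc:
        return "%-14s MALFORMED: %s" % (label, exc)
    return "%-14s option %d (%s): %r" % (label, code, name, value)

# Entries copied from the list in the post.
SAMPLES = [
    ("Android 2.X", "3c6468637063642034"),
    ("Android 2.3.X", "0c616E64726F69645F"),
    ("Blackberry 2", "3C426C61636B4265727279"),
    ("iOS Device", "370103060F77FC"),
    ("OS X 10.7", "370103060f775ffc2c2e"),
    ("Win Mobile", "3c4d6963726f736f66742057696e646f77732043450"),
]

if __name__ == "__main__":
    for label, fp in SAMPLES:
        print(describe(label, fp))
```

Decoding shows why the match is only "almost" unique: the option 60 and option 12 entries are plain client-supplied strings, and the option 55 entries are nothing more than the order in which the client asks for options.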