This means that they exchange authentication/accounting messages between the APs, and those messages must contain information on user classification. Given that information, we should normally be able to redirect the accounting messages to another server and use them for user identification.
In fact, Aerohive sends a standard accounting packet that has two vendor-specific parameters. In Wireshark these parameters look like this:
AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)
VSA: l=6 t=Unknown-Attribute(1): 00000001
Unknown-Attribute: 00000001
and
AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)
VSA: l=6 t=Unknown-Attribute(6): 00000ffc
Unknown-Attribute: 00000ffc
One of these parameters, the second one, is of particular interest to us.
In hex it looks like this: 1a 0c 00006930 06 06 00000ffc
Where:
- 1a 0c => Vendor-Specific attribute (type 26, length 12)
- 00006930 => Vendor is Aerohive (26928)
- 06 06 => sub-type is Aerohive-User-Profile-Attribute (6), sub-attribute length 6
- 00000ffc => UPID value
A detailed Aerohive dictionary file that can be used in Wireshark looks like this:
# -*- text -*-
#
# The Aerohive Vendor-Specific dictionary.
#
#
VENDOR Aerohive 26928
BEGIN-VENDOR Aerohive
ATTRIBUTE Aerohive-User-Vlan 1 integer
ATTRIBUTE Aerohive-Libsip-Patron-Info 3 octets encrypt=2
ATTRIBUTE Aerohive-Libsip-Action 4 integer
ATTRIBUTE Aerohive-Libsip-Additional-Message 5 octets
ATTRIBUTE Aerohive-User-Profile-Attribute 6 integer
ATTRIBUTE Aerohive-PPSK-Request 201 octets
ATTRIBUTE Aerohive-PPSK-PMK 202 octets
ATTRIBUTE Aerohive-IDM-Message 203 integer
ATTRIBUTE Aerohive-NT-Identity 204 integer
#
# Integer Translations
#
# Aerohive-Libsip-Action Values
VALUE Aerohive-Libsip-Action Permit 0
VALUE Aerohive-Libsip-Action Restricted 1
VALUE Aerohive-Libsip-Action Deny 2
END-VENDOR Aerohive
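As an added example (not code from the original post), here is a small Python parser that walks a RADIUS attribute list and pulls out the Aerohive integer sub-attributes, using the sub-type numbers from the dictionary above. The function names and the User-Name attribute in the sample are constructed for illustration; the two Aerohive AVPs are rebuilt from the dissection and hex shown earlier.

```python
import struct

AEROHIVE_PEN = 26928  # 0x6930, from the VENDOR line of the dictionary
# Integer sub-attributes taken from the dictionary above
INT_ATTRS = {1: "Aerohive-User-Vlan", 6: "Aerohive-User-Profile-Attribute"}


def iter_tlv(buf):
    """Yield (type, value) for TLVs with 1-byte type and 1-byte length.
    The length byte counts the two header bytes, as in RADIUS attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated TLV header at offset %d" % pos)
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, pos))
        yield t, buf[pos + 2:pos + length]
        pos += length


def aerohive_vsas(attrs):
    """Return {name: int} for Aerohive integer VSAs in a RADIUS attribute list."""
    found = {}
    for t, value in iter_tlv(attrs):
        if t != 26 or len(value) < 4:  # 26 = Vendor-Specific
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != AEROHIVE_PEN:
            continue
        # After the 4-byte vendor id, the payload is a list of sub-TLVs
        for sub_t, sub_v in iter_tlv(value[4:]):
            if sub_t in INT_ATTRS and len(sub_v) == 4:
                found[INT_ATTRS[sub_t]] = struct.unpack("!I", sub_v)[0]
    return found


# Constructed sample: a made-up User-Name followed by the two AVPs from the capture
SAMPLE = bytes.fromhex(
    "01 07 61 6c 69 63 65 "           # User-Name = "alice" (constructed)
    "1a 0c 00006930 01 06 00000001 "  # sub-type 1
    "1a 0c 00006930 06 06 00000ffc "  # sub-type 6, the UPID
)

if __name__ == "__main__":
    print(aerohive_vsas(SAMPLE))
```

The parser rejects attributes whose length byte is smaller than the header or runs past the end of the buffer, which matters when the accounting stream is relayed from devices you do not control.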