
Terminal Identification

Posted on Apr 11, 2024 by

What Is Terminal Identification?

Terminal identification is a fine-grained management technique used in campus network access. It extracts terminal attributes from digest fields of specific protocol packets and analyzes them to determine details such as the terminal type and operating system. Using these characteristics, the campus network management system can build a digital profile of each terminal and enforce security access controls on campus terminals. Terminal identification methods comprise passive fingerprint collection and proactive scanning.

Why Do We Need Terminal Identification?

With the proliferation and integration of ICT technologies like WLAN and IoT, enterprise network sizes are rapidly expanding, leading to a rise in the diversity and complexity of access terminal types. Within campus networks, access terminals encompass both smart devices (e.g., PCs and mobile phones) and non-smart devices (e.g., IP phones, printers, and IP cameras). Presently, terminal management in campus networks encounters the following challenges:

  1. Network management systems (NMSs) can display only the IP and MAC addresses of access terminals and cannot identify terminal types. As a result, the NMS cannot offer finer-grained visual management of network terminals.

  2. Different terminal types need different service configurations and policies once they access the network. Administrators must therefore manually configure services and policies for each terminal type, which complicates service deployment and O&M.

To address these issues, the terminal identification feature is introduced, offering diverse methods for terminal recognition. Within the Network Management System (NMS), users can access comprehensive details regarding terminals across the entire campus network, including their types and operating systems. With this information, precise management of terminals is achievable, such as implementing access authorization based on terminal types. For non-smart terminals like IP phones, printers, and IP cameras, which typically rely on MAC address authentication, automatic access can be granted based on terminal identification results, thereby reducing the administrative configuration burden.

What Are the Terminal Identification Methods?

Terminal identification methods include passive fingerprint collection and proactive scanning.

Passive Fingerprint Collection

Network devices capture the fingerprint of terminal packets and transmit it to the NMS, which subsequently compares it with the predefined fingerprint database to ascertain terminal types. In this process, terminals can be identified through various methods, including MAC Organizational Unique Identifier (OUI), HTTP User-Agent, DHCP Option, LLDP, and multicast DNS (mDNS).

Through MAC OUI

The MAC OUI, the leftmost three bytes of a MAC address, identifies the organization that registered that address block. OUIs are assigned to organizations by the Institute of Electrical and Electronics Engineers (IEEE).

However, terminal identification based on MAC OUIs is prone to inaccuracy. The OUI is associated with the Network Interface Card (NIC) vendor. Because many terminals use a NIC chip supplied by a different vendor, the vendor derived from the MAC OUI does not necessarily match the terminal's vendor. In terminal identification, MAC OUI-based methods are therefore treated as a last resort or are complemented with other techniques.

Through HTTP User-Agent

Terminals can be identified based on the User-Agent field within HTTP packets, as the content of the User-Agent field varies depending on the terminal type. This approach is particularly effective for identifying PCs and mobile terminals, as the User-Agent field in HTTP packets transmitted by these terminals during website access via a browser typically contains comprehensive terminal details, including terminal type, operating system, vendor, and browser type.

There are two methods available for obtaining User-Agent information:

  • Extracting the information from the Portal server: During Portal authentication, the Portal server retrieves the User-Agent information.

  • Reporting the information from the device: During Portal authentication, the device sends the information to the NMS.
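As an added example (not FS's code) of the User-Agent method, the block below extracts the User-Agent header from a raw HTTP request head and classifies it with an ordered rule list. The ordering handles the usual pitfall: an Android User-Agent also contains "Linux", and iPhone and iPad strings contain "Mac OS X", so the most specific tokens must be tested first. The rule table, the request and the User-Agent strings are constructed for the example.

```python
"""Added example (not FS's own code): classify a terminal from the HTTP
User-Agent header. Rules run from most to least specific, because an
Android UA also contains "Linux" and iPad/iPhone UAs contain "Mac OS X"."""
import re

# Constructed rule list: (pattern, terminal type, operating system).
UA_RULES = [
    (re.compile(r"\biPad\b"), "Tablet", "iPadOS/iOS"),
    (re.compile(r"\biPhone\b"), "Mobile", "iOS"),
    (re.compile(r"\bAndroid\b.*\bMobile\b"), "Mobile", "Android"),
    (re.compile(r"\bAndroid\b"), "Tablet", "Android"),
    (re.compile(r"\bWindows NT\b"), "PC", "Windows"),
    (re.compile(r"\bMacintosh\b"), "PC", "macOS"),
    (re.compile(r"\bLinux\b"), "PC", "Linux"),
]
UNKNOWN = {"type": "Unknown", "os": "Unknown"}


def classify_user_agent(ua: str) -> dict:
    """Return the first matching rule, so specific tokens beat generic ones."""
    for pattern, terminal_type, os_name in UA_RULES:
        if pattern.search(ua):
            return {"type": terminal_type, "os": os_name}
    return dict(UNKNOWN)


def classify_http_request(raw: bytes) -> dict:
    """Extract User-Agent from a raw HTTP request head and classify it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return classify_user_agent(value.strip())
    return dict(UNKNOWN)


# Constructed request, as a phone's browser might send it to a portal page.
SAMPLE_REQUEST = (
    b"GET /portal/login HTTP/1.1\r\n"
    b"Host: portal.example.net\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36\r\n"
    b"Accept: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_http_request(SAMPLE_REQUEST))
```

Because the User-Agent is client-supplied text, a result from this method should be corroborated by a fingerprint the client does not set freely (DHCP options, LLDP) before it drives an authorization policy.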

Through DHCP Option

Terminal types can be determined by examining options carried in DHCP messages, such as:

  • Option 55 (parameter request list)

  • Option 60 (vendor class identifier)

  • Option 12 (host name)

Compared to alternative methods, terminal identification via DHCP options is more precise and particularly suitable for identifying terminals that dynamically acquire IP addresses.
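The following is an added example, not FS's own code, that ties the MAC OUI and DHCP option sections together: it walks the option area of a raw DHCP message, pulls out options 12, 55 and 60, and combines them with the OUI, using the OUI only when no DHCP evidence matched. The OUI table, the fingerprint database and the DHCPDISCOVER message are constructed for the example; "MSFT 5.0" is the vendor class identifier Windows clients send, the rest are placeholders. It also handles the locally-administered bit that randomized MAC addresses set, which makes an OUI lookup meaningless.

```python
"""Added example (not FS's own code): extract DHCP options 12, 55 and 60
from a DHCP message and combine them with the MAC OUI to identify a
terminal, treating the OUI as the lowest-confidence evidence."""

DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236  # op..file fields precede the magic cookie

# Constructed OUI table. Real lookups use the IEEE registry; this entry is
# a hypothetical NIC-chip vendor, not a real assignment.
OUI_TABLE = {"00:1a:2b": "ExampleNIC Corp"}

# Constructed fingerprint database. Keys are option 60 strings or option 55
# parameter lists; values are (terminal type, operating system).
VENDOR_CLASS_DB = {
    "MSFT 5.0": ("PC", "Windows"),
    "udhcp 1.36.1": ("IoT", "Embedded Linux"),
}
PARAM_LIST_DB = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("PC", "Windows"),
    (1, 121, 3, 6, 15, 119, 252): ("Mobile", "iOS/macOS"),
}


def parse_dhcp(message: bytes) -> tuple:
    """Return (chaddr, {option_code: value}) for a raw DHCP message.

    Walks the option area as TLVs, skips PAD (0), stops at END (255) and
    rejects truncated options rather than reading past the buffer.
    """
    if len(message) < FIXED_HEADER_LEN + 4:
        raise ValueError("message shorter than DHCP header")
    hlen = message[2]
    if hlen > 16:
        raise ValueError("invalid hlen")
    chaddr = message[28:28 + hlen]
    if message[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(message):
        code = message[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value  # first occurrence wins; no long-option concatenation
        i += 2 + length
    return chaddr, options


def identify(chaddr: bytes, options: dict) -> dict:
    """Combine DHCP fingerprints with the OUI, preferring DHCP evidence."""
    result = {"type": "Unknown", "os": "Unknown", "hostname": None,
              "nic_vendor": None, "evidence": []}
    if 12 in options:
        result["hostname"] = options[12].decode("ascii", "replace")
    vendor_class = options.get(60, b"").decode("ascii", "replace")
    if vendor_class in VENDOR_CLASS_DB:
        result["type"], result["os"] = VENDOR_CLASS_DB[vendor_class]
        result["evidence"].append("option60")
    elif 55 in options and tuple(options[55]) in PARAM_LIST_DB:
        result["type"], result["os"] = PARAM_LIST_DB[tuple(options[55])]
        result["evidence"].append("option55")
    # A set locally-administered bit (0x02 in the first octet) means the
    # address is randomized or admin-assigned, so the OUI names no vendor.
    if len(chaddr) >= 3 and not chaddr[0] & 0x02:
        oui = ":".join("%02x" % b for b in chaddr[:3])
        result["nic_vendor"] = OUI_TABLE.get(oui, "unregistered")
        if not result["evidence"]:
            result["evidence"].append("oui")  # last resort only
    return result


def build_sample_discover(chaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a hypothetical Windows PC would send it."""
    header = bytearray(FIXED_HEADER_LEN)
    header[0], header[1], header[2] = 1, 1, len(chaddr)  # BOOTREQUEST, Ethernet
    header[28:28 + len(chaddr)] = chaddr
    params = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    options = (DHCP_MAGIC
               + bytes([53, 1, 1])                  # DHCPDISCOVER
               + bytes([12, 5]) + b"LAB01"          # host name
               + bytes([60, 8]) + b"MSFT 5.0"       # vendor class identifier
               + bytes([55, len(params)]) + params  # parameter request list
               + b"\x00\xff")                       # PAD, END
    return bytes(header) + options


if __name__ == "__main__":
    mac = bytes.fromhex("001a2b445566")
    print(identify(*parse_dhcp(build_sample_discover(mac))))
```

The ordering in identify is the point: option 60 beats option 55, both beat the OUI, and a randomized MAC contributes nothing, so an NMS built this way records why it reached a verdict and not only what the verdict was.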

Through LLDP

The Link Layer Discovery Protocol (LLDP) establishes a standardized approach for Ethernet network devices, such as switches, routers, and WLAN access points (APs), to announce their presence to neighboring devices and retain discovery details about these neighboring devices. This protocol can transmit comprehensive device information, encompassing device configurations and identification.

By leveraging LLDP or Cisco Discovery Protocol (CDP), device information like the device's operating system, software version, and description can be obtained, enabling the identification of terminal types based on this collected information.

Through mDNS

mDNS facilitates LAN hosts to discover and communicate with each other independently of a conventional DNS server.

mDNS operates on UDP port 5353. When an mDNS-enabled host joins a LAN, it multicasts a message containing its name and IP address to all other hosts on the LAN, and other mDNS-enabled hosts respond with their own names and IP addresses.

Presently, numerous terminals and Linux devices support the mDNS service, allowing for their identification using this protocol. The identification process involves network devices capturing the service type attributes of mDNS packets and relaying them to the campus NMS, which then performs terminal type identification based on these attributes.
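The block below is an added example, not FS's code, of the mDNS step described above: it parses an mDNS response in DNS wire format, follows the name-compression pointers that mDNS responders use heavily, collects the PTR records that advertise service types, and maps those types to a terminal type. The service database and the response packet (a hypothetical printer that also advertises AirPlay) are constructed for the example, and the pointer handler caps its hops so a malformed packet cannot loop the parser.

```python
"""Added example (not FS's own code): parse an mDNS response (DNS wire
format on UDP 5353) and map the advertised service types to a terminal
type. Handles DNS name compression pointers with a hop limit."""
import struct

ENUMERATION_NAME = "_services._dns-sd._udp.local"
TYPE_PTR = 12

# Constructed service-type database; a real NMS carries a much larger one.
SERVICE_DB = {
    "_ipp._tcp": "Printer",
    "_printer._tcp": "Printer",
    "_airplay._tcp": "Apple media device",
    "_hap._tcp": "HomeKit accessory",
}


def read_name(packet: bytes, offset: int) -> tuple:
    """Decode a DNS name at offset; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                 # name ends after first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_ptr_records(packet: bytes) -> list:
    """Return (owner, target) for every PTR record in an mDNS response."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                          # skip the question section
        _, offset = read_name(packet, offset)
        offset += 4                              # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(packet, offset)
        if offset + 10 > len(packet):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(packet):
            raise ValueError("truncated rdata")
        if rtype == TYPE_PTR:
            target, _ = read_name(packet, offset)
            records.append((owner, target))
        offset += rdlen
    return records


def identify_from_mdns(packet: bytes) -> set:
    """Map advertised service types to terminal types."""
    types = set()
    for owner, target in parse_ptr_records(packet):
        # "_services._dns-sd._udp.local PTR _ipp._tcp.local" enumerates a
        # service type; "_ipp._tcp.local PTR Lab._ipp._tcp.local" names an
        # instance of one. Either way, one side is the service type.
        service = target if owner == ENUMERATION_NAME else owner
        if service.endswith(".local"):
            service = service[:-len(".local")]
        if service in SERVICE_DB:
            types.add(SERVICE_DB[service])
    return types


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_sample_response() -> bytes:
    """Constructed response from a hypothetical printer that also speaks AirPlay."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)   # QR+AA, two answers
    rr1_rdata = encode_name("_ipp._tcp.local")
    rr1 = (encode_name(ENUMERATION_NAME)
           + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rr1_rdata)) + rr1_rdata)
    rr2_rdata = encode_name("_airplay._tcp.local")
    rr2 = (b"\xc0\x0c"                           # pointer to the owner name at offset 12
           + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rr2_rdata)) + rr2_rdata)
    return header + rr1 + rr2


if __name__ == "__main__":
    print(identify_from_mdns(build_sample_response()))
```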

Proactive Scanning

The campus NMS employs proactive detection or scanning of terminals and identifies terminal types using feedback information from the terminals. Terminals can be identified in this scenario through SNMP queries or network mapping tools like Nmap.

Through SNMP Query

The campus NMS proactively retrieves MIB information from terminals and identifies them based on the data obtained through SNMP MIB objects. Commonly used MIB objects for terminal identification include sysDescr and hrDeviceDescr.

  • sysDescr: Provides fundamental system details.

  • hrDeviceDescr: Offers terminal description, encompassing the manufacturer, model, and optionally, the serial number.

Through Nmap

Nmap, an open-source network exploration and security auditing tool, is primarily utilized for tasks such as host discovery, port scanning, service version identification, and operating system detection.

Nmap's operating system detection identifies the operating system and device type of target hosts by analyzing the TCP/IP protocol stack fingerprint. Because the RFCs leave many details of a TCP/IP implementation unspecified, implementations differ from one operating system to another, and Nmap identifies the operating system primarily from these differences. Proactive scanning works as follows:

  • Nmap utilizes a fingerprint database containing the characteristics of over 5600 known systems as a reference for comparing fingerprints.

  • Nmap selects one open and one closed port, sends carefully crafted TCP, UDP, and ICMP probes to them, and builds a system fingerprint from the responses received.

Nmap compares the generated fingerprint with those stored in its database to determine the corresponding operating system and device type.

Nmap offers terminal identification through proactive scanning. This method does not necessitate support from networking infrastructure or devices but may result in slower identification speeds.
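For the NMS side of proactive scanning, the following added example (not FS's code, and not part of Nmap) reads the XML report that `nmap -O -oX` writes, picks the highest-accuracy `osmatch` per host, records which open and closed ports the fingerprint was built from, and marks matches below a chosen accuracy threshold as tentative so a guess is not stored as a fact. The XML sample is constructed in Nmap's output schema using the 192.0.2.0/24 documentation range and a made-up MAC; the OS names and the threshold value are assumptions.

```python
"""Added example (not FS's own code): read Nmap's XML output (nmap -O -oX)
and summarize OS detection per host, flagging low-accuracy matches."""
import xml.etree.ElementTree as ET

MIN_ACCURACY = 90  # assumed threshold: below it, report the match as tentative

# Constructed sample in Nmap's XML schema; addresses use the 192.0.2.0/24
# documentation range and the MAC address is made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:1A:2B:44:55:66" addrtype="mac"/>
    <os>
      <portused state="open" proto="tcp" portid="22"/>
      <portused state="closed" proto="tcp" portid="1"/>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95" line="1">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"/>
      </osmatch>
      <osmatch name="Linux 3.2 - 4.9" accuracy="91" line="2">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="91"/>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="80"/>
      <osmatch name="Embedded printer" accuracy="85" line="3">
        <osclass type="printer" vendor="Generic" osfamily="embedded" accuracy="85"/>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def summarize_os_detection(xml_text: str) -> list:
    """Return one dict per host: addresses, best match, device type, confidence."""
    root = ET.fromstring(xml_text)  # Nmap output written by the NMS's own scan
    hosts = []
    for host in root.findall("host"):
        entry = {"ip": None, "mac": None, "os": "Unknown", "device_type": "Unknown",
                 "accuracy": 0, "confidence": "none", "ports_used": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
        os_node = host.find("os")
        if os_node is None:                      # no fingerprint for this host
            hosts.append(entry)
            continue
        entry["ports_used"] = [
            (p.get("proto"), int(p.get("portid")), p.get("state"))
            for p in os_node.findall("portused")
        ]
        # Nmap lists matches best-first, but select by accuracy explicitly.
        best = max(os_node.findall("osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            entry["os"] = best.get("name")
            entry["accuracy"] = int(best.get("accuracy", "0"))
            osclass = best.find("osclass")
            if osclass is not None:
                entry["device_type"] = osclass.get("type", "Unknown")
            entry["confidence"] = ("high" if entry["accuracy"] >= MIN_ACCURACY
                                   else "tentative")
        hosts.append(entry)
    return hosts


if __name__ == "__main__":
    for h in summarize_os_detection(SAMPLE_XML):
        print(h)
```

A host that answers on no closed port gives Nmap a weaker fingerprint, which is why the ports used are kept alongside the verdict: an operator reviewing a tentative match can see how much the scan had to work with.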

The Practical Applications of Terminal Identification

Terminal Visualization

In network terminal management and operations and maintenance (O&M), administrators can utilize the campus NMS to visualize terminal types and operating systems across the entire network. This includes the identification of dumb terminals like printers, IP cameras, and access control systems, enabling refined management practices. Through the campus NMS, administrators can gather statistics based on terminal types and analyze and manage traffic data effectively.

Differentiated Terminal Policies

In certain scenarios, administrators require distinct policies for different types of terminals. For instance, mobile phones may be limited to internet access only, while PCs may be allowed to access both the intranet and the internet.

Administrators can activate terminal identification on the RADIUS server, which supports terminal recognition, and define authorization policies according to terminal types. Upon network access, the RADIUS server automatically identifies the terminal type and assigns an appropriate authorization policy accordingly. This facilitates the implementation of varied terminal policies based on terminal types.

Terminal Plug-and-Play

Within a campus network, access terminals encompass both smart devices (e.g., PCs and mobile phones) and dumb devices (e.g., IP phones, printers, and IP cameras). Varied terminal types necessitate diverse network service configurations and policies. Manual collection of MAC addresses for dumb terminals and configuration of services such as VLANs for each terminal type by administrators can complicate service deployment.

By activating terminal identification on the RADIUS server, which supports terminal recognition, administrators can define access and authorization policies based on terminal types. Upon a terminal's online connection, the RADIUS server automatically discerns the terminal type and assigns the corresponding automatic access and authorization policies, facilitating seamless plug-and-play functionality for terminals.
