Locating Users on a Network
Locating users on a network with PlaceOS
Using existing infrastructure, there is typically enough data available to accurately locate staff. Wireless networks provide a rough indication of location. Cabled infrastructure accurately shows who is sitting at individual desk locations.
You can also augment this with sensors as required. Sensors show desk usage and will need to fall back to Wi-Fi for staff location.
- 1.Lookup the username or email address of the person in question (staff search)
- 2.Grab the device mappings for that user (as per the diagram above)
- 3.Check if any of those devices are plugged in to a switch port (or have a desk reserved)
- 4.If not, fall back to wireless lookup of username, email or wireless MAC address
- Switch IP addresses
- SNMP or SSH service enabled on the switch (SSH preferred as it's easier to troubleshoot and secure)
- A list of switch ports to desk mappings
- A method for pairing staff to their devices
Most switches expose a SNMP service for locating details of port usage and the devices connected to each port. This is an industry standard common to most network hardware manufacturers. CISCO switches support SSH and PlaceOS supports SSHv2 for secure data transfer.
Desk locating relies on device MAC addresses to identify staff as they move around a building. Docking stations often sit between the laptop and the switch. We need to ensure that the MAC address exposed by the docking station is unique to each staff member.
All commercial docking solutions offer a method for passing on a unique MAC, or do this by default. Two of the more common docking solutions are HP (BIOS or EFI configuration) and Displaylink USB docks (Dell, Lenovo, Fujitsu, Targus, Kensington, HP and Toshiba among others).
Display Link provides a PowerShell script to automate the configuration which can be deployed via SCCM.
We automate the mapping of laptops and phones to staff.
This is a two step process.
- 1.Firstly we need to discover the IP addresses of the devices in use by a user
- 2.Once we have the IP address we need to find the associated MAC addresses
This maintains a mapping of MAC addresses to user accounts which can be used in conjunction with port usage to determine the location of users.
User Account To IP Address Mapping
There are multiple ways to obtain this information and these can be used simultaneously.
- Users connecting to the staff application
- Users logging on to their machines triggering an event on the Windows domain controller
- Users connecting to a file share or print server
- Custom tray application locating the logged in user, any IP address changes and associated MAC addresses
Windows Domain Controller
The Windows domain controller is used to authenticate users as they log onto a device. This would typically be a laptop, desktop computer or thin client.
By auditing credential validation events it's possible to query these logs to inform PlaceOS of the user account and the corresponding IP address associated with the event.
File Share Or Print Server
Similar to the Windows domain controller method, audit logging can be enabled for file share access events.
At this point we have a user account and an IP address. We need to lookup the MAC address associated with the IP address so we can associate the user to the MAC address / device.
- PlaceOS will communicate with the switches over UDP port 161 or TCP port 22
- The switches may communicate to PlaceOS over UDP port 162 (Not required for SSH connections)
Switch DHCP Snooping Table
We query DHCP snooping tables on level 2 switches as they maintain a list of DHCP allocated IP addresses and the MAC addresses of assigned devices.
If DHCP snooping is undesirable, DHCP Gleaning can be used instead.
This covers the basics of user discovery using a domain controller. A third-party machine can be configured to query server logs remotely - see the detailed scripts for how this is achieved
It's possible to use additional events and modify scripts as required for security compliance.
There are many methods for locating users on the wireless network and PlaceOS has integrations for various systems.
Depending on the wireless solution in place and it’s level of integration we may still need server notification scripts even in a wireless only environment.
- CISCO CMX for instance can provide usernames when users are connected to the wireless, if configured to do so.
- Microsoft FindMe will always provide a username
- Huawei provides raw RSSI values, IP and MAC addresses. PlaceOS manages floor fingerprinting and estimating location based on these values
For monitoring desktop computer usage, such as locating a computer in a call center, you need to capture log-off events. You can only get these from the machine itself.
This is a simplified overview of data extraction from auditing events
This script can be modified to filter notifications for a subset of users, such as those in a specific domain or IP range.
Filename:
user_ip.ps1param (
[Parameter(Mandatory=$true)][string]$ip,
[Parameter(Mandatory=$true)][string]$username,
[Parameter(Mandatory=$true)][string]$domain
)
$postParams = ConvertTo-Json @{module="LocateUser";method="lookup";args=@(,@($ip,$username,$domain))}
Invoke-WebRequest -Uri http://yourcompany.com/control/api/webhooks/trig-O6AXyP7jb5/notify?secret=f371579324eb56659b2f0b2c6f43d617 -Method POST -Body $postParams -ContentType "application/json"
- 1.Create a basic task that runs an application (click through next in the wizard)
- Program / Script:
PowerShell - Arguments:
-ExecutionPolicy Bypass -windowstyle hidden c:\aca-apps\user_ip.ps1 -ip $(ip) -username $(username) -domain $(domain)
- 2.Open Task Scheduler -> Event Viewer Tasks -> (task name)
- 3.Export the task
- 4.
- 5.Delete the task
- 6.Import the edited task
<Triggers>
<EventTrigger>
<!-- Add this section: -->
<ValueQueries>
<Value name="ip">Event/EventData/Data[@Name='IpAddress']</Value>
<Value name="username">Event/EventData/Data[@Name='TargetUserName']</Value>
<Value name="domain">Event/EventData/Data[@Name='TargetDomainName']</Value>
</ValueQueries>
<!-- ================= -->
<Subscription><!-- Filter on logon types --></Subscription>
</EventTrigger>
</Triggers>
Last modified 1yr ago