Locating Users on a Network

Using existing infrastructure, there is typically enough data available to accurately locate staff. Wireless networks provide a rough indication of location. Cabled infrastructure accurately shows who is sitting at individual desk locations.

You can also augment this with sensors as required. Sensors show desk usage and will need to fall back to Wi-Fi for staff location.

The Lookup Process:

1. Lookup the username or email address of the person in question (staff search)

2. Grab the device mappings for that user (as per the diagram above)

3. Check if any of those devices are plugged in to a switch port (or have a desk reserved)

4. If not, fall back to wireless lookup of username, email or wireless MAC address

Desk Locating Requirements

• Switch IP addresses

• SNMP or SSH service enabled on the switch (SSH preferred as it's easier to troubleshoot and secure)

• A list of switch ports to desk mappings

• A method for pairing staff to their devices

Most switches expose a SNMP service for locating details of port usage and the devices connected to each port. This is an common to most network hardware manufacturers. CISCO switches support SSH and PlaceOS supports for secure data transfer.

Laptop Docking Stations

Desk locating relies on device MAC addresses to identify staff as they move around a building. Docking stations often sit between the laptop and the switch. We need to ensure that the MAC address exposed by the docking station is unique to each staff member.

User Device Discovery

We automate the mapping of laptops and phones to staff.

This is a two step process.

1. Firstly we need to discover the IP addresses of the devices in use by a user

2. Once we have the IP address we need to find the associated MAC addresses

This maintains a mapping of MAC addresses to user accounts which can be used in conjunction with port usage to determine the location of users.

User Account To IP Address Mapping

There are multiple ways to obtain this information and these can be used simultaneously.

• Users connecting to the staff application

• Users logging on to their machines triggering an event on the Windows domain controller

• Users connecting to a file share or print server

• Custom tray application locating the logged in user, any IP address changes and associated MAC addresses

Windows Domain Controller

The Windows domain controller is used to authenticate users as they log onto a device. This would typically be a laptop, desktop computer or thin client.

File Share Or Print Server

Similar to the Windows domain controller method, audit logging can be enabled for file share access events.

IP Address To Mac Address Resolution

At this point we have a user account and an IP address. We need to lookup the MAC address associated with the IP address so we can associate the user to the MAC address / device.

• PlaceOS will communicate with the switches over UDP port 161 or TCP port 22

• The switches may communicate to PlaceOS over UDP port 162 (Not required for SSH connections)

Switch DHCP Snooping Table

We query DHCP snooping tables on level 2 switches as they maintain a list of DHCP allocated IP addresses and the MAC addresses of assigned devices.

If DHCP snooping is undesirable, DHCP Gleaning can be used instead.

Example PowerShell Scripts

It's possible to use additional events and modify scripts as required for security compliance.

Wireless Location

There are many methods for locating users on the wireless network and PlaceOS has integrations for various systems.

Depending on the wireless solution in place and it’s level of integration we may still need server notification scripts even in a wireless only environment.

• CISCO CMX for instance can provide usernames when users are connected to the wireless, if configured to do so.

• Microsoft FindMe will always provide a username

• Huawei provides raw RSSI values, IP and MAC addresses. PlaceOS manages floor fingerprinting and estimating location based on these values

Shared Desktop Configuration

For monitoring desktop computer usage, such as locating a computer in a call center, you need to capture log-off events. You can only get these from the machine itself.

Enable Auditing In

User Notification Script

Filename: user_ip.ps1

param (
    [Parameter(Mandatory=$true)][string]$ip,
    [Parameter(Mandatory=$true)][string]$username,
    [Parameter(Mandatory=$true)][string]$domain
)
$postParams = ConvertTo-Json @{module="LocateUser";method="lookup";args=@(,@($ip,$username,$domain))}
Invoke-WebRequest -Uri http://yourcompany.com/control/api/webhooks/trig-O6AXyP7jb5/notify?secret=f371579324eb56659b2f0b2c6f43d617 -Method POST -Body $postParams -ContentType "application/json"

Create An Action For The Event

1. Create a basic task that runs an application (click through next in the wizard)

   • Program / Script: PowerShell

   • Arguments: -ExecutionPolicy Bypass -windowstyle hidden c:\aca-apps\user_ip.ps1 -ip $(ip) -username $(username) -domain $(domain)

2. Open Task Scheduler -> Event Viewer Tasks -> (task name)

3. Export the task

5. Delete the task

6. Import the edited task

<Triggers>
  <EventTrigger>

    <!-- Add this section: -->
    <ValueQueries>
      <Value name="ip">Event/EventData/Data[@Name='IpAddress']</Value>
      <Value name="username">Event/EventData/Data[@Name='TargetUserName']</Value>
      <Value name="domain">Event/EventData/Data[@Name='TargetDomainName']</Value>
    </ValueQueries>
    <!-- ================= -->
    <Subscription><!-- Filter on logon types --></Subscription>

  </EventTrigger>
</Triggers>