What Is Terminal Identification?
Terminal identification is a refined management method for campus network access. It analyzes and extracts terminal characteristics based on the digest fields of some protocol packets to identify terminal information such as terminal types and operating systems. The campus network management system (NMS) can implement digital presentation and security access control on campus terminals based on the identified characteristics. Terminal identification methods include passive fingerprint collection and proactive scanning.
Why Is Terminal Identification Required?
With the widespread use of IoT devices and dumb terminals, enterprise networks are expanding rapidly, and there are more and more types of access terminals. For example, on campus networks, access terminals include smart terminals (such as PCs and mobile phones) and dumb terminals (such as IP phones, printers, and IP cameras). Management of campus network terminals faces the following challenges:
- The NMS can only display the IP and MAC addresses of access terminals, and is unable to identify terminal types. As a result, the NMS cannot provide more refined visualized management of terminals.
- Administrators need to manually deploy different service configurations and policies for different types of terminals after the terminals access the network. This involves complex service deployment and operations.
Terminal identification was created to solve these problems. By using multiple terminal identification methods, you can view summary information about terminals across the campus network, including their terminal types and operating systems, on the NMS controller, iMaster NCE-Campus. Based on this information, the controller can perform refined management on the terminals. For example, it can perform access authorization by terminal type. Also, automatic access based on terminal identification results can be implemented for dumb terminals that typically use MAC address authentication such as IP phones, printers, and IP cameras on the campus network. This reduces the manual workload for administrators.
Which Terminals Can Be Identified by Terminal Identification?
For terminals supported by fingerprint identification, see iMaster NCE-Campus Terminal Fingerprint Database Capability List at the Huawei technical support website. The following table lists the terminals that can be identified through scanning on network devices.
| Terminal Type | Identifiable Vendor | Identifiable Field |
|---|---|---|
| Camera | Huawei, Hikvision, Dahua, Uniview, TP-Link, and Tiandy | Type, vendor, and model |
| Printer | HP, Canon, Epson, Brother, Lenovo, and Ricoh | Type, vendor, and model |
| IP phone | Polycom, Yealink, Cisco, Avaya, and Meeteasy | Type |
| Phone | Samsung, Apple, Xiaomi, OPPO, Vivo, Huawei, and Honor | Type |
| Tablet | Apple, Samsung, Amazon, Lenovo, Huawei, Honor, and Xiaomi | Type |
| PC | Lenovo, Huawei, HP, Dell, Apple, and ASUS | Type |
What Are the Terminal Identification Methods?
Terminal identification methods mainly include fingerprint identification, scanning-based identification, flow information identification, AI-based identification, and identification based on customized rules.
| No. | Identification Method | Principles | Scenario |
|---|---|---|---|
| 1 | Fingerprint identification | Terminals are identified by matching their fingerprints against the built-in fingerprint database of iMaster NCE-Campus. Terminal fingerprints can be obtained as follows: | In most scenarios, tablets, PCs, mobile phones, laptops, and servers are connected to a network through 802.1X or Portal authentication. It is generally recommended that these terminals be identified through passive fingerprint identification. |
| 2 | Scanning-based identification: scanning by network devices | | It is difficult to collect fingerprints of dumb terminals such as IP phones, IP cameras, and printers, making fingerprint identification challenging. It is generally recommended that these terminals be identified through proactive scanning-based identification. |
| 3 | Scanning-based identification: scanning by iMaster NCE-Campus | | Terminals support SNMP, allowing third-party software to query their operating status. Nmap requires an additional plug-in to be installed. |
| 4 | Flow information identification | Network devices collect 5-tuple information (source IP address, source port, destination IP address, destination port, and protocol) of mutual access flows and report the information to iMaster NCE-Campus for AI-based identification. | After the information is reported, AI-based identification is used to further confirm the terminal types. |
| 5 | AI-based identification | | AI cannot directly identify terminal types and requires manual labeling information for identification. |
| 6 | Identification based on customized rules | If terminals cannot be identified through AI clustering or AI inference, you can create customized rules to identify them. | Identification based on customized rules takes precedence over other identification methods. |
Fingerprint identification
The core technology of fingerprint identification is the construction of the terminal fingerprint database. A terminal fingerprint is a set of feature information that uniquely identifies a terminal (such as a computer or mobile phone). Multidimensional data, including device hardware, software, and network configuration, is collected to generate a unique identifier, which is commonly used in scenarios such as security verification, user tracking, and anti-fraud.
A terminal fingerprint consists of the following elements. The terminal fingerprint types supported by the campus solution are listed in the following table.
- Hardware features: device model, CPU/GPU information, MAC address, and screen resolution
- Software features: operating system type and version, browser type and plug-in, font list, time zone, and language settings
- Network features: IP address, DNS configuration, proxy information, and network delay
- Behavior features: operation habit (such as mouse moving tracks) and application usage mode
| No. | Fingerprint Type | Basic Principles | Identifiable Terminal Type |
|---|---|---|---|
| 1 | OUI | An OUI is the leftmost three bytes in a MAC address and uniquely identifies a device vendor. | All IP terminals (only device vendors can be identified) |
| 2 | HTTP User-Agent | User-Agent is an HTTP request-header field that contains device software and hardware information, including the terminal type, device vendor, operating system, and proxy software. Therefore, it can be used to identify terminals. | Mobile phones, tablets, PCs, and workstations |
| 3 | DHCP option | When a terminal requests an IP address from a DHCP server, it sends DHCP Discover/Request messages to the DHCP server. The Option fields in these messages contain device information of terminals, which can be used for terminal identification. | Mobile phones, tablets, PCs, and workstations; IP cameras, IP phones, and printers |
| 4 | LLDP | The Link Layer Discovery Protocol (LLDP) is a neighbor discovery protocol that provides information such as the operating systems, software versions, and device description of devices. Based on this information, the device types can be identified. | IP phones, IP cameras, network devices |
| 5 | mDNS | Multicast DNS (mDNS) identifies terminal types by extracting service type characteristics from mDNS protocol packets. | Apple terminals, printers, and IP cameras |
| 6 | DNS | DNS operates over UDP. By extracting domain name characteristics from obtained DNS packets, the system can determine whether a terminal is running a Xinchuang operating system. | Xinchuang operating systems (Kylin and Uniontech operating systems) |
| 7 | HTTP URL | The system can determine whether a terminal is running a Xinchuang operating system by checking the host name in an HTTP URL. | Xinchuang operating systems (Kylin and Uniontech operating systems) |
The following figure shows the process of identifying terminals through fingerprint matching in the campus solution. Specifically, a network device collects terminal fingerprints and reports them to iMaster NCE-Campus. iMaster NCE-Campus then matches the fingerprints against customized rules or its built-in terminal fingerprint database to identify the types of known terminals, and automatically infers the types of unknown terminals, thereby achieving accurate terminal identification.
Process of identifying terminals through fingerprint matching
- When a terminal accesses a network, the exchange of various protocol packets, such as DHCP and LLDP packets, is triggered.
- The device collects the protocol packets initiated by the terminal as terminal fingerprints.
- The device reports the fingerprints to iMaster NCE-Campus. In addition to the fingerprint information reported by the device, iMaster NCE-Campus can obtain the terminal fingerprint information contained in authentication packets when the terminal authenticates with iMaster NCE-Campus.
- iMaster NCE-Campus automatically matches the terminal fingerprint information against its terminal fingerprint database to identify the terminal type.
- iMaster NCE-Campus displays the terminal identification result.
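The collection and matching steps above can be illustrated with the OUI and DHCP option fingerprint types. The following is an added example, not code from iMaster NCE-Campus or Huawei: it extracts the OUI and the identifying DHCP options from a DHCP payload and matches them against a small database. The database entries, the OUI, the vendor name, and all function names are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
# Constructed stand-in for a fingerprint database; not iMaster NCE-Campus data.
FINGERPRINT_DB = [
    {"vendor_class_prefix": "MSFT 5.0", "type": "PC", "os": "Windows"},
    {"vendor_class_prefix": "android-dhcp", "type": "Phone", "os": "Android"},
]
OUI_DB = {"02:00:5e": "ExampleCam Ltd"}  # constructed OUI and vendor name

def parse_dhcp_fingerprint(payload: bytes) -> dict:
    """Extract the OUI and identifying options from a DHCP Discover/Request."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[2] != 6:  # hlen: only 6-byte Ethernet MACs carry an OUI
        raise ValueError("unexpected hardware address length")
    mac = payload[28:34]  # first 6 bytes of the chaddr field
    fp = {"mac": mac.hex(":"), "oui": mac[:3].hex(":"),
          "hostname": None, "vendor_class": None, "param_list": []}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # End option
            break
        if code == 0:    # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 12:    # Host Name
            fp["hostname"] = value.decode("ascii", "replace")
        elif code == 60:  # Vendor Class Identifier
            fp["vendor_class"] = value.decode("ascii", "replace")
        elif code == 55:  # Parameter Request List; its order varies by OS
            fp["param_list"] = list(value)
        i += 2 + length
    return fp

def identify(fp: dict) -> dict:
    """Match a fingerprint against the constructed database.

    The OUI yields the vendor only; type and OS come from the DHCP options.
    """
    result = {"type": "unknown", "os": "unknown",
              "vendor": OUI_DB.get(fp["oui"], "unknown")}
    for rule in FINGERPRINT_DB:
        if (fp["vendor_class"] or "").startswith(rule["vendor_class_prefix"]):
            result.update(type=rule["type"], os=rule["os"])
            break
    return result

def build_sample_discover(mac: bytes, options: bytes) -> bytes:
    """Constructed DHCP message: 236-byte BOOTP header, cookie, options, End."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")
    return header + MAGIC_COOKIE + options + b"\xff"
```

Because these fields are supplied by the terminal itself, a result derived from them is a claim by the terminal and is best corroborated with other fingerprint types before it drives authorization.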
Scanning-based Identification
Scanning-based identification determines the type of a terminal based on its response. This method includes proactive scanning by both network devices and iMaster NCE-Campus. iMaster NCE-Campus supports scanning-based identification through SNMP and Nmap.
- Scanning-based identification by network devices
This method allows a network device to scan terminals for terminal identification. Specifically, the network device proactively sends probe packets to terminals and identifies them based on their responses. The identification information includes the terminal type, vendor, and model.
- Scanning-based identification through SNMP
This method relies on the exchange of SNMP packets. By reading identification parameters from the target device's Management Information Base (MIB), the NMS obtains hardware, software, and configuration information to determine the terminal type. To facilitate effective management of their own devices through the NMS, many device vendors develop SNMP-compliant devices. This also allows the device running status to be queried on the NMS through SNMP. For example, devices such as switches, routers, IP phones, and printers typically include information such as the device name, device type, and manufacturer name in the running status reported to the NMS. By querying and analyzing such status information, the NMS can identify the device types.
- Scanning-based identification through Nmap (requiring an additional Nmap plug-in)
This method relies on proactive network probing and behavioral characteristics analysis. The system sends probe packets to target devices and analyzes their characteristics based on response packets to infer their operating systems, service versions, and possible device types. The following describes the identification principles:
- Nmap sends specially crafted TCP/IP packets (such as SYN, ACK, and ICMP packets) to trigger responses from the target device. Differences in protocol-stack implementations across operating systems and devices—such as initial sequence number generation rules, window sizes, and TTL values—form unique signatures. These signatures are then matched against a built-in fingerprint database (such as nmap-os-db) to identify the operating system types and versions.
- Nmap scans the open ports (such as TCP ports 80 and 443) of the target device to determine the types of services that may be running (such as HTTP servers and databases) on the device.
- After establishing a connection with a port, Nmap extracts banner information (such as HTTP headers and SSL certificates) returned by the service or simulates protocol interactions (such as SSH handshakes) to determine the service name and version.
Flow Information Identification
Network devices collect 5-tuple information (source IP address, source port, destination IP address, destination port, and protocol) of each flow, pre-process the data locally, and report the processing result as fingerprints to iMaster NCE-Campus for AI-based identification.
AI-based Identification
- AI clustering-based identification
For unidentified terminals, the K-means algorithm is used to classify their multi-dimensional fingerprints. Terminals with high fingerprint similarity that reaches the threshold are grouped into the same cluster.
Devices of the same model typically have high similarity in their protocol fingerprint data, whereas devices of different models or types have low similarity. First, identifiable terminals are distinguished from unidentified ones based on fingerprint similarity and the prior knowledge database. Then, the unidentified terminals are clustered based on fingerprint similarity again. Users label the category of each cluster, and once a cluster is labeled, all terminals within that cluster can be identified.
AI clustering-based identification process
The following figure shows how the AI clustering algorithm works. High-weight fingerprints are used first for clustering, after which other fingerprints are incorporated to refine the results. The following fingerprints are listed in descending order of clustering priority: flow information > TCP/UDP ports > LLDP = User-Agent = DHCP Option = mDNS = OS protocol > OUI.
AI clustering algorithm
The AI clustering process is as follows:
- The system computes the similarity between the fingerprints of an unidentified terminal and all AI rule fingerprints. A similarity above 40% is considered a successful match. If the similarity is higher than the minimum similarity or 70%, it is high. If the similarity is between 40% and the minimum similarity, it is low.
- If high-similarity candidates exist, the system chooses the one with the highest similarity as the final identification result (AI high similarity). If multiple candidates share the highest similarity, the system chooses the one with the highest priority (smallest priority value).
- If no high-similarity candidates exist, the system applies the same selection logic to the low-similarity candidates to determine the final identification result (AI low-similarity).
- AI inference-based identification
For unidentified terminals, the system uses the K-NN algorithm to compute the similarity between their fingerprints and previously labeled fingerprints. If the similarity reaches the predefined threshold, the terminal is considered to be of the same type as the labeled terminals and is automatically assigned to the corresponding terminal group.
AI inference-based identification process
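The candidate selection described in the AI clustering process above (match floor of 40%, high and low similarity bands, priority as tie-breaker) can be sketched as follows. This is an added example, not iMaster NCE-Campus code. It assumes Jaccard similarity over sets of fingerprint features, because the page does not name the metric, and it treats the configured minimum similarity as the boundary of the high band with a default of 70%. The rule names and feature strings are constructed.

```python
from dataclasses import dataclass

MATCH_FLOOR = 0.40  # a similarity above 40% counts as a successful match

@dataclass(frozen=True)
class AiRule:
    name: str            # terminal type label given to the cluster
    priority: int        # smaller value means higher priority
    features: frozenset  # fingerprint features of the labeled cluster

# Constructed AI rules; feature strings are illustrative only.
SAMPLE_RULES = [
    AiRule("IP camera model A", 2, frozenset({"port:554", "port:80", "oui:02:00:5e",
                                              "dhcp60:cam", "mdns:_rtsp._tcp"})),
    AiRule("IP camera model B", 1, frozenset({"port:554", "port:80", "oui:02:00:5e",
                                              "dhcp60:cam", "lldp:camera"})),
    AiRule("Printer", 3, frozenset({"port:80", "oui:02:00:5e", "port:9100"})),
]

def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity (assumed metric): shared features over all features."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def select_rule(fingerprint: frozenset, rules, high_threshold: float = 0.70):
    """Return (rule name, match level, similarity) or None if nothing matches."""
    scored = [(similarity(fingerprint, r.features), r) for r in rules]
    matched = [(s, r) for s, r in scored if s > MATCH_FLOOR]
    high = [(s, r) for s, r in matched if s > high_threshold]
    # High-similarity candidates win outright; otherwise fall back to low ones.
    pool, level = (high, "AI high similarity") if high else (matched, "AI low similarity")
    if not pool:
        return None
    # Highest similarity first, then the smallest priority value on a tie.
    score, rule = min(pool, key=lambda sr: (-sr[0], sr[1].priority))
    return rule.name, level, round(score, 2)
```

A low-similarity result is a weaker basis for automatic authorization than a high-similarity one, so keeping the match level alongside the terminal type lets policy treat the two differently.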
What Are the Application Scenarios of Terminal Identification?
Terminal identification technologies enable visualized management, refined control, and security management throughout the lifecycle of terminals. They implement visualization, automated network access, anti-spoofing, and unauthorized access prevention for terminals.
Terminal Plug-and-Play
On a campus network, access terminals include smart terminals (such as PCs and mobile phones) and dumb terminals (such as IP phones, printers, and IP cameras). Different types of terminals require different network service configurations and policies. Administrators need to manually collect MAC addresses of dumb terminals for access authentication and configure services such as VLANs for each terminal type, complicating service deployment.
Administrators can enable terminal identification on the RADIUS server that supports terminal identification and specify access and authorization policies based on the terminal type. When a terminal goes online, the RADIUS server automatically identifies the terminal type and delivers the corresponding automatic access policy and authorization policy to implement plug-and-play of the terminal.
Automated access based on the terminal type
Terminal Visualization
During network terminal management and O&M, administrators can view the types and operating systems of terminals across the entire network through the campus NMS, including dumb terminals such as printers, IP cameras, and access control systems, to implement refined management.
Through the campus NMS, administrators can collect terminal type-based statistics and analyze and manage traffic data.
Terminal type-based statistics collection and traffic data analysis and management
Differentiated Terminal Policies
In some scenarios, administrators want to enforce different policies on different types of terminals. For example, different access policies can be configured for mobile phones and PCs. Mobile phones can access only the Internet, while PCs can access both the intranet and Internet.
Administrators can enable terminal identification on the RADIUS server that supports terminal identification and specify authorization policies based on the terminal type. When a terminal accesses the network, the RADIUS server automatically identifies the type of the terminal and delivers a corresponding authorization policy accordingly. This helps implement differentiated policies for different types of terminals.
Authentication and authorization based on the terminal type
Terminal Anti-Spoofing
Dumb terminals typically access the network through low-security methods such as IP address whitelisting or MAC address authentication, and often lack periodic virus scanning and removal capabilities. Therefore, unauthorized terminals can easily spoof the IP or MAC addresses of authorized terminals to launch attacks on the network. If the type of a terminal with a certain MAC address suddenly changes, for example, from a camera to a laptop, there is a high possibility that the terminal has been spoofed.
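The type-change check described above can be run over a stream of identification results. The following is an added example, not code from the campus solution. The record layout, the severity levels, and the choice to keep the first identified type as the baseline until an administrator re-approves the terminal are assumptions, and the sample records are constructed.

```python
import re

DUMB_TYPES = {"Camera", "Printer", "IP phone"}  # dumb terminals named on the page

# Constructed identification results: (timestamp, MAC address, identified type).
SAMPLE_RECORDS = [
    ("2024-01-01T08:00:00", "02-00-5E-11-22-33", "Camera"),
    ("2024-01-01T09:00:00", "0200.5e11.2233", "unknown"),
    ("2024-01-02T10:00:00", "02:00:5e:11:22:33", "PC"),
    ("2024-01-02T10:05:00", "02:00:5e:11:22:33", "PC"),
    ("2024-01-02T11:00:00", "02:00:5e:aa:bb:cc", "Phone"),
    ("2024-01-03T11:00:00", "02:00:5e:aa:bb:cc", "Tablet"),
]

def normalize_mac(mac: str) -> str:
    """Canonicalize common MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def detect_type_changes(records):
    """Return one alert per MAC and new type when the identified type changes.

    records must be in time order. The first identified type of a MAC is
    kept as its baseline (assumption: only an administrator resets it).
    """
    baseline, alerted, alerts = {}, set(), []
    for ts, mac, ttype in records:
        mac = normalize_mac(mac)
        if ttype == "unknown":  # a failed identification is not a type change
            continue
        known = baseline.setdefault(mac, ttype)
        if known == ttype or (mac, ttype) in alerted:
            continue
        alerted.add((mac, ttype))
        # A dumb terminal turning into a smart terminal is the case the page
        # singles out, for example a camera that becomes a laptop.
        dumb_to_smart = known in DUMB_TYPES and ttype not in DUMB_TYPES
        alerts.append({"time": ts, "mac": mac, "was": known, "now": ttype,
                       "severity": "high" if dumb_to_smart else "medium"})
    return alerts
```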
Unauthorized Terminal Access Prevention
In dormitories and labs, students may connect unauthorized hubs and unauthorized routers to the campus network for Internet access, which threatens network security and bypasses accounting by carriers. Meanwhile, as enterprise requirements for mobile office grow and terminal access types become more complex, employees' unauthorized hotspots and router access put pressure on enterprise network O&M and increase the risk of enterprise information leakage. Unauthorized access prevention applies to the following scenarios:
- Unauthorized hub access: For convenient Internet access, students and enterprise employees connect unauthorized hubs to the network and then connect unauthorized terminals to these hubs, complicating network O&M and management.
- Unauthorized router access: For convenient Internet access, students and enterprise employees connect unauthorized routers to access switches or APs and share accounts for Internet access.
- Wi-Fi sharing: For information security, organizations such as governments and financial institutions forbid wireless networks from being established on their intranets. However, some office staff, for personal convenience, may share the network over Wi-Fi for use by devices such as personal mobile phones. This exposes the intranet to attackers, who can easily intrude into the intranet environment and cause losses to the organizations.
Unauthorized terminals can be identified in the following ways:
- Terminal identification: Administrators can configure access control rules for unauthorized terminals that are discovered through terminal identification to block or unblock these terminals.
- Device reporting: Devices configured with unauthorized access detection automatically detect unauthorized terminals and report alarms to iMaster NCE-Campus, through which administrators can block or unblock the terminals.
What Is the Relationship Between Terminal Identification and Asset Identification?
To cope with network security risks introduced by diversified and wireless campus terminals, Huawei High-Quality 10 Gbps CloudCampus Solution builds a full-scope security architecture and an integrated security defense system featuring device-network-cloud synergy to build a zero-trust campus network.
On the access side, security is fundamentally about asset security, and asset security requires full visibility and controllability of all assets. The prerequisite for asset security is that terminals can be identified, and terminal identification provides exactly such a function.
- Author: Xu Hailin
- Updated on: 2026-05-18