Locating Users on a Network

Last updated 5 years ago

Overview

Using existing infrastructure in an organisation, there is typically enough data available to accurately locate staff. Wireless networks provide a rough indication of location, and cabled infrastructure accurately shows who is sitting at individual desk locations.

This can also be augmented with sensors as required; however, sensors can only be used to indicate desk usage, falling back to wifi for staff location.

The Lookup Process

  1. Look up the username or email address of the person in question (staff search)

  2. Grab the device mappings for that user (as per the diagram above)

  3. Check if any of those devices are plugged in to a switch port (or have a desk reserved)

  4. Fall back to a wireless lookup of username, email or wireless MAC address if no desk is found

Desk Locating Requirements

  • Switch IP addresses

  • SNMP or SSH service enabled on the switch (SSH preferred as it is easier to troubleshoot and secure)

  • A list of switch port to desk mappings

  • A method for pairing staff to their devices

Most switches expose an SNMP service for tracking details of port usage and the devices connected to each port. This is a standard common to most network hardware manufacturers and defined by the following standard: https://tools.ietf.org/html/rfc4293

Cisco switches support SSH (http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html) and Engine supports SSHv2 for secure data transfer. If using the SSH method, each switch is queried approximately once every 5 seconds.

Laptop Docking Stations

Desk locating relies on device MAC addresses to identify staff as they move around a building.

As docking stations often sit between the laptop and the switch, we need to ensure that the MAC address exposed by the docking station is unique to each staff member.

All commercial docking solutions offer a method for passing through a unique MAC, if they don't already do this by default. Two of the more common docking solutions are HP (BIOS or EFI configuration) and USB docks (Dell, Lenovo, Fujitsu, Targus, Kensington, HP and Toshiba among others).

Displaylink provide a PowerShell script to automate the configuration, which can be deployed via SCCM: https://support.displaylink.com/knowledgebase/articles/613455-how-to-configure-displaylink-ethernet#macclone

An alternative script provides detailed logging that can be useful when deploying.

User Device Discovery

We automate the mapping of laptops and phones to staff.

This is a two-step process.

  1. Firstly, we need to discover the IP addresses of the devices in use by a user.

  2. Once we have the IP address, we need to find the associated MAC addresses.

This maintains a mapping of MAC addresses to user accounts, which can be used in conjunction with port usage to determine the location of users.

User Account to IP Address Mapping

There are multiple ways to get this information, and these can be used simultaneously.

  • Users connecting to the staff application

  • Users logging on to their machines, triggering an event on the Windows domain controller

  • Users connecting to a file share or print server

  • A custom tray application tracking the logged-in user, any IP address changes, and associated MAC addresses

Windows Domain Controller

The Windows domain controller is used to authenticate users as they log onto a device. This would typically be a laptop, desktop computer or thin client.

By auditing credential validation events it is possible to query these logs to inform Engine of the user account and the corresponding IP address associated with the event. See:

  • https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

  • https://technet.microsoft.com/en-us/library/dd772679%28v=ws.10%29.aspx

  • https://technet.microsoft.com/en-us/library/dn311489%28v=ws.11%29.aspx

File Share or Print Server

Similar to the Windows domain controller method, audit logging can be enabled for file share access events: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

IP Address to MAC Address Resolution

  • Engine will communicate with the switches over UDP port 161 or TCP port 22

  • The switches may communicate to Engine over UDP port 162 (not required for SSH connections)

At this point, we have a user account and an IP address. We need to look up the MAC address associated with the IP address so we can associate the user with the MAC address/device.

Switch DHCP Snooping Table

We query DHCP snooping tables on layer 2 switches as they maintain a list of DHCP allocated IP addresses and the MAC addresses of assigned devices.

DHCP snooping is a security feature, and enabling it has additional advantages beyond user locating. If DHCP snooping is undesirable, DHCP Gleaning can be used instead.

Example Powershell Scripts

This covers the basics of user discovery using a domain controller. A 3rd party machine can be configured to query server logs remotely; see the detailed scripts for how this is achieved: https://github.com/acaprojects/ruby-engine/blob/master/docs/capturing_user_devices.md

It is possible to use additional events and change scripts as required for security compliance. For more details on how this is implemented please see our detailed configuration guide.
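The Engine-side half of the process above, as an added example (not code from the Engine documentation or the ruby-engine project): it parses a DHCP snooping binding table into an IP to MAC/port map, maintains the MAC to user mapping from discovered user IPs, and runs lookup steps 1 to 4 with the wireless fallback. The binding table, desk mapping, user IP list and wireless data are all constructed, the Cisco-style column order (MAC, IP, lease, type, VLAN, interface) is an assumption, and every function name is hypothetical.

```ruby
# Added example: Engine-side lookup combining the data sources on this page.
# Constructed sample of a Cisco-style `show ip dhcp snooping binding` table
# (assumed column order: MAC, IP, lease, type, VLAN, interface).
SNOOPING_TABLE = <<~TABLE
  MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
  ------------------  ---------------  ----------  -------------  ----  --------------------
  00:1A:2B:3C:4D:5E   10.0.1.25        85000       dhcp-snooping  10    GigabitEthernet1/0/12
  00:1A:2B:3C:4D:5F   10.0.1.26        84000       dhcp-snooping  10    GigabitEthernet1/0/13
  AA:BB:CC:DD:EE:01   10.0.9.7         3000        dhcp-snooping  20    GigabitEthernet1/0/48
TABLE

# Constructed inputs: switch port -> desk, user -> IPs (e.g. from domain
# controller events) and wireless presence used as the fallback.
PORT_TO_DESK = { 'GigabitEthernet1/0/12' => 'Desk 3.14', 'GigabitEthernet1/0/13' => 'Desk 3.15' }
USER_IPS     = { 'alice@example.com' => ['10.0.1.25'], 'bob@example.com' => ['10.0.9.7'] }
WIFI_USERS   = { 'bob@example.com' => 'Level 2 East' }

# Parse the binding table into { ip => { mac:, port: } }; header and rule
# lines do not match the MAC/IP pattern and are skipped.
def parse_snooping_binding(text)
  row = /\A\s*([0-9A-F:.]{12,17})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\d+\s+(\S+)/i
  text.each_line.with_object({}) do |line, bindings|
    next unless (m = line.match(row))
    bindings[m[2]] = { mac: m[1].upcase, port: m[3] }
  end
end

# Maintain the MAC -> user mapping (User Device Discovery step 2).
def mac_to_user(bindings, user_ips: USER_IPS)
  user_ips.each_with_object({}) do |(user, ips), map|
    ips.each { |ip| map[bindings[ip][:mac]] = user if bindings[ip] }
  end
end

# Lookup steps 2-4: user -> IPs -> switch port -> desk, else wireless fallback.
# A port with no desk mapping (uplink, printer) is treated as "no desk found".
def locate_user(user, bindings, port_to_desk: PORT_TO_DESK, user_ips: USER_IPS, wifi: WIFI_USERS)
  user_ips.fetch(user, []).each do |ip|
    entry = bindings[ip]
    next unless entry
    desk = port_to_desk[entry[:port]]
    return { location: desk, source: :desk, mac: entry[:mac] } if desk
  end
  return { location: wifi[user], source: :wifi } if wifi.key?(user)
  nil
end
```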