Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Handling BlackBerry Devices - Identification

Hi,

 

For Android and Apple devices we have specific rules that put these devices into their own VLAN with their own set of firewall rules. We Onboard these devices then using 'Role Mapping' rules we identify the device and push it to the appropriate VLAN.

 

BlackBerrys can't go through the Onboard. I would still like to handle them in a similar manner.

 

So as a quick solution I modify their entry in the 'Endpoint Database' and manually add an attribute that identifies them as a BlackBerry device. I then added a rule to the 'Role Mapping' rule used to identify the Apple and Android devices that looks for this attribute then sets the role to something along the same lines as the Apple and Android devices. The role is then used in the 'Enforcement Profile' to direct them to the correct VLAN and User Role.

 

The BlackBerry devices (tested so far with the Q10) are able to connect. Our users use their network credentials and their device is placed into the appropriate VLAN.

 

I was just curious if there was another way of doing this? I had thought about using an LDAP group called something like "blackberry" and then evaluating the users that are a part of the group, but we decided against this method.

 

If I recall correctly, the values that are generated by DHCP fingerprinting, such as 'Category' and 'OS Family', are not available to be used to do things like 'Role Mappings'. Is there some other way to automatically identify a BlackBerry device?

 

Thank you,

 

Cheers

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Handling BlackBerry Devices - Identification


We use the following attributes to identify BlackBerry devices:

   Radius:Aruba:Aruba-Device-Type  EQUALS  BlackBerry
or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion
or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion Limited
or    Endpoint: Device Type  EQUALS  BlackBerry


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Handling BlackBerry Devices - Identification


Hi @cappalli

 

I am curious in which circumstances the RADIUS attribute 'Aruba:Aruba-Device-Type  EQUALS  BlackBerry' is available to evaluate? I was under the impression these are only available during an Onboard attempt? Do you do any prep to the devices? And what authentication is being used? Currently with BlackBerry we are just using EAP-PEAP and EAP-MSCHAPv2.

 

The other RADIUS attribute 'Connection:Client-Mac-Vendor' doesn't appear to be available in the request.

Is the attribute 'Endpoint: Device Type' populated by you or automatically?

It looks like for the BB Q10's the MAC Vendor field is blank. 

 BlackBerry_Q10_MAC_Vendor.png

 

Are you by chance generating a certificate for the BlackBerrys manually?

 

There must be something I am not doing with the BlackBerrys!

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Handling BlackBerry Devices - Identification

Awesome, with an older BlackBerry device I was able to use the 'Connection:Client-Mac-Vendor' to map my role for the device.

 

For the new BlackBerry devices (like the Q10 that I have tested with) it looks like the fingerprinting database may be out of date since the field is empty. I had this once before when the new Apple Mini iPad thing or whatever it is came out. The 'MAC Vendor' was missing from the client requests.

 

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Handling BlackBerry Devices - Identification

Weird, my Z10 is picked up by the OUI. Are your fingerprints being updated?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Handling BlackBerry Devices - Identification

By the looks of it, yes.

 

According to the CPPM....

Endpoint Profile Fingerprints
Data Version: 2.60
Last Updated: 2013/8/14

Unfortunately I don't have a Z10 to test with.

Maybe this particular device has a MAC range that does not get classified by Aruba?

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Handling BlackBerry Devices - Identification

The other thing I noticed is that the devices running BlackBerry 10 often get misfingerprinted by the controllers and ClearPass as Android devices because of the Android virtual runtime that runs on the platform.

 

Here's the request for my Z10

 

z10.PNG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Handling BlackBerry Devices - Identification

They get misfingerprinted, really? That is very interesting! Would that be caused by the "Host User Agent" information that is pulled during the Endpoint Fingerprinting? The DHCP information wouldn't indicate anything about the Android virtual runtime, would it?

 

Thanks for the screenshot! I wish mine included the 'MAC Vendor'!

 

Here is a request from the Q10 - As you can see no 'client-mac-vendor' :(

BlackBerry_Q10_MAC_Vendor_0002.png

 

Here is a request from an older BlackBerry Curve

BlackBerry_Old_MAC_Vendor_0003.png

 

Very strange.. 

I am going to have to keep an eye open for the misfingerprinting as well. I find that pretty interesting!

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Handling BlackBerry Devices - Identification

Yes they get misfingerprinted. I would open a ticket.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Handling BlackBerry Devices - Identification

Just a quick note. I notified engineering on the misfingerprint. Can someone PM me or post here the device info:

Make
Model
Firmware version
DHCP fingerprint

(You can find it in the endpoint database. Check mark show fingerprint.)
Thank You,
Troy
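
The role-mapping conditions posted earlier in this thread, modeled offline as an added example (not part of any post and not ClearPass code), to show which of the reported devices match and which fall through. The sample requests are constructed, EQUALS is assumed to be an exact string comparison, and the hand-set endpoint attribute is assumed to be named 'Device Type'.

```python
import re

# Conditions as posted in the thread; any one matching is enough (OR).
RULE_TEXT = """\
   Radius:Aruba:Aruba-Device-Type  EQUALS  BlackBerry
or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion
or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion Limited
or    Endpoint: Device Type  EQUALS  BlackBerry
"""

def norm_key(name):
    # 'Endpoint: Device Type' and 'Endpoint:Device Type' become the same key.
    return re.sub(r"\s*:\s*", ":", name.strip())

def parse_rule(text):
    """Parse the posted text into (attribute, expected value) pairs."""
    conditions = []
    for line in filter(str.strip, text.splitlines()):
        body = re.sub(r"^\s*or\s+", "", line)
        m = re.fullmatch(r"\s*(.+?)\s+EQUALS\s+(.+?)\s*", body)
        if m is None:
            raise ValueError(f"unparseable condition: {line!r}")
        conditions.append((norm_key(m.group(1)), m.group(2)))
    return conditions

def first_match(conditions, request):
    """Return the first condition met (exact string match assumed), else None."""
    attrs = {norm_key(k): v for k, v in request.items()}
    for attr, expected in conditions:
        if attrs.get(attr, "") == expected:
            return (attr, expected)
    return None

# Constructed requests mirroring the thread; the hand-set attribute name is assumed.
SAMPLES = {
    "older Curve": {"Connection:Client-Mac-Vendor": "Research In Motion"},
    "Q10, vendor blank": {"Connection:Client-Mac-Vendor": ""},
    "BB10 seen as Android": {"Endpoint:Device Type": "Android"},
    "Q10, tagged by hand": {"Endpoint:Device Type": "BlackBerry"},
}

def classify_all(samples=SAMPLES):
    rule = parse_rule(RULE_TEXT)
    return {name: first_match(rule, req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:22} -> {hit[0] if hit else 'NO MATCH (falls through)'}")
```

Requests that return no match are the ones that would need either a fingerprint update or the manual endpoint attribute described in the first post.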
