08-16-2013 10:44 AM
For Android and Apple devices we have specific rules that put these devices into their own VLAN with their own set of firewall rules. We Onboard these devices then using 'Role Mapping' rules we identify the device and push it to the appropriate VLAN.
BlackBerrys can't go through the Onboard. I would still like to handle them in a similar manner.
So as a quick solution I modify their entry in the 'Endpoint Database' and manually add an attribute that identifies them as a BlackBerry device. I then added a rule to the 'Role Mapping' rule used to identify the Apple and Android devices that looks for this attribute then sets the role to something along the same lines as the Apple and Android devices. The role is then used in the 'Enforcement Profile' to direct them to the correct VLAN and User Role.
The BlackBerry devices (tested so far with the Q10) are able to connect. Our users use their network credentials and their device is placed into the appropriate VLAN.
I was just curious if there was another way of doing this? I had thought about using an LDAP group called like "blackberry" and then evaluate the users that are a part of the group but we decided against this method.
If I recall correctly, the values that are generated by DHCP fingerprinting such as 'Category', 'OS Family' are not available to be used to do things like 'Role Mappings'. Is there some other way to automatically identify a BlackBerry device?
Thank you,
08-16-2013 10:48 AM - edited 08-16-2013 10:48 AM
We use the following attributes to identify BlackBerry devices:
Radius:Aruba:Aruba-Device-Type EQUALS BlackBerry
or Connection:Client-Mac-Vendor EQUALS Research In Motion
or Connection:Client-Mac-Vendor EQUALS Research In Motion Limited
or Endpoint: Device Type EQUALS BlackBerry
08-16-2013 11:02 AM - edited 08-16-2013 11:12 AM
I am curious in which circumstances is the RADIUS attribute 'Aruba:Aruba-Device-Type EQUALS BlackBerry' available to evaluate? I was under the impression these are only available during an Onboard attempt? Do you do any prep to the devices? And what authentication is being used? Currently with BlackBerry we are just using EAP-PEAP and EAP-MSCHAPv2.
The other RADIUS attribute 'Connection:Client-Mac-Vendor' doesn't appear to be available in the request.
Is attribute 'Endpoint: Device Type' populated by you or automatically?
It looks like for the BB Q10's the MAC Vendor field is blank.
Are you by chance generating a certificate for the BlackBerrys manually?
There must be something I am not doing with the BlackBerrys!
08-16-2013 11:57 AM
Awesome, with an older BlackBerry device I was able to use the 'Connection:Client-Mac-Vendor' to map my role for the device.
For the new BlackBerry devices (like the Q10 that I have tested with) it looks like the fingerprinting database may be out of date since the field is empty. I had this once before when the new Apple Mini iPad thing or whatever it is came out. The 'MAC Vendor' was missing from the client requests.
08-16-2013 12:03 PM
By the looks of it yes.
According to the CPPM....
Endpoint Profile Fingerprints Data Version: 2.60 Last Updated: 2013/8/14
Unfortunately I don't have a Z10 to test with.
Maybe this particular device has a MAC range that does not get classified by Aruba?
08-16-2013 12:03 PM
The other thing I noticed is that the devices running BlackBerry 10 often get misfingerprinted by the controllers and ClearPass as Android devices because of the android virtual runtime that runs on the platform.
Here's the request for my Z10
08-16-2013 12:22 PM
They get misfingerprinted really? That is very interesting! Would that be caused by the "Host User Agent" information that is pulled during the Endpoint Fingerprinting? The DHCP information wouldn't indicate anything about the android virtual runtime would it?
Thanks for the screenshot! I wish mine included the 'MAC Vendor'!
Here is a request from the Q10 - As you can see no 'client-mac-vendor' :(
Here is a request from an older BlackBerry Curve
I am going to have to keep an eye open for the misfinger as well. I find that pretty interesting!
08-18-2013 09:16 PM
(you can find it in the endpoint database. Check mark show fingerprint.
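The OR rule quoted earlier in the thread, modelled in Python as an added example (not from any poster and not ClearPass code), run over constructed requests for the cases discussed: an older Curve, a Q10 with an empty MAC vendor, and a BlackBerry 10 device the controller reports as Android. The attribute name 'Endpoint:Manual-Device-Tag' is hypothetical and stands in for the hand-added Endpoint Database attribute; the attribute values in the samples are assumptions.

```python
# Simplified model of the OR-style BlackBerry rule from the thread.
# Not ClearPass code: it only mirrors the conditions quoted above.
RIM_VENDORS = {"Research In Motion", "Research In Motion Limited"}
MANUAL_TAG = "Endpoint:Manual-Device-Tag"  # hypothetical name for the hand-added attribute

CONDITIONS = [
    ("Radius:Aruba:Aruba-Device-Type", {"BlackBerry"}),
    ("Connection:Client-Mac-Vendor", RIM_VENDORS),
    ("Endpoint:Device Type", {"BlackBerry"}),
    (MANUAL_TAG, {"BlackBerry"}),
]
# Attributes assumed to carry a fingerprinted platform name.
PLATFORM_ATTRS = ["Radius:Aruba:Aruba-Device-Type", "Endpoint:Device Type"]


def evaluate(attrs):
    """Return (role, matched attribute names, review notes) for one request."""
    matched = [name for name, allowed in CONDITIONS if attrs.get(name) in allowed]
    notes = []
    # A blank vendor means the vendor condition can never match this device.
    if not attrs.get("Connection:Client-Mac-Vendor"):
        notes.append("empty MAC vendor")
    # Another signal naming a different platform deserves a manual look.
    other = sorted({attrs[a] for a in PLATFORM_ATTRS
                    if attrs.get(a) and attrs[a] != "BlackBerry"})
    if matched and other:
        notes.append("conflicting fingerprint: " + ", ".join(other))
    role = "blackberry" if matched else "unclassified"
    return role, matched, notes


# Constructed sample requests; values are illustrative, not captured data.
SAMPLES = {
    "older Curve": {"Connection:Client-Mac-Vendor": "Research In Motion"},
    "Q10, untagged": {"Connection:Client-Mac-Vendor": ""},
    "Q10, hand-tagged": {"Connection:Client-Mac-Vendor": "", MANUAL_TAG: "BlackBerry"},
    "BB10 seen as Android": {
        "Connection:Client-Mac-Vendor": "Research In Motion Limited",
        "Radius:Aruba:Aruba-Device-Type": "Android",
    },
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(label, "->", evaluate(attrs))
```

The untagged Q10 falls through every condition, and the last sample still maps to the BlackBerry role but is flagged because the controller's device type disagrees with the vendor match.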