Security

last person joined: 11 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Handling BlackBerry Devices - Identification

  • 1.  Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 01:44 PM

    Hi,

     

    For Android and Apple devices we have specific rules that put these devices into their own VLAN with their own set of firewall rules. We Onboard these devices then using 'Role Mapping' rules we identify the device and push it to the appropriate VLAN.

     

    BlackBerry's can't go through the Onboard. I would still like to handle them in a similar manor.

     

    So as a quick solution I modify their entry in the 'Endpoint Database' and manually add an attribute that identifies them as a BlackBerry device. I then added a rule to the 'Role Mapping' rule used to identify the Apple and Android devices that looks for this attribute then sets the role to something along the same lines as the Apple and Android devices. The role is then used in the 'Enforcement Profile' to direct them to the correct VLAN and User Role.

     

    The BlackBerry devices (tested so far with the Q10) are able to connect. Our users use their network credentials and their device is placed into the appropriate VLAN.

     

    I was just curious if there was another way of doing this? I had thought about using an LDAP group called like "blackberry" and then evaluate the users that are apart of the group but we decided against this method.

     

    If I recall correctly, the values that are generated by DHCP finger printing such as 'Category', 'OS Family' are not available to be used to do things like 'Role Mappings'. Is there some other way to automatically identify a BlackBerry device?

     

    Thank you ,

     

    Cheers



  • 2.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 01:48 PM

    We use the following attributes to identify BlackBerry devices:

       Radius:Aruba:Aruba-Device-Type  EQUALS  BlackBerry
    or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion
    or    Connection:Client-Mac-Vendor  EQUALS  Research In Motion Limited
    or    Endpoint: Device Type  EQUALS  BlackBerry



  • 3.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 02:02 PM

    Hi @cappalli

     

    I am curious in which circumstances is the RADIUS attribue: 'Aruba:Aruba-Device-Type  EQUALS  BlackBerry' available to evaluate? I was under the impression these are only available during an Onboard attemp? Do you do any prep to the devices? And what authentication is being used. Currently with BlackBerry we are just using EAP-PEAP and EAP-MSCHAPv2.

     

    The other RADIUS attribute 'Connection:Client-Mac-Vendor' doesn't appear to be available in the request.

    Is attribute 'Endpoint: Device Type' populate by you or automatically?

    It looks like for the BB Q10's the MAC Vendor field is blank. 

     BlackBerry_Q10_MAC_Vendor.png

     

    Are you by chance generating a certificate for the BlackBerry's manually?

     

    There must be something I am not doing with the BlackBerry's!

     

     

     

     



  • 4.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 02:57 PM

    Awesome, with an older BlackBerry device I was able to use the 'Connection:Client-Mac-Vendor' to map my role for the device.

     

    For the new BlackBerry devices (like the Q10 that I have tested with) it looks like the finger printing database may be out of date since the field is empty. I had this once before when the new Apple Mini iPad thing or whatever it is came out. The 'MAC Vendor' was missing from the client requests.

     



  • 5.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 02:59 PM

    Weird, my Z10 is picked up by the OUI. Are your fingerprints being updated?



  • 6.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 03:04 PM

    The other thing I noticed is that the devices running BlackBerry 10 often get misfingerprinted by the controllers and ClearPass as Android devices because of the android virtual runtime that runs on the platform.

     

    Here's the request for my Z10

     

    z10.PNG



  • 7.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 03:22 PM

    They get misfingerprinted really? That is very interesting! Would that be caused by the "Host User Agent" information that is pulled during the Enpoint Finger Printing? The DHCP information wouldn't indicate anything about the android virtual runtime would it?

     

    Thanks for the screen shot! I wish mine were were included the 'MAC Vendor'!

     

    Here is a request from the Q10 - As you can see no 'client-mac-vendor' :(

    BlackBerry_Q10_MAC_Vendor_0002.png

     

    Here is a request from an older BlackBerry Curve

    BlackBerry_Old_MAC_Vendor_0003.png

     

    Very strange.. 

    I am going to have to keep an eye open for the misfinger as well. I find that pretty interesting!



  • 8.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 04:28 PM

    Yes they get misfingerprinted. I would open a ticket.



  • 9.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 19, 2013 12:16 AM
    Just a quick note. I notified engineering on the misfingerprint. Can someone PM me or post here the

    device info

    Make
    Model
    Firmware version

    DHCP fingerprint.
    (you can find it in the endpoint database. Check mark show fingerprint.


  • 10.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 19, 2013 08:24 AM

    Just in case you were talking about the BlackBerry here is the info.

    'MAC Vendor' missing.

     

    Model: BlackBerry Q10

    Model Number: SQN100-3

    Software Release: 10.1.0.4181

     

    BlackBerry_Q10_MAC_Vendor.png

     

    ---------------------------------------------------------------------------------------

    @tarnold

     

    Hey just wanted to make sure which device you were talking about.

    Were you talking about the BlackBerry Q10 missing the Vendor MAC?

     

    Or were you talking about @cappalli and the BlackBerry devices that were getting misfinger printed as Android devices?

     

    Thank you,

     

    Cheers



  • 11.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 28, 2013 01:28 PM

    I have a BlackBerry Z10 device that was been finger printed correctly.

    Then just today the Endpoint profile was updated and now the finger print appears to be wrong.

     

    It is showing the Z10 as an Android device. I checked the last time the "Endpoint Profile Fingerprints" db was updated and it hasn't been updated in almost a month so it is a little strange that is suddenly changed.

     

    It could be that the Z10 itself was updated recently so now maybe the finger printing is off?

    I have IFMAP enabled on the Aruba Controller.

     

    Any thoughts?

     

    Endpoints_0006.png



  • 12.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 28, 2013 05:24 PM

    What is the controller profiling it as?



  • 13.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 28, 2013 06:08 PM

    That is a good question.

    I will have to figure out how to check that and I will get back to you!

     

    --------------------------------------

     

    I should be able to see how the controller profiles it using the following command? Is that right?

    #show log network all | include DISCOVER

    If this is the case then I will need to get my hands on the phone as the logs don't go far enough back.

     

    I will probably have to have the client reconnect to our Guest SSID temporarily to see what the controller is doing.



  • 14.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 29, 2013 03:49 PM

    Hey,

     

    On the 'show user-table' the device is profiled as 'Type - Android'

     

    Here is the DHCP Discover string

    DISCOVER 40:6f:2a:6a:e5:34 Transaction ID:0xd8af2a78 Options 0c:4d61726342427a3130 37:011c02030f060c 3c:426c61636b4265727279204f532031302e322e302e31373931

     And here are the device details.

     

    Device Manuf: BlackBerry

    Device Model: BlackBerry Z10

    Model Number: STL100-3

    OS: 10.2.0.424

     

    I confirmed with the user that they recently updated the BlackBerry OS.

     

    Hopefully this helps!

     

    Cheers



  • 15.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 29, 2013 03:53 PM
    My Z10 is always profiled as Android because of the Android VM that runs in
    the background to support both QNX and Android apps.


  • 16.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 29, 2013 04:38 PM

    I remember you mentioning this cappalli

     

    I wasn't sure if this had been resolved yet or not. Or if it is even resolvable based on your comments about the Android VM.

     

    This Z10 in question at one point was being profiled correctly. It was only this most recent update that changed that.

    Any chance you might know which OS your Z10's are running?



  • 17.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 29, 2013 05:26 PM

    Last time I did some testing, I was using 10.2.0.1767.

     

    I think BB10 is the only platform that can run another OS on top of the core so I think the way it gets profiled is a new situation. Technically, it's being profiled correctly based on the information the device presents. It seems that either ClearPass or the controllers need to look at another piece of information that is unique to BB10. What that is, I do not know. I know this isn't entirely helpful, but just some observations.

     

     



  • 18.  RE: Handling BlackBerry Devices - Identification

    Posted Oct 29, 2013 05:35 PM

    No it is absolutely helpful!

     

    It at least gives me an idea of what is happening and the cause.

    Strange that I am only seeing it now.

     

    I wonder if the CPPM could parse the DHCP Finger printing information differently as the DHCP Option60 indicates it is 'BlackBerry OS..'.

    I am not sure of the reliability of this information though.

    I am not all that familar with the innerworkings of the finger printing so I shouldn't comment further!

     

    As a temp solution I included in my Role Mapping 'if MAC Vendor = Research In Motion' do 'blah'

     

    I guess it could be a little bit before there is a solid solution to more accurately finger print the Z10's

    It is pretty unique in the mobile world as you described.

     

    Thanks for the info though cappalli it is much appreciated!



  • 19.  RE: Handling BlackBerry Devices - Identification

    Posted Aug 16, 2013 03:04 PM

    By the looks of it yes.

     

    According to the CPPM....

    Endpoint Profile Fingerprints
    Data Version: 2.60
    Last Updated: 2013/8/14

     Unfortunately I don't have a Z10 to test with.

     

    Maybe this particular device has a MAC Range not get classified by Aruba?