For Android and Apple devices we have specific rules that put these devices into their own VLAN with their own set of firewall rules. We Onboard these devices, then using 'Role Mapping' rules we identify the device and push it to the appropriate VLAN.
BlackBerrys can't go through the Onboard. I would still like to handle them in a similar manner.
So as a quick solution I modify their entry in the 'Endpoint Database' and manually add an attribute that identifies them as a BlackBerry device. I then added a rule to the 'Role Mapping' rule used to identify the Apple and Android devices that looks for this attribute then sets the role to something along the same lines as the Apple and Android devices. The role is then used in the 'Enforcement Profile' to direct them to the correct VLAN and User Role.
The BlackBerry devices (tested so far with the Q10) are able to connect. Our users use their network credentials and their device is placed into the appropriate VLAN.
I was just curious if there was another way of doing this? I had thought about using an LDAP group called like "blackberry" and then evaluate the users that are a part of the group, but we decided against this method.
If I recall correctly, the values that are generated by DHCP fingerprinting, such as 'Category' and 'OS Family', are not available to be used to do things like 'Role Mappings'. Is there some other way to automatically identify a BlackBerry device?
Thank you,
We use the following attributes to identify BlackBerry devices:
Radius:Aruba:Aruba-Device-Type EQUALS BlackBerry
or Connection:Client-Mac-Vendor EQUALS Research In Motion
or Connection:Client-Mac-Vendor EQUALS Research In Motion Limited
or Endpoint: Device Type EQUALS BlackBerry
I am curious in which circumstances the RADIUS attribute 'Aruba:Aruba-Device-Type EQUALS BlackBerry' is available to evaluate? I was under the impression these are only available during an Onboard attempt? Do you do any prep to the devices? And what authentication is being used? Currently with BlackBerry we are just using EAP-PEAP and EAP-MSCHAPv2.
The other RADIUS attribute 'Connection:Client-Mac-Vendor' doesn't appear to be available in the request.
Is the attribute 'Endpoint: Device Type' populated by you or automatically?
It looks like for the BB Q10's the MAC Vendor field is blank.
Are you by chance generating a certificate for the BlackBerrys manually?
There must be something I am not doing with the BlackBerrys!
Awesome, with an older BlackBerry device I was able to use the 'Connection:Client-Mac-Vendor' to map my role for the device.
For the new BlackBerry devices (like the Q10 that I have tested with) it looks like the fingerprinting database may be out of date since the field is empty. I had this once before when the new Apple Mini iPad thing or whatever it is came out. The 'MAC Vendor' was missing from the client requests.
Weird, my Z10 is picked up by the OUI. Are your fingerprints being updated?
The other thing I noticed is that the devices running BlackBerry 10 often get misfingerprinted by the controllers and ClearPass as Android devices because of the Android virtual runtime that runs on the platform.
Here's the request for my Z10
They get misfingerprinted, really? That is very interesting! Would that be caused by the "Host User Agent" information that is pulled during the Endpoint Fingerprinting? The DHCP information wouldn't indicate anything about the Android virtual runtime, would it?
Thanks for the screenshot! I wish mine included the 'MAC Vendor'!
Here is a request from the Q10 - As you can see no 'client-mac-vendor' :(
Here is a request from an older BlackBerry Curve
I am going to have to keep an eye open for the misfinger as well. I find that pretty interesting!
Yes they get misfingerprinted. I would open a ticket.
Just in case you were talking about the BlackBerry here is the info.
'MAC Vendor' missing.
Model: BlackBerry Q10
Model Number: SQN100-3
Software Release: 10.1.0.4181
Hey just wanted to make sure which device you were talking about.
Were you talking about the BlackBerry Q10 missing the Vendor MAC?
Or were you talking about @cappalli and the BlackBerry devices that were getting misfingerprinted as Android devices?
I have a BlackBerry Z10 device that was being fingerprinted correctly.
Then just today the Endpoint profile was updated and now the fingerprint appears to be wrong.
It is showing the Z10 as an Android device. I checked the last time the "Endpoint Profile Fingerprints" db was updated and it hasn't been updated in almost a month, so it is a little strange that it suddenly changed.
It could be that the Z10 itself was updated recently so now maybe the fingerprinting is off?
I have IFMAP enabled on the Aruba Controller.
What is the controller profiling it as?
That is a good question.
I will have to figure out how to check that and I will get back to you!
I should be able to see how the controller profiles it using the following command? Is that right?
#show log network all | include DISCOVER
If this is the case then I will need to get my hands on the phone as the logs don't go far enough back.
I will probably have to have the client reconnect to our Guest SSID temporarily to see what the controller is doing.
On the 'show user-table' the device is profiled as 'Type - Android'
Here is the DHCP Discover string
DISCOVER 40:6f:2a:6a:e5:34 Transaction ID:0xd8af2a78 Options 0c:4d61726342427a3130 37:011c02030f060c 3c:426c61636b4265727279204f532031302e322e302e31373931
And here are the device details.
Device Manuf: BlackBerry
Device Model: BlackBerry Z10
Model Number: STL100-3
I confirmed with the user that they recently updated the BlackBerry OS.
Hopefully this helps!
I remember you mentioning this, cappalli.
I wasn't sure if this had been resolved yet or not. Or if it is even resolvable based on your comments about the Android VM.
This Z10 in question at one point was being profiled correctly. It was only this most recent update that changed that.
Any chance you might know which OS your Z10's are running?
Last time I did some testing, I was using 10.2.0.1767.
I think BB10 is the only platform that can run another OS on top of the core so I think the way it gets profiled is a new situation. Technically, it's being profiled correctly based on the information the device presents. It seems that either ClearPass or the controllers need to look at another piece of information that is unique to BB10. What that is, I do not know. I know this isn't entirely helpful, but just some observations.
No it is absolutely helpful!
It at least gives me an idea of what is happening and the cause.
Strange that I am only seeing it now.
I wonder if the CPPM could parse the DHCP fingerprinting information differently, as the DHCP Option 60 indicates it is 'BlackBerry OS..'.
I am not sure of the reliability of this information though.
I am not all that familiar with the inner workings of the fingerprinting so I shouldn't comment further!
As a temp solution I included in my Role Mapping 'if MAC Vendor = Research In Motion' do 'blah'.
I guess it could be a little bit before there is a solid solution to more accurately fingerprint the Z10s.
It is pretty unique in the mobile world as you described.
Thanks for the info though, cappalli, it is much appreciated!
By the looks of it yes.
According to the CPPM....
Endpoint Profile Fingerprints
Data Version: 2.60
Last Updated: 2013/8/14
Unfortunately I don't have a Z10 to test with.
Maybe this particular device has a MAC range that does not get classified by Aruba?
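The DHCP DISCOVER string posted earlier in the thread can be decoded to see exactly what the handset tells the network about itself. The following is an added example, not part of any post and not ClearPass or controller code: it parses that log line (option codes are logged in hex, so 0c, 37 and 3c are options 12, 55 and 60) and applies a hypothetical `classify` rule that prefers the option 60 vendor class.

```python
import re

# Sample input: the DISCOVER line quoted in the thread, in the log format as posted.
SAMPLE = ("DISCOVER 40:6f:2a:6a:e5:34 Transaction ID:0xd8af2a78 Options "
          "0c:4d61726342427a3130 37:011c02030f060c "
          "3c:426c61636b4265727279204f532031302e322e302e31373931")

LINE_RE = re.compile(
    r"DISCOVER\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"Transaction ID:(?P<xid>0x[0-9a-f]+)\s+Options\s+(?P<opts>.+)$", re.I)


def parse_discover(line):
    """Return MAC, transaction id and decoded DHCP options from one log line."""
    m = LINE_RE.search(line.strip())
    if not m:
        raise ValueError("not a DISCOVER log line")
    options = {}
    for token in m.group("opts").split():
        code_hex, _, value_hex = token.partition(":")
        # Option codes and values are both hex-encoded in the log.
        options[int(code_hex, 16)] = bytes.fromhex(value_hex)
    return {
        "mac": m.group("mac").lower(),
        "xid": m.group("xid"),
        "hostname": options.get(12, b"").decode("ascii", "replace"),      # option 12
        "param_request_list": list(options.get(55, b"")),                 # option 55
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),  # option 60
    }


def classify(info):
    """Hypothetical rule (an assumption): use option 60 when it names BlackBerry."""
    if info["vendor_class"].lower().startswith("blackberry"):
        return "BlackBerry"
    return "Unknown"


if __name__ == "__main__":
    info = parse_discover(SAMPLE)
    print(info["vendor_class"], "->", classify(info))
```

Option 60 is supplied by the client, so a rule like this is a profiling hint for VLAN and role placement rather than proof of device identity; the authentication result should still gate access.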