How to do Location Based filtering

Environment : This article applies to all Air group version .


Network Topology : Aruba controller  - Running Airgroup version Integrated with CPPM.



Need to have  CPPM  server  integrated with controller.

Configuring a CPPM Server on Aruba controller
Using the WebUI
To configure a CPPM server using the controller WebUI:
1. Navigate to the Configuration > Security > Authentication > Servers.
2. Select Radius Server to display the CPPM Server List.
3. To configure a CPPM server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Select the Mode check box to activate the
authentication server.
5. Click Apply to apply the configuration.
Using the CLI
Use the following commands to configure a CPPM server using the CLI:
aaa authentication-server radius <name>
host <ipaddr>
key <key>
-There are three methods for doing location based filtering.
Ap-Name based.
Ap-Group based
Ap-FQLN Based
- Ap-Name Based.
Ap-name==<name> Tag value format
Description: When the location is set to Ap-name, all airgroup users connected to thes Ap and the Ap’s which are in the same Rf neighbourhood can access the shared devices.
# Show airgroup cppm entries ( this command will shows the following )



ClearPass Guest Device Registration Information
Device             device-owner  shared location-id AP-name  shared location-id AP-FQLN  shared location-id AP-group  shared user-list  shared role-list  #CPPM-Req  CPPM-Resp
------             ------------  --------------------------  --------------------------  ---------------------------  ----------------  ----------------  ---------  ---------
9c:20:7b:a3:29:16  N/A           JNR_L5_Base1                                                                                                             5          5
9c:20:7b:7d:c8:8d  N/A           JNR_L5_Base1                                                                                                             3          3
-Screen shot for the same device entries in CPPM  server.


rtaImage (1).png


Note - As per the above diagram for each devices there are a list of Ap names which is added to view the device but however from the below command you can find the list of neighbour bssid of the Ap’s which is one hop away from the ap added and all these ap’s will also be able to view the device even though they are not added to the list..
Show AirGroup Aps ( this is the main command which will show the  neighbour aps bssid for the Ap’s in which the devices are added.
IP  Name   Group             MAC                BSSID- A           BSSID- B/G         FQLN  Neighbor count- A  Neighbor count- B/G  Neighbor base BSSID  BAND
--  ----   -----             ---                --------           ----------         ----  -----------------  -------------------  -------------------  ----
    EBT_N  TTSWLS01-APPLETV  d8:c7:c8:c2:d3:05  d8:c7:c8:ad:30:50  d8:c7:c8:ad:30:50        4                  13                   d8:c7:c8:2b:4f:70    A
                                                                                                                                    d8:c7:c8:ad:30:90    A
                                                                                                                                    00:c7:c8:2b:4d:e0    A
                                                                                                                                    00:f3:7f:88:53:20    A
                                                                                                                                    00:1a:1e:cb:cf:90    B/G
                                                                                                                                    d8:c7:c8:2b:4f:70    B/G
                                                                                                                                    d8:c7:c8:2b:51:60    B/G
                                                                                                                                    d8:c7:c8:2b:38:60    B/G
                                                                                                                                    d8:c7:c8:ad:30:90    B/G
                                                                                                                                    d8:c7:c8:2b:4d:30    B/G
                                                                                                                                    7e:67:21:ba:62:d0    B/G
                                                                                                                                    28:cf:e9:58:23:10    B/G
                                                                                                                                    00:26:75:86:b5:b0    B/G
                                                                                                                                    98:2c:be:11:5b:c0    B/G
                                                                                                                                    0c:37:dc:31:8d:20    B/G
                                                                                                                                    4c:54:99:10:76:d0    B/G
                                                                                                                                    00:f3:7f:88:53:20    B/G
Ap- Group based
Tag=Value Format  ap-group=<group>
Description : When the location attribute is set to ap-group, all AirGroup  users associated to APs in the specified AP group can access the shared device.
# Show airgroup cppm entries  ( This command will shows the following ) Cppm entries for the shared location-id AP-name)

 Shared Location-id Ap-group ---- Displayed the location ID based on the name of the ap group.
-         This is same as  Ap- Name  but it is very straight forward  were we can restrict the devices to be viewed by segregating the  Ap’s to different Ap-group and  map the same in the cppm for the list of devices to be viewed by each client connecting to the ap in that group.
AP-FQLN based
Tag=Value Format  fqln=<fqln>
Description   When the location attribute is set to ap-FQLN, all AirGroup users connected to APs on the same floor, and to the APs on a floor above or below the configured APs can access the shared device.
-AP FQLNs should be configured in the format <ap-name>.floor <number>.<building>.<campus>
- The <ap-name> should not include periods ( . )
Example: AP305-2.Floor 2.TowerD.Aruba
#show airgroup cppm entries( this command will show the  shared location-id AP-FQLN)


rtaImage (2).png

Note: As per the description in this method The Ap Fqln has to configured in the same format as mentioned above and can be mapped to the devices in Cppm as per the requirement . However as mentioned above “all AirGroup users connected to APs on the same floor, and to the APs on a floor above or below the configured APs can access the shared device.”

