AAA, NAC, Guest Access & BYOD

How to do Location Based filtering

Environment : This article applies to all Air group version .

 

Network Topology : Aruba controller  - Running 6.1.3.6 Airgroup version Integrated with CPPM.

 

LOCATION BASED FILTERING USING CPPM

Note
=====
Need to have  CPPM  server  integrated with controller.

Configuring a CPPM Server on Aruba controller
=======================================
Using the WebUI
To configure a CPPM server using the controller WebUI:
1. Navigate to the Configuration > Security > Authentication > Servers.
2. Select Radius Server to display the CPPM Server List.
3. To configure a CPPM server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Select the Mode check box to activate the
authentication server.
5. Click Apply to apply the configuration.
Using the CLI
Use the following commands to configure a CPPM server using the CLI:
aaa authentication-server radius <name>
host <ipaddr>
key <key>
 
-There are three methods for doing location based filtering.
Ap-Name based.
Ap-Group based
Ap-FQLN Based
 
 
- Ap-Name Based.
Ap-name==<name> Tag value format
 
Description: When the location is set to Ap-name, all airgroup users connected to thes Ap and the Ap’s which are in the same Rf neighbourhood can access the shared devices.
 
# Show airgroup cppm entries ( this command will shows the following )

 

rtaImage.png

ClearPass Guest Device Registration Information
-----------------------------------------------
Device             device-owner  shared location-id AP-name  shared location-id AP-FQLN  shared location-id AP-group  shared user-list  shared role-list  #CPPM-Req  CPPM-Resp
------             ------------  --------------------------  --------------------------  ---------------------------  ----------------  ----------------  ---------  ---------
9c:20:7b:a3:29:16  N/A           JNR_L5_Base1                                                                                                             5          5
                                 JNR_L5_Base2
                                 JNR_L5_Base3
                                 JNR_L5_Base4
                                 JNR_L5_Base5
                                 JNR_L5_Base6
                                 JNR_L5_Base7
                                 JNR_L5_Base8
                                 JNR_L5_ICT_OpenArea01
9c:20:7b:7d:c8:8d  N/A           JNR_L5_Base1                                                                                                             3          3
                                 JNR_L5_Base2
                                 JNR_L5_Base3
                                 JNR_L5_Base4
 
-Screen shot for the same device entries in CPPM  server.

 

rtaImage (1).png

 

Note - As per the above diagram for each devices there are a list of Ap names which is added to view the device but however from the below command you can find the list of neighbour bssid of the Ap’s which is one hop away from the ap added and all these ap’s will also be able to view the device even though they are not added to the list..
 
Show AirGroup Aps ( this is the main command which will show the  neighbour aps bssid for the Ap’s in which the devices are added.
------------
IP  Name   Group             MAC                BSSID- A           BSSID- B/G         FQLN  Neighbor count- A  Neighbor count- B/G  Neighbor base BSSID  BAND
--  ----   -----             ---                --------           ----------         ----  -----------------  -------------------  -------------------  ----
    EBT_N  TTSWLS01-APPLETV  d8:c7:c8:c2:d3:05  d8:c7:c8:ad:30:50  d8:c7:c8:ad:30:50        4                  13                   d8:c7:c8:2b:4f:70    A
                                                                                                                                    d8:c7:c8:ad:30:90    A
                                                                                                                                    00:c7:c8:2b:4d:e0    A
                                                                                                                                    00:f3:7f:88:53:20    A
                                                                                                                                    00:1a:1e:cb:cf:90    B/G
                                                                                                                                    d8:c7:c8:2b:4f:70    B/G
                                                                                                                                    d8:c7:c8:2b:51:60    B/G
                                                                                                                                    d8:c7:c8:2b:38:60    B/G
                                                                                                                                    d8:c7:c8:ad:30:90    B/G
                                                                                                                                    d8:c7:c8:2b:4d:30    B/G
                                                                                                                                    7e:67:21:ba:62:d0    B/G
                                                                                                                                    28:cf:e9:58:23:10    B/G
                                                                                                                                    00:26:75:86:b5:b0    B/G
                                                                                                                                    98:2c:be:11:5b:c0    B/G
                                                                                                                                    0c:37:dc:31:8d:20    B/G
                                                                                                                                    4c:54:99:10:76:d0    B/G
                                                                                                                                    00:f3:7f:88:53:20    B/G
 
 
 
 
 
 
 
 
Ap- Group based
 
Tag=Value Format  ap-group=<group>
Description : When the location attribute is set to ap-group, all AirGroup  users associated to APs in the specified AP group can access the shared device.
 
# Show airgroup cppm entries  ( This command will shows the following ) Cppm entries for the shared location-id AP-name)
 

 Shared Location-id Ap-group ---- Displayed the location ID based on the name of the ap group.
 
-         This is same as  Ap- Name  but it is very straight forward  were we can restrict the devices to be viewed by segregating the  Ap’s to different Ap-group and  map the same in the cppm for the list of devices to be viewed by each client connecting to the ap in that group.
 
 
AP-FQLN based
 
Tag=Value Format  fqln=<fqln>
Description   When the location attribute is set to ap-FQLN, all AirGroup users connected to APs on the same floor, and to the APs on a floor above or below the configured APs can access the shared device.
 
-AP FQLNs should be configured in the format <ap-name>.floor <number>.<building>.<campus>
- The <ap-name> should not include periods ( . )
Example: AP305-2.Floor 2.TowerD.Aruba
 
#show airgroup cppm entries( this command will show the  shared location-id AP-FQLN)

 

rtaImage (2).png

Note: As per the description in this method The Ap Fqln has to configured in the same format as mentioned above and can be mapped to the devices in Cppm as per the requirement . However as mentioned above “all AirGroup users connected to APs on the same floor, and to the APs on a floor above or below the configured APs can access the shared device.”

Version history
Revision #:
1 of 1
Last update:
‎07-04-2014 05:06 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.