
Controller based AirGroup Policies & Auto-association

Requirement:

Controller based AirGroup Policies

 

By default all AirGroup servers are visible to every AirGroup user. 

  • This feature enables configuring policies on the controller for AirGroup servers, limiting the visibility of those servers to the intended AirGroup users. The admin can configure a shared user-list, shared role-list and shared group-list for each AirGroup server to limit that server’s visibility to the intended AirGroup users.
  • The group-list is the same as the group defined in Active Directory.
  • These configurations were done in CPPM prior to v6.4.3; now they are extended to the controller.

 

 

Auto-association

  • The auto-association feature helps with the visibility of an AirGroup server if it needs to be seen across a broader area. It enables attaching an AirGroup server to an AP-name, AP-group or AP-FQLN, and any AirGroup users associated to that AP-name etc. will automatically see that AirGroup server.
  • The auto-association feature can be applied at the AirGroup Service level as well (AirPlay etc.). All AirGroup servers advertising that service will be seen by AG users associated to that AP-name/AP-group/AP-FQLN.
  • Use case – in a multi-floor building, you want users on Floor-10 to have access to a printer on Floor-10. You can define a location-based policy and attach the printer to an AP-group for Floor-10, and users belonging to that AP-group will be able to access that printer.

 

 



Solution:

 

Controller based AirGroup Policies

 
  • Policies can be configured on the controller to limit the visibility of AirGroup servers to the intended AirGroup users
  • Policies can be configured based on shared user-list, shared role-list and shared group-list 
  • Location based policies for AirGroup devices can be configured based on ap-name, ap-group and ap-fqln
  • This was done in CPPM prior to v6.4.3

 

 

Auto-association

  • Enables AG users to discover AG servers based on:
      • AP or its neighbours
      • AP-Group
      • AP-FQLN
  • Auto-associate can be enabled at:
      • AirGroup Server
      • AirGroup Service level (AirPlay etc.)

 



Configuration:
 

This configuration defines a policy for an AG server based on its MAC address and shares this server among a list of users, roles, groups and locations.

 

  • Mac Address Based Policy Configuration


   (config) #airgroup policy <AG-Server-mac>

 

    (config-airgroup-policy) #?
    userlist
    rolelist
    grouplist
    location 
    no

 

  • Configuration – Shared user list

Configuration to add/remove users in a shared user-list.

Configuring shared user-list
    (Aruba) (config-airgroup-policy) #userlist ?

Adding a user-name:
   (config-airgroup-policy) #userlist add Bob          


Deleting a user-name from the shared user-list:
   (config-airgroup-policy) #userlist remove Bob       


Deleting the entire shared-user list:
   (config-airgroup-policy)# no userlist    

  

  • Configuring Shared user-role 

  (Aruba) (config-airgroup-policy) #rolelist ?


Adding a shared-role:
  (config-airgroup-policy) #rolelist add <name-string>             


 Deleting a role from the shared role-list:
  (config-airgroup-policy) #rolelist remove <name-string>       


Deleting the entire shared-role list:
  (config-airgroup-policy) #no rolelist

  • Configuration – Shared user group

Configuring shared user-group
  (config-airgroup-policy) #grouplist add <name-string>             

Removing a shared user-group
  (config-airgroup-policy) #grouplist remove <name-string>      
 
Disable user-group based sharing 
  (config-airgroup-policy) #no grouplist

  • Configuration – Shared location


 Configuring shared location
   (config-airgroup-policy) #location ? 
    ap-group
    ap-fqln
    ap-name
    no

Auto-association configuration:

 

  • Adding an ap-group to shared-location

(config-airgroup-policy) #location ap-group  bldg1                     

  • Deleting an ap-group from shared-location

(config-airgroup-policy) #location ap-group remove bldg1        

 

  • Enabling location auto-association for ap-group

(config-airgroup-policy) #location ap-group auto        
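
An added example (not part of the original article and not Aruba tooling): a small Python audit that reads `airgroup policy` stanzas and lists the AirGroup servers that still have the default visibility, have a policy with no shared list or location, or have location auto-association enabled. The stanza layout, the MAC addresses and the role name `employee` are constructed; how a saved configuration actually prints these policies is an assumption.

```python
import re

# Constructed sample; the saved-config layout is an assumption (mirrors the CLI).
SAMPLE_CONFIG = """\
airgroup policy 00:11:22:33:44:55
  userlist add Bob
  rolelist add employee
  location ap-group bldg1
!
airgroup policy 00:11:22:33:44:66
  location ap-group auto
!
airgroup policy 00:11:22:33:44:77
!
"""
KNOWN_SERVERS = ["00:11:22:33:44:%d" % n for n in (55, 66, 77, 88)]  # constructed

POLICY_RE = re.compile(r"^airgroup policy (\S+)$")
LIST_RE = re.compile(r"^(userlist|rolelist|grouplist)\s+add\s+(\S+)$")
LOC_RE = re.compile(r"^location\s+(ap-name|ap-group|ap-fqln)\s+(\S+)$")

def parse_policies(text):
    """Return {mac: {'userlist': [...], ..., 'location': [(kind, value)]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := POLICY_RE.match(line)):
            current = policies.setdefault(m.group(1).lower(), {
                "userlist": [], "rolelist": [], "grouplist": [], "location": []})
        elif line == "!":
            current = None  # end of stanza; ignore unrelated config lines
        elif current is not None and (m := LIST_RE.match(line)):
            current[m.group(1)].append(m.group(2))
        elif current is not None and (m := LOC_RE.match(line)):
            current["location"].append((m.group(1), m.group(2)))
    return policies

def audit(text, known_servers):
    """List servers whose visibility is not narrowed by a policy."""
    policies, findings = parse_policies(text), []
    for mac in map(str.lower, known_servers):
        pol = policies.get(mac)
        if pol is None:
            findings.append((mac, "no policy: visible to every AirGroup user"))
        elif not any(pol.values()):
            findings.append((mac, "policy has no shared list or location"))
        elif any(value == "auto" for _, value in pol["location"]):
            findings.append((mac, "location auto-association enabled"))
    return findings
```

Running `audit(SAMPLE_CONFIG, KNOWN_SERVERS)` gives the list of servers to review before relying on the policies for access restriction.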

 

Service level Auto-associate

Configure auto-association at the AirGroup Service level for AP-name, AP-Group and AP-location. Users associated to that AP-name/AP-group/AP-FQLN will automatically see all AirGroup servers that advertise the AG service.

 

(Aruba) (config) #airgroupservice ?
    STRING                  AirGroup Service

(Aruba) (config) #airgroupservice airplay

(Aruba) (config-airgroupservice) #autoassociate ?
    apfqln                  Auto tag with AP FQLN
    apgroup                 Auto tag with AP Group
    apname                  Auto tag with AP Name

(Aruba) (config-airgroupservice) #autoassociate apname <AP-Name-String>
(Aruba) (config-airgroupservice) #autoassociate apgroup <AP-Group-String>
(Aruba) (config-airgroupservice) #autoassociate apfqln <AP-fqln-String>

 

Configuration GUI – Device level Auto-associate

 

 

 

GUI-Service level Auto-associate

 

 

 



Verification


Debugging commands

Enable mdns logging using the following commands -

    #logging level debugging user process mdns
    #logging level debugging system process mdns

 

  • Command to see policy entries

 

 

  • Command to see service level Auto-associate

 

 

  • Command to see the records of each of the AirGroup servers and the buckets (AP name/FQLN) into which they fall

This command shows how the AirGroup devices fall into different buckets based on the controller based policies.

In this example, the AirGroup device (10.70.21.32) is configured under the AP bucket.

This bucketing mechanism also helps with scalability. With AOS v6.4.3, the scalability in terms of number of AirGroup users and servers has been increased to the platform limit of the controller. For example, for the 7240 controller, the number of AirGroup users and servers is 32K (the maximum number of clients supported by the 7240 controller). Fetching an entry for an AirGroup device from the cache entries (with this increased scalability) was a challenge. The bucketing mechanism helps by finding the client entries belonging to a specific bucket and fetching from the entries in that bucket.

 

 

A few additional commands to find log files and tech-support:

#show airgroup servers verbose
#show log user all
#show log system all
#show tech-support <file-name>

 

 

 

Version history
Revision #:
2 of 2
Last update:
‎07-16-2015 03:43 AM