Controller based AirGroup Policies
By default all AirGroup servers are visible to every AirGroup user.
- This feature enables configuring policies on the controller for AirGroup servers, limiting the visibility of each AirGroup server to its intended AirGroup users. The admin can configure a shared user-list, shared role-list and shared group-list for each AirGroup server to limit that server's visibility to the intended AirGroup users.
- The group-list is the same as the group defined in Active Directory.
- These configurations were done in CPPM prior to v6.4.3; they are now extended to the controller.
- The auto-association feature helps with the visibility of an AirGroup server if it needs to be seen across a broader area. This feature enables attaching an AirGroup server to an AP-name, AP-group or AP-FQLN, and any AirGroup users associated to that AP-name etc. will automatically see that AirGroup server.
- The auto-association feature can be applied at the AirGroup service level as well (AirPlay etc.). All AirGroup servers advertising that service will be seen by AG users associated to that AP-name/AP-group/AP-FQLN.
- Use case: in a multi-floor building, you want users on Floor-10 to have access to a printer on Floor-10. You can define a location-based policy and attach the printer to an AP-group for Floor-10, and users belonging to that AP-group will be able to access that printer.
Controller based AirGroup Policies
- Policies can be configured on the controller to limit the visibility of AirGroup servers to the intended AirGroup users
- Policies can be configured based on shared user-list, shared role-list and shared group-list
- Location based policies for AirGroup devices can be configured based on ap-name, ap-group and ap-fqln
- This was done in CPPM prior to v6.4.3
- Enables AG users to discover AG servers based on AP or its neighbours
- Auto-associate can be enabled at AirGroup server level or AirGroup service level (AirPlay etc.)
This configuration defines a policy for an AG server based on its MAC address and shares this server among a list of users, roles, groups and locations.
- MAC Address Based Policy Configuration
(config) #airgroup policy <AG-Server-mac>
- Configuration – Shared user list
Configuration to add/remove users in a shared user-list.
Configuring shared user-list
(Aruba) (config-airgroup-policy) #userlist ?
Adding a user-name:
(config-airgroup-policy) #userlist add Bob
Deleting a user-name from the shared user-list:
(config-airgroup-policy) #userlist remove Bob
Deleting the entire shared-user list:
(config-airgroup-policy) #no userlist
- Configuring Shared user-role
(Aruba) (config-airgroup-policy) #rolelist ?
Adding a shared-role:
(config-airgroup-policy) #rolelist add <name-string>
Deleting a role from the shared role-list:
(config-airgroup-policy) #rolelist remove <name-string>
Deleting the entire shared-role list:
- Configuration – Shared user group
Configuring shared user-group
(config-airgroup-policy) #grouplist add <name-string>
Removing a shared user-group
(config-airgroup-policy) #grouplist remove <name-string>
Disable user-group based sharing
(config-airgroup-policy) #no grouplist
- Configuration – Shared location
Configuring shared location
(config-airgroup-policy) #location ?
- Adding an ap-group to shared-location
(config-airgroup-policy) #location ap-group bldg1
- Deleting an ap-group from shared-location
(config-airgroup-policy) #location ap-group remove bldg1
- Enabling location auto-association for ap-group
(config-airgroup-policy) #location ap-group auto
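An added example (not Aruba's code and not part of the original material): a short Python script that replays the per-server policy commands shown above and lists the servers whose policy ends up with no shared user, role, group or AP-group restriction, so they can be reviewed. The input format (one command per line, prompts stripped), the MAC addresses and the names are constructed for illustration; only the `location ap-group` forms and the two `no` forms shown above are handled.

```python
# Constructed sample: commands in the syntax shown above, prompts stripped.
SAMPLE = """\
airgroup policy 00:11:22:33:44:55
userlist add Alice
userlist add Bob
userlist remove Bob
airgroup policy 66:77:88:99:aa:bb
grouplist add printing
no grouplist
location ap-group bldg1
location ap-group remove bldg1
airgroup policy cc:dd:ee:ff:00:11
location ap-group auto
"""

LISTS = ("userlist", "rolelist", "grouplist")
SETS = LISTS + ("ap-group",)
NO_FORMS = ("userlist", "grouplist")  # only the "no" forms shown above

def replay(commands):
    """Replay policy commands; return {server MAC: resulting policy state}."""
    policies, cur = {}, None
    for tok in filter(None, map(str.split, commands.splitlines())):
        if tok[:2] == ["airgroup", "policy"] and len(tok) == 3:
            cur = policies.setdefault(tok[2].lower(), {"auto": False, **{k: set() for k in SETS}})
        elif cur is None:
            raise ValueError("command outside a policy: " + " ".join(tok))
        elif tok[0] in LISTS and len(tok) == 3 and tok[1] == "add":
            cur[tok[0]].add(tok[2])
        elif tok[0] in LISTS and len(tok) == 3 and tok[1] == "remove":
            cur[tok[0]].discard(tok[2])
        elif tok[0] == "no" and len(tok) == 2 and tok[1] in NO_FORMS:
            cur[tok[1]].clear()
        elif tok[:2] == ["location", "ap-group"] and tok[2:] == ["auto"]:
            cur["auto"] = True
        elif tok[:2] == ["location", "ap-group"] and len(tok) == 4 and tok[2] == "remove":
            cur["ap-group"].discard(tok[3])
        elif tok[:2] == ["location", "ap-group"] and len(tok) == 3:
            cur["ap-group"].add(tok[2])
        else:
            raise ValueError("unrecognised command: " + " ".join(tok))
    return policies

def unrestricted(policies):
    """MACs whose policy ends with no shared list and no location scope."""
    return sorted(mac for mac, p in policies.items()
                  if not (any(p[k] for k in SETS) or p["auto"]))

if __name__ == "__main__":
    print("review these policies:", unrestricted(replay(SAMPLE)))
```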
Service level Auto-associate
Configure auto-association per AirGroup service for AP-name, AP-group and AP-FQLN. Users associated to that AP-name/AP-group/AP-FQLN will automatically see all AirGroup servers that advertise the AG service.
(Aruba) (config) #airgroupservice ?
STRING AirGroup Service
(Aruba) (config) #airgroupservice airplay
apfqln Auto tag with AP FQLN
apgroup Auto tag with AP Group
apname Auto tag with AP Name
(Aruba) (config-airgroupservice) #autoassociate apname <AP-Name-String>
(Aruba) (config-airgroupservice) #autoassociate apgroup <AP-Group-String>
(Aruba) (config-airgroupservice) #autoassociate apfqln <AP-fqln-String>
Configuration GUI – Device level Auto-associate
GUI-Service level Auto-associate
Enable mDNS logging using the following commands:
#logging level debugging user process mdns
#logging level debugging system process mdns
- Command to see policy entries
- Command to see service level auto-associate
- Command to see the records of each of the AirGroup servers and the buckets (AP name/FQLN) they fall into
This command shows how the AirGroup devices fall into different buckets based on the controller-based policies.
In this example, the AirGroup device (10.70.21.32) is configured under the AP bucket.
This bucketing mechanism also helps with scalability. With AOS v6.4.3, the scalability in terms of the number of AirGroup users and servers has been increased to the platform limit of the controller. For example, for the 7240 controller, the number of AirGroup users and servers is 32K (the maximum number of clients supported by the 7240 controller). Fetching an entry for an AirGroup device from the cache entries (with this increased scalability) was a challenge. The bucketing mechanism helps by finding the client entries belonging to a specific bucket and fetching from the entries in that bucket.
A few additional commands to find log files and tech-support:
#show airgroup servers verbose
#show log user all
#show log system all
#show tech-support <file-name>