How does the communication between ClearPass and a controller work for per-user, per-device AirGroup?
1. CPPM learns which controller a given AppleTV is associated with from the one-time MAC-auth request that AirGroup (on AOS) sends to CPPM when the AppleTV connects to the network.
2. If there is a policy change in CPGuest, a Change of Authorization (CoA) is sent from CPGuest to the controller that has the AppleTV attached to it. The CoA can carry the modified shared user list, shared group list, shared role list, shared location, etc. as RADIUS VSAs. This CoA modifies the entry for this AppleTV on the controller.
3. In addition, the controller detects whether the shared user list in the incoming CoA has changed. If it has, the controller sends the mDNS records of this AppleTV to the newly allowed users in the incoming shared user list. The controller also sends negative records for the AppleTV to users who are no longer permitted by the incoming shared user list, which makes the AppleTV disappear from those users' devices.
If AirGroup is in a multi-controller domain, it is expected to work across controllers as well.
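The sketch below models steps 2 and 3 from the controller's side: it diffs the shared user list carried in a CoA against the stored entry and builds the mDNS packet each affected user would receive. It is an added example, not Aruba's implementation. It assumes the shared user list VSA has already been decoded into a list, that a "negative record" is an mDNS goodbye (TTL 0, RFC 6762 section 10.1), and that the service type is `_airplay._tcp.local`; the user and instance names are constructed.

```python
import struct

# Assumptions (not from the page): the CoA's shared user list is already decoded
# into a Python list, a "negative record" is modelled as an mDNS goodbye
# (TTL 0, RFC 6762 section 10.1), and all names below are constructed.
SERVICE = "_airplay._tcp.local"
ANNOUNCE_TTL = 4500  # 75 minutes, RFC 6762 recommended TTL for non-host-name records

def encode_name(name):
    """Encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def ptr_response(instance, ttl):
    """Build an mDNS response holding one PTR record: SERVICE -> instance."""
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, one answer
    rdata = encode_name(f"{instance}.{SERVICE}")
    rr = encode_name(SERVICE) + struct.pack("!HHIH", 12, 1, ttl, len(rdata))
    return header + rr + rdata

def apply_coa(entry, coa_shared_users):
    """Update the device entry; return {user: packet} for users whose view changes."""
    old, new = set(entry["shared_users"]), set(coa_shared_users)
    entry["shared_users"] = sorted(new)
    # Newly allowed users get a normal announcement of the device.
    packets = {u: ptr_response(entry["instance"], ANNOUNCE_TTL) for u in new - old}
    # Users removed from the list get a goodbye so the device drops from their cache.
    packets.update({u: ptr_response(entry["instance"], 0) for u in old - new})
    return packets

def record_ttl(packet):
    """Read the TTL of the single answer record back out of a packet."""
    pos = 12                    # skip the fixed 12-byte DNS header
    while packet[pos]:          # skip the labels of the owner name
        pos += 1 + packet[pos]
    return struct.unpack_from("!I", packet, pos + 1 + 4)[0]  # past root, type, class

if __name__ == "__main__":
    entry = {"instance": "Lobby-AppleTV", "shared_users": ["alice", "bob"]}  # constructed
    for user, pkt in sorted(apply_coa(entry, ["bob", "carol"]).items()):
        print(user, "goodbye" if record_ttl(pkt) == 0 else "announce", len(pkt))
```

A user who stays on the list receives nothing, so a CoA that leaves the shared user list unchanged produces no mDNS traffic.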