How to configure Controller based AirGroup Policies & Auto-association?

Aruba Employee
Requirement:


By default, all AirGroup servers are visible to every AirGroup user. This feature enables configuring policies on the controller that limit the visibility of each AirGroup server to its intended AirGroup users. The admin can configure a shared user-list, shared role-list and shared group-list for each AirGroup server to limit that server's visibility to the intended AirGroup users.

The group-list is the same as the group defined in Active Directory. These configurations were done in CPPM prior to v6.4.3; they are now extended to the controller.

 

 



Solution:

AirGroup Policy

 

  • Policies can be configured on the controller to limit the visibility of AirGroup servers to the intended AirGroup users
  • Policies can be configured based on shared user-list, shared role-list and shared group-list 
  • Location based policies for AirGroup devices can be configured based on ap-name, ap-group and ap-fqln


Auto-association

  • Enables AG users to discover AG servers based on:
      1. AP or its neighbours
      2. AP-Group
      3. AP-FQLN
  • Auto-associate can be enabled at:
      - AG Server
      - AG Service level (Airplay etc)


Configuration:

This configuration defines a policy for an AG server based on its MAC address and shares this server among a list of users, roles, groups and locations.

Mac Address Based Policy Configuration

   (config) #airgroup policy <AG-Server-mac>


    (config-airgroup-policy) #?
    userlist
    rolelist
    grouplist
    location 
    no

Configuration – Shared user list

  • Configuration to add/remove users in a shared user-list.


Configuring shared user-list
    (Aruba7240) (config-airgroup-policy) #userlist ?
Adding a user-name:
    (config-airgroup-policy) #userlist add Bob
Deleting a user-name from the shared user-list:
    (config-airgroup-policy) #userlist remove Bob
Deleting the entire shared user-list:
    (config-airgroup-policy) #no userlist

 


Configuration – Shared user role

  • Configuration to add/remove a user-role in a shared role-list.

Configuring Shared user-role 
  (Aruba7240) (config-airgroup-policy) #rolelist ?

 

Adding a shared-role:

(config-airgroup-policy) #rolelist add <name-string>             

 Deleting a role from the shared role-list:
  (config-airgroup-policy) #rolelist remove <name-string>       

Deleting the entire shared-role list:
  (config-airgroup-policy) #no 

 

Configuration – Shared user group

  • Configuration to attach an AirGroup server to user groups.
  • The user group is defined in Active Directory.

 

Configuring shared user-group
  (config-airgroup-policy) #grouplist add <name-string>             

Removing a shared user-group
  (config-airgroup-policy) #grouplist remove <name-string>      
 
Disable user-group based sharing 
  (config-airgroup-policy) #no grouplist

 


Configuration – Shared location

 

  • Configure shared location based on AP-name, AP-group and AP-FQLN.
  • If you are configuring an AG server based on AP-name, AG devices attached to a one-hop neighbor of that AP will also be able to see AG Servers.

 

 Configuring shared location


   (config-airgroup-policy) #location ? 
    ap-group
    ap-fqln
    ap-name
    no

 

Configuration – Auto-association:

 

  • Configure Auto-association for an AG server based on AP-name, AP-Group and AP-location. Users associated to AP-name/AP-group/AP-FQLN will automatically see that AG Server.


Adding an ap-group to shared-location
(config-airgroup-policy) #location ap-group  bldg1                     

Deleting an ap-group from shared-location
(config-airgroup-policy) #location ap-group remove bldg1            

Enabling location auto-association for ap-group
(config-airgroup-policy) #location ap-group auto

Service level Auto-associate

(Aruba7240) (config) #airgroupservice ?
    STRING                  AirGroup Service


(Aruba7240) (config) #airgroupservice airplay


(Aruba7240) (config-airgroupservice) #autoassociate
    apfqln                  Auto tag with AP FQLN
    apgroup                 Auto tag with AP Group
    apname                  Auto tag with AP Name
(Aruba7240) (config-airgroupservice) #autoassociate apname <AP-Name-String>
(Aruba7240) (config-airgroupservice) #autoassociate apgroup <AP-Group-String>
(Aruba7240) (config-airgroupservice) #autoassociate apfqln <AP-fqln-String>

 


Configuration GUI – Device level Auto-associate

 

 

 

 


Configuration GUI – Service level Auto-associate

 

 

 



Verification


  • Enable mdns logging using the following commands:

    #logging level debugging user process mdns
    #logging level debugging system process mdns


Command to see policy entries

  • This command shows policy entries for controller based policies. It shows the policy defined for a particular AirGroup device.

In the above example, the device is mapped to an AP-group based policy.

 

Command to see service level Auto-associate

 

 

Command to see records of each of the AirGroup servers and the buckets (AP name/FQLN) into which they fall

 

Debugging commands


show airgroup servers verbose
show log user all
show log system all
show tech-support <file-name>
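
An offline check to complement the show commands above, as an added example that is not part of the original article or any Aruba tooling: it parses policy stanzas written with the commands on this page and reports which known AirGroup servers have no sharing restriction. The stanza layout, the MAC addresses, the names and the KNOWN_SERVERS inventory are assumptions constructed for illustration.

```python
# Added example. ASSUMPTION: stanza layout ("airgroup policy <mac>", indented
# sub-commands, "!" terminator) mirrors this page's commands; values constructed.
SAMPLE_CONFIG = """\
airgroup policy 00:11:22:33:44:55
    userlist add Bob
    location ap-group bldg1
    location ap-group auto
!
airgroup policy 00:11:22:33:44:66
    rolelist add guest
    rolelist remove guest
!
"""
KNOWN_SERVERS = ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"]
LISTS = ("userlist", "rolelist", "grouplist")
LOCATIONS = ("ap-name", "ap-group", "ap-fqln")

def _apply(policy, scope, action, name):
    names = policy.setdefault(scope, set())
    names.add(name) if action == "add" else names.discard(name)
    if not names:
        del policy[scope]          # an emptied list no longer restricts anything

def parse_policies(text):
    """Return {mac: {scope: set(names)}} for every 'airgroup policy' stanza."""
    policies, cur = {}, None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[:2] == ["airgroup", "policy"] and len(w) == 3:
            cur = policies.setdefault(w[2].lower(), {})
        elif w[0] == "!" or cur is None:
            cur = None             # stanza ended, or line is outside any stanza
        elif w[0] == "no" and len(w) == 2 and w[1] in LISTS:
            cur.pop(w[1], None)    # "no userlist" drops the whole list
        elif w[0] in LISTS and len(w) == 3 and w[1] in ("add", "remove"):
            _apply(cur, w[0], w[1], w[2])
        elif w[0] == "location" and len(w) in (3, 4) and w[1] in LOCATIONS and w[-1] != "auto":
            action = "remove" if len(w) == 4 and w[2] == "remove" else "add"
            _apply(cur, "location " + w[1], action, w[-1])  # "auto" is a keyword, skipped
    return policies

def audit(text, known_servers):
    """Map each known server MAC to a finding about its sharing scope."""
    policies, out = parse_policies(text), {}
    for mac in known_servers:
        scopes = policies.get(mac.lower())
        out[mac] = ("no policy: default visibility to every AirGroup user" if scopes is None
                    else "policy without any sharing restriction" if not scopes
                    else "restricted by " + ", ".join(sorted(scopes)))
    return out
```

Servers reported with no policy fall under the default described at the top of this article, where every AirGroup user can see them.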

 

 

 

 

Version history
Revision #: 2 of 2
Last update: 06-10-2015 05:56 AM
Comments
chilihead

Hello,

 

It seems that the AG policy feature doesn't work with Apple TV generation V4, I can see Apple TV devices which have been assigned to a specific AP-group also on APs of a different AP-group. With older generations it works fine.

Is this a known issue?

 

Thanks,

Robert
