Higher Education

Currently, we're basically dealing with it and supporting the faculty as best we can for the use of a non-enterprise product in an enterprise environment.  Forcing those that insist on using it to apply a password on the device.   Then we warn them repeatedly that everyone in the building with an Apple device can see that ATV, and if they fail to secure it, we're not responsible for what ends up on the screen in the middle of their class.

That's correct.  We've assigned two /22 blocks for wireless (One for an SSID using WPA2 Enterprise, the other is for an open SSID secured via Captive Portal) to each of our buildings, and everyone in the building shares the same space.

We have had major issues getting Apple TV to work in our school - it is almost a year now and we have made a lot of progress with Aruba but are still not there yet.

As you mention - one vlan with broadcast turned on (that is Bonjour enabled) and it works fine. But this goes against good network design. We have multiple VLANS and drop broadcast and multicast - so the first issue was even getting the Apple TV's to show up.

Also - bonjour does not work across a NAT'd subnet  - another thing to watch out for...

Anyway - when Airgroup was released we thought we had found the answers to all our issues. But their initial release failed to mention that it didn't;t support multiple controllers - so we (our vendor and eventually Aruba) spent weeks trying to work out why it wouldn't.

Eventually the word filtered down from the US that multi controller would be supported in the next firmware release.

Great - no issues - at least we know why. So Apple TV now does work - but because we want to roll out 100 of them across campus - we needed a solution to restrict who could see what - Clearpass!!

Yes - clearpass advertises quite clearly that it supports restrict airplay devices by user and or locations. Perfect - we have clearpass already so let's go for it. Nope...Can't get it to work. Again over a week with engineers on site to finally tell us the issue is that it doesn't work with VRRP - only LMS.  Really??? REALLY??? Why is this not written on the box? Anyway - again - look at the big picture and if they have finally worked out why and we need to use LMS instead of VRRP then OK.

Implement the first restriction to limit the Year 6 Apple TV's to only be seen by clients on the Year 6 105 AP's and it sort of works. Sometimes you cannot see them other times you can...it is anything but stable.

Over 2 weeks now and they still do not have a solution. To their credit they are obviously not giving up and agree that it should work - but still struggling to work out why.

As an aside  - with the latest update in Apple TV you can now have the APple TV prompt for an onscreen random password each time you connect. This means that only people in the room who can see the screen can therefore see the password and connect.

This is better for us than having to remember static passwords and manage the issues if they leak. Also - as the kids are still on a NAT'd "guest" vlan they can't connect anyway - only the teachers on the internal vlan...but that is another thing we need to address....sigh.....

AirGroup is only officially supported in ArubaOS 6.3.0.0, which was released a couple of weels ago for Early Deployment.

I guess you ewere using the alpha & beta versions in a Production environment. You can expect problems when you do that.

Aruba should not announce new features that are nowhere neear ready for Production. AirGroup was officially announced at AirHeads 18 months before all the needed software ras released. This is unacceptable! 

Actually, I believe Apple said that AirPlay would work in the enterprise before Aruba announced AirPlay. A petition from the EDUCAUSE WLAN fgroup, along with other pressures, caused Apple to propose some mDNS enterprise extensions.  There is an IETF working group working on the details. If implemented, solutions such as AirGroup could become obsolete.

Bruce

Are you able to point me to where it says Airgroup is only officially supported on 6.3.0.0?

At no time have we been advised that Airgroup is in beta mode.... this is what we have been told direct from TAC several months ago,,

"Airgroup 6.1.3.4 is not supported on multiple controllers in integrated mode"

We are being advised to update to 6.1.3.6-airgroup, which was just released last week which does support this.

We were advised that the airgroup feature would be rolled up into the main firmware release in due course - but never advised that it was not fit for production.

I would never knowingly use beta products in a production environment - and if so I need to follow this up with Aruba.

Wally

I may have misspoke.

Aruba "forked" their code to develop AirGroup as a Technology Preview,, but AirGroup is fully integrated in the main OS tree in 6.3.0.0. The Technology Preview is not generally current. Notice the latest Airgroup version is 6.1.3.6, but the latest Aruba OS General Availability versions are 6.1.3.9&  6.2.1.2.

The Early Deployment 6.3.0.0 is available for early adopters.