2 weeks ago
I'm having trouble working with and understanding Shared Locations for a managed printer.
I currently have the printer setup in CPGuest with some shared users for airprint and it is working great, but we want to change from user restriction to location. We want to change it so the printer will only be accessible to people connected to the IAP where the printer is located. This IAP is the only one in its building, but is apart of a cluster from the next building over.
I was hoping the Shared Locations would automatically populate with IAPs names, but it did not. I saw there is some way to do AP-name=name for shared location by modifying the form view, but I want to properly understand how Shared Locations works and the best way to meet my requirement first, if Shared Locations will even meet my requirement.
I appreciate any insight, thank you.
a week ago
Much of the information on Airgroup is in the User Guide for Aruba Instant. It is in its own section: Services - Airgroup.
In that section, it states that Shared Location is not available on Aruba Instant in the current versions:
When AirGroup discovers a new device, it interacts with ClearPass Policy Manager to obtain the shared attributes such as shared location and role. However, the current versions of IAPs do not support the
enforcement of shared location policy.
If I read your expectation correctly that Airgroup works across different clusters, I believe that is not in the current firmware. The Airgroup proxy (and thus visibility) is local to an IAP cluster. An example that is described in the user guide, is where users see printers/devices in their own cluster, which in most cases is what you want. What might work in your case is if you can expose the Airgroup devices that you want to share on the single AP as a L2 (vlan) to that Instant AP. It depends on the network design if that is a solution in your case.
Did this help?
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
a week ago
Thank you for the detailed response. I had been going over the ClearPass guide instead of the Instant user guide. As the instant user guide states the current version doesnt support shared locations, it sounds like it may be coming in a later version. This will be an excellent feature once the IAPs are compatible with it, I'll have to wait until then.
I had thought that when instant is integrated with CPPM, location based enforcement was possible as it states that in the Instant user guide. I might have just not understood the wording correctly.
Creating a separate L2 VLAN for it would work, but isn't currently possible. I won't be able to create a VLAN for this purpose as we have hit the maximum amount of VLANs our infrastructure can support until we make some large changes (planned throughout the coming year). I'm still waiting to deploy a few more IAP clusters but this problem is preventing that as well.
I'll either have to see how many users in that building require access to the printer, if that doesn't pass the shared users limit. Alternativley I can open it up to its cluster if my requirement isn't possible until a later unreleased version.
I have a secondary issue that has been popping up with airprint.
The printers that are using aiprint are accessible for about a week, but then no longer appear in the printer list on airprint capable devices. After rebooting the printer reauthenticates with clearpass and will work for another week.
I think this is either Clearpass timing out the printer, but the printer isn't reauthenticating when it wakes up. Any thoughts?