AirGroup in ArubaOS 6.3

Could somebody explain how the role/location restrictions work for shared resources defined in ClearPass?

I have been testing AirGroup with ClearPass used for device registration, and the role and location restrictions on devices seem a bit hit and miss. My understanding is that the restrictions have an 'AND' logic, so if you place a role and a location restriction on a device, the user must have the specified role and be in the specified location. Is this correct?

Also, how does the individual AP-Name location restriction work? I have added a shared resource of an Apple TV and added a single AP to the shared locations. Does this then mean anybody on that AP only can access the resource, or does it also include the AP that the Apple TV is associated to?

Any advice would be greatly appreciated.

Thanks


David

David
ACDX #98 | ACMP | ACCP

Re: AirGroup in ArubaOS 6.3

Hi David,

For the AP name, please see below:

• AP-Group – All users connected to APs in this ap-group can access the shared device.
• AP FQLN – All users connected to APs on the same floor, or to APs on a floor above or below the shared device, can access it.
• AP-Name – All users connected to the same AP or to its one-hop RF neighbors can access the shared device.

If you are using the FQLN:
For location-based access, the AP FQLNs (Fully Qualified Location Names) should be configured in the following format:
• “<ap name>.<floor name>.<building>.<campus>”
• The floor name should be specified as floor <number>
• The AP name should not contain any periods ( . ).
• E.g.: AP105-1.Floor 1.TowerD.Aruba
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com

Re: AirGroup in ArubaOS 6.3

Here are a couple of things to keep in mind:

  1. AP-Name is not exclusive to that specific AP. What I mean by this is the controller does a sort of 'show ap arm neighbors' to find the nearby APs around the AP-Name that you have entered. So, as long as you are in that area, you can see the AppleTV (assuming other conditions are met).
  2. Here is a breakdown of how the conditions work: (Shared Location AND Shared Role) OR (Shared Location AND Shared User). What this means is that you could have ATV1 with a shared location of AP1 and a shared role of employee. Only employee role users in the area of AP1 would see ATV1. However, if you added a shared user student1 in addition to those conditions, then any employee in the area of AP1 would be able to see ATV1, and student1, if student1 was in the area of AP1, would be able to see ATV1.
  3. If you upgrade to ClearPass 6.1, we give you the multi-selection tool for locations and roles (so you don't have to worry about the format of AP-Name). We pull this information directly from the controllers.

#1 is a very important concept. In a dense environment, you cannot guarantee which AP the user is going to connect to. This AP area feature makes setup much easier. You don't have to add every possible AP that the user could be connected to.

As far as your question about the AP that the Apple TV is connected to: no, only if that AP is in the area of the AP-Name. In fact, we really don't care where the Apple TV is connected. Even though the restrictions are set for the MAC address of the Apple TV, we are enforcing those restrictions on the client connection. My favorite example for this is that you could have an Apple TV in Paris and the shared location be in New York. As long as the controller in NY sees the Apple TV in Paris (think L2 to an untrusted port on the controller in NY, or an AP terminating on the controller in NY), then only the people in NY would be able to AirPlay to the Apple TV in Paris (assuming the location was set to an AP in NY).

Hope this makes sense. Also, keep in mind that you do not need to disable drop broadcast/multicast on the controller in order for AirGroup to work. In fact, I recommend dropping broadcast/multicast, especially in dense environments.

Thanks,

Zach Jennings
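The access logic Zach describes, (Shared Location AND Shared Role) OR (Shared Location AND Shared User), evaluated against the client's AP with AP-Name locations expanded to one-hop RF neighbours and FQLN locations matched by building and adjacent floor, written out as a small policy evaluator. This is an added illustration, not AirGroup or ClearPass code; the neighbour map, FQLNs, device MAC and usernames are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Callable

# Constructed sample data (not from the thread): RF neighbours as a controller's
# 'show ap arm neighbors' might report them, and FQLNs in the
# "<ap name>.<floor name>.<building>.<campus>" format from Seth's reply.
RF_NEIGHBORS: Dict[str, Set[str]] = {
    "AP1": {"AP2"},
    "AP2": {"AP1", "AP3"},
    "AP3": {"AP2"},
    "AP-NY": set(),
}
FQLN: Dict[str, str] = {
    "AP1": "AP1.floor 1.TowerD.Aruba",
    "AP2": "AP2.floor 2.TowerD.Aruba",
    "AP3": "AP3.floor 3.TowerD.Aruba",
    "AP-NY": "AP-NY.floor 1.Tower1.NewYork",
}

@dataclass
class SharedDevice:
    mac: str                      # constructed placeholder, not a real device
    shared_locations: Set[str]    # AP names used as the shared location
    shared_roles: Set[str] = field(default_factory=set)
    shared_users: Set[str] = field(default_factory=set)

def in_ap_name_area(client_ap: str, location_ap: str) -> bool:
    """AP-Name location: the client is on that AP or on a one-hop RF neighbour."""
    return client_ap == location_ap or client_ap in RF_NEIGHBORS.get(location_ap, set())

def in_fqln_area(client_ap: str, location_ap: str) -> bool:
    """AP FQLN location: same building and campus, same floor or one floor away."""
    def parse(ap: str):
        _name, floor, building, campus = FQLN[ap].split(".")
        return int(floor.split()[1]), building, campus   # "floor 2" -> 2
    f1, b1, c1 = parse(client_ap)
    f2, b2, c2 = parse(location_ap)
    return (b1, c1) == (b2, c2) and abs(f1 - f2) <= 1

def can_see(device: SharedDevice, username: str, role: str, client_ap: str,
            match: Callable[[str, str], bool] = in_ap_name_area) -> bool:
    """(Location AND Role) OR (Location AND User), checked on the *client's* AP.
    Where the shared device itself is connected plays no part in the decision."""
    in_location = any(match(client_ap, loc) for loc in device.shared_locations)
    return in_location and (role in device.shared_roles or username in device.shared_users)
```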

Re: AirGroup in ArubaOS 6.3

Thanks to both SethFiermonti and zjennings for your answers; they help greatly.

I was coming unstuck with the APs in the RF neighbourhood of the AP specified.

I am indeed using ClearPass 6.1 and the lookup tools are great.

Thanks again

David

David
ACDX #98 | ACMP | ACCP