Contributor I
Posts: 36
Registered: ‎10-27-2007

AirGroup without ClearPass

We've evaluated ClearPass before and found it unsuitable for our needs vs running FreeRADIUS ourselves and writing unlang based policy rules with SQL checks and LDAP/AD.

We're interested in deploying AirGroup in the following way:

We'd like to set up by default that users can only see devices owned by the same user.

Additionally we'd like to set up an SQL table with each row defining a pairing of role and MAC address where if you're in the role and in the same building then you can additionally see the device associated with the MAC address in addition to your own devices.

My understanding is the ClearPass integration with AirGroup occurs over RADIUS. I see FreeRADIUS has added the following attributes to the aruba dictionary file:

Aruba-CPPM-Role
Aruba-AirGroup-User-Name
Aruba-AirGroup-Shared-User
Aruba-AirGroup-Shared-Role
Aruba-AirGroup-Device-Type

Is there documentation on how to populate those fields?

I'd rather not have to spend time figuring this out from packet captures from a trial version.

Thanks.

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: AirGroup without ClearPass


That is not possible. There is a great deal more to CPPM airgroup than just radius attributes and SQL.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 36
Registered: ‎10-27-2007

Re: AirGroup without ClearPass

So what exactly does CPPM airgroup do that can't be done with a RADIUS server and writing your own script? The documentation is a tad too detail free for my liking.

Thanks.

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: AirGroup without ClearPass


I think you are a good candidate for a briefing from your Aruba Sales person. 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 36
Registered: ‎10-27-2007

Re: AirGroup without ClearPass

Oh boy oh boy oh boy! :smileyhappy:

Thanks. I'll ping the respective party when I get a moment.

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: AirGroup without ClearPass

Feel free to read this explanation of Airgroup Capabilities here: http://www.arubanetworks.com/pdf/technology/TB_AirGroupWLANServices.pdf

Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 28
Registered: ‎06-03-2013

Re: AirGroup without ClearPass

I feel your pain, blocke! We're in the same boat. We're investigating how to have similar functionality as Airgroup/ClearPass without ClearPass and its ridiculous license fees.

We own and currently are using it for radius authentication but don't feel good about paying so much for a repackaged open source solution.

Luckily for us, the requests for Airgroup functionality have decreased since Apple introduced the Bluetooth discovery mechanism.

Fred

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: AirGroup without ClearPass

If you already own it and are using it for RADIUS, why don't you use it for AirGroup? There are no additional licenses.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 28
Registered: ‎06-03-2013

Re: AirGroup without ClearPass

The ridiculous license fees I mentioned are for everything else. It gets a bit expensive when you're dealing with up to 92,000 unique devices per day. And the only way to increase CPPM licenses is to buy another server? There's a hard max of 25K licenses per server.

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: AirGroup without ClearPass

But my question is, if you are already using CP as your radius server, why not enable the AirGroup functionality?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP