Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AirPlay with AirGroup for Guests

  • 1.  AirPlay with AirGroup for Guests

    Posted Jan 17, 2013 08:21 AM

    Hello,

    We are already using AirGroup and AirPlay in our environment but now we have the special requirement that guests should be able to connect to our Apple TV boxes in the conference rooms.

    The Guests are usually separated into their own VLAN 98 going out to one interface of the 650 controller to the internet uplink.

    The Apple TV resides in the VLAN 100. Firewall Rules explicitly deny all traffic from guest nets to the internal networks. Additionally I always disable "inter vlan routing" and enable "inter user bridging" and "inter user traffic".

    The point is that I'm only able to see AirGroup users from the VLAN 100 if I do a "show airgroup users" and no client (like iPad) from the VLAN 98. But if I do a "show airgroup vlan" I can see that AirGroup is enabled for all VLANs. Why?

    And generally: Is AirGroup a "secure" solution to give Guests Access to the Apple TV? Or is it more a way to allow Bonjour across different subnetworks...?

    Thanks in advance,

    PAW



  • 2.  RE: AirPlay with AirGroup for Guests

    EMPLOYEE
    Posted Jan 29, 2013 07:34 PM

    Utimately, what you allow from a protocol and firewall perspective will dictate your security posture.  Airgroup is not a security mechanism and anyone that you don't want talking across VLANs with certain protocols, you should block.  Airgroup does not violate security policy but ensures that users who would not normally see bonjour devices across subnets will then be able to.  if you have port udp 5353 blocked, they will not be able to see regardless.