Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Airgroup + Clearpass Enforce Registration

I am slightly confused about the AirGroup functionality. We have had it running without the ClearPass tie-in, allowing users to just access everything. We would like to start using the ClearPass piece, but only somewhat selectively. For example, if a student puts an Apple TV in their dorm room, I want it to connect and be visible to everyone. But I want the ability to let them register it and then share it with their roommates or something. Basically I want to allow things to work as they do now, but give people control if they want it. I was told it does not work this way, but then I found this section of the AirGroup guide which seems to say otherwise.

The AirGroup solution allows users to view all mDNS devices by default. AirGroup provides a set of policy definitions to allow or disallow one or more AirGroup servers from being visible to specific AirGroup users. If an AirGroup server is not registered on a CPPM server, by default, the server will be visible to all AirGroup users. The administrator has to register an AirGroup server to allow or disallow this server from being visible to specific AirGroup users. The following procedure registers an AirGroup server on a CPPM server:

When I enable "AirGroup CPPM enforce registration", all devices disappear from my AirPlay list. It does not matter if I register and share the device in ClearPass or not.

With "AirGroup CPPM enforce registration" disabled, I see every device but the sharing rules in ClearPass still don't have any effect.

I worked with an engineer to configure ClearPass for this, so it's added as an AirGroup AAA server and as an RFC 3576 server. I saw log entries for AirGroup as soon as I added them in there, so I believe they are talking correctly. So....

1. Can I do what I am trying to do?

2. How do I get it to do that?

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Airgroup + Clearpass Enforce Registration

You can't do hybrid. If you enforce registration, all AirGroup server devices need to be registered. The device registration portal is designed for end users to register their own devices.

Devices registered as personal will always be visible to the person who registered them. They can optionally share it with up to 10 people.

If the device is registered as shared and no other restrictions are added, everyone in the AirGroup domain can see the devices.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Airgroup + Clearpass Enforce Registration

And that is why I am confused. This line from the guide seems to indicate otherwise:

Quote:

If an AirGroup server is not registered on a CPPM server, by default, the server will be visible to all AirGroup users.

/quote

That sounds exactly like what I want. Visible to everyone unless I specify otherwise. If the system truly cannot do that, it seems to be a glaring flaw to me.....

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Airgroup + Clearpass Enforce Registration

That is not correct.

If the device is not registered, the advertisements will not be proxied. It's to stop users from seeing hundreds of devices.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Airgroup + Clearpass Enforce Registration

So you are saying the guide is incorrect? Or am I reading it wrong?

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Airgroup + Clearpass Enforce Registration

I think there may be a mistake in the guide. What code are you running?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Airgroup + Clearpass Enforce Registration


mwallen wrote:

So you are saying the guide is incorrect? Or am I reading it wrong?

mwallen,

Please let us know if you have a link to that guide so we can check it out.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Airgroup + Clearpass Enforce Registration

My controller is on 6.4.2.3, and ClearPass is on 6.5.0.71095.

The guide I am referencing is:

http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/15478/1/ArubaAirGroup-6136-DG.pdf

I looked in the downloads section and this is the newest version of this guide.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Airgroup + Clearpass Enforce Registration

That document is EXTREMELY old and is for the old AirGroup technology release of code.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Airgroup + Clearpass Enforce Registration

Unfortunately the same language is in the new 6.4.3.x user guide here: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/AirGroup_CPPM_Interface.htm%3FTocPath%3DAirGroup%7C_____3

We will check it out and correct it, but I do not think the way that it is stated is accurate.



Colin Joseph
Aruba Customer Engineering
