Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Airgroup help/questions

  • 1.  Airgroup help/questions

    Posted May 20, 2015 02:38 PM

    I'm trying to implement AirGroup with CPPM for Apple TVs.  It appears that the default ClearPass AirGroup service is geared toward Apple TVs being on student networks or .edu environments with MAC auth.  My Apple TVs are located in conference rooms and are on the corporate network using PEAP (profile loaded onto the Apple TV).  Is it still possible to use CP to limit who can see an Apple TV when it's on a PEAP network by changing the AirGroup service?

     

    Thanks



  • 2.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 02:40 PM

    The AirGroup service should not be touched.

     

    It doesn't matter which SSID the device or user is connected to as long as AirGroup is enabled.

     

    The device authentication itself would be handled just like a user.

     

    You'll need to set up the AirGroup integration in ClearPass Guest by adding the controllers. Then you'll have to register the Apple TVs under "Create New Device" and then enforce AirGroup registration on the controller.



  • 3.  RE: Airgroup help/questions

    Posted May 20, 2015 02:46 PM

    Thanks Tim, I have set up the integration between the controller and ClearPass.  I set the device in ClearPass to only be shared to a certain role. Now I do not see AirPlay as an option on my iOS device.



  • 4.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 02:50 PM

    Please run:

     

    show airgroup cppm entries
    show airgroup policy-entries
    
    


  • 5.  RE: Airgroup help/questions

    Posted May 20, 2015 03:50 PM
    show airgroup cppm entries
    
    ClearPass Guest Device Registration Information
    -----------------------------------------------
    Device             device-owner  shared location-id AP-name  shared location-id AP-FQLN  shared location-id AP-group  shared user-list  shared role-list  CPPM-Req  CPPM-Resp
    ------             ------------  --------------------------  --------------------------  ---------------------------  ----------------  ----------------  --------  ---------
    18:ee:69:18:b9:07  N/A                                                                                                                  authenticated     45        1
                                                                                                                                            Employee
    Num CPPM Entries:1
    

    The “show airgroup policy-entries” isn’t a valid command on my controller.  I’m still running 6.3.x on my controller
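
An added example, not part of the original post or of Aruba's tooling: a Python parser for the "show airgroup cppm entries" output shown in post 5. It merges list cells that wrap onto a second line (as the role list does above) and reports entries that list no user, role or location restriction so they can be reviewed. The second device row and the _row helper are constructed for the sample.

```python
import re

# Column names as printed by "show airgroup cppm entries" in the thread.
NAMES = ["Device", "device-owner", "shared location-id AP-name",
         "shared location-id AP-FQLN", "shared location-id AP-group",
         "shared user-list", "shared role-list", "CPPM-Req", "CPPM-Resp"]
LIST_COLS = NAMES[2:7]          # multi-valued cells that can wrap onto extra lines

def _row(*cells):
    """Build one fixed-width line (used only to construct the sample)."""
    widths = [17] + [len(n) for n in NAMES[1:]]
    return "  ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

# Constructed sample: the first entry mirrors the thread, the second is made up.
SAMPLE = "\n".join([
    "ClearPass Guest Device Registration Information",
    "-----------------------------------------------",
    _row(*NAMES),
    _row(*["-" * len(n) for n in NAMES]),
    _row("18:ee:69:18:b9:07", "N/A", "", "", "", "", "authenticated", "45", "1"),
    _row("", "", "", "", "", "", "Employee"),
    _row("00:11:22:33:44:55", "N/A", "", "", "", "", "", "3", "1"),
    "Num CPPM Entries:2",
])

def parse_cppm_entries(text):
    """Return one dict per device; wrapped list cells are merged."""
    lines = text.splitlines()
    # The column ruler is the only line made of dashes separated by spaces.
    idx = next(i for i, l in enumerate(lines) if set(l) == {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[idx])]
    bounds = list(zip(starts, starts[1:] + [None]))
    entries = []
    for line in lines[idx + 1:]:
        if line.startswith("Num CPPM Entries") or not line.strip():
            continue
        cells = {n: line[a:b].strip() for n, (a, b) in zip(NAMES, bounds)}
        if cells["Device"]:                      # a new device row
            entries.append({n: ([] if n in LIST_COLS else cells[n]) for n in NAMES})
        for n in LIST_COLS:                      # also handles continuation rows
            if cells[n] and entries:
                entries[-1][n].append(cells[n])
    return entries

def unrestricted(entries):
    """Devices whose entry lists no shared user, role or location."""
    return [e["Device"] for e in entries if not any(e[n] for n in LIST_COLS)]
```
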



  • 6.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 03:55 PM
    Are you seeing AirGroup Authorization messages for the ATV MAC address?


  • 7.  RE: Airgroup help/questions

    Posted May 20, 2015 03:59 PM

    Yes, I see them in the access tracker.

     

    Capture.JPG



  • 8.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 04:14 PM

    msales,

     

    Did you do any airgroup configuration on the ClearPass Guest side?  If you have CPPM enforcement enabled, that configuration will supersede what you have configured on the controller side.



  • 9.  RE: Airgroup help/questions

    Posted May 20, 2015 05:13 PM
    I added the controller under the AirGroup settings in CP Guest and also added the Apple TV as a device.

    Thanks

    Matt Sales
    Network Engineer II
    Centra Health
    434-200-5574







  • 10.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 07:00 PM

    Do you have a screenshot for the configuration of that AppleTV in cppm?

     



  • 11.  RE: Airgroup help/questions

    Posted May 20, 2015 07:06 PM

    Capture.JPG



  • 12.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 20, 2015 07:13 PM

    That looks right.  Did you read the roles from the controller, or did you type them in?  If you "read" them, that is good.

    I am assuming you have "Enforce CPPM" enabled?  If you do, good.

     

    Turn on mdns debugging:

     

    logging level debugging user process mdns subcat message
    logging level debugging system process mdns subcat message
    logging level debugging security process mdns subcat message

     

    Try to connect or browse, then type "show log security 50" to see if you see any messages related to that device.

     



  • 13.  RE: Airgroup help/questions

    Posted May 20, 2015 07:16 PM
    I "read" the roles into the config. I will try the debugging tomorrow when I'm back in the office (east coast time) and report back.

    Thanks








  • 14.  RE: Airgroup help/questions

    Posted May 21, 2015 08:48 AM

    Colin, I finally got all of this going.  The only issue I have now is I have tied the device to a shared role and a shared location (a single AP).  The role piece is working, as I can only see AirPlay if I'm in that role; however, if I'm on a different AP other than what is specified in the shared location, I can still see AirPlay as an option and mirror my screen.

     

    Any ideas?



  • 15.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 21, 2015 08:50 AM
    If you are on that access point, or an adjacent access point, you should still be able to see it. Imagine if you were in a room, but happened to be on an access point in another room; you would still need to be able to see that Apple TV.


  • 16.  RE: Airgroup help/questions

    Posted May 21, 2015 09:04 AM

    I guess I'm looking at the setting wrong?  I was under the impression you would need to list all APs that a client would need to be on to see that AirPlay device.  That way you wouldn't get a long list of Apple TVs, only the ones in the vicinity.



  • 17.  RE: Airgroup help/questions

    EMPLOYEE
    Posted May 21, 2015 09:52 AM

    Please look here:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/Integrated_Deployment_Model.htm%3FTocPath%3DAirGroup%7C_____2

    "When the location is set to ap-name, all AirGroup users connected to this AP and other APs that are in the same RF neighborhood can access the shared device."

     

    If you read the whole chapter below, it will answer all of your questions:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/Introducing_Aruba_AirGroup.htm%3FTocPath%3DAirGroup%7C_____0

     

    There are commands, troubleshooting and configuration information that you would need to deploy