Occasional Contributor II
Posts: 38
Registered: 03-30-2016

Airgroup restrictions in CPPM not working

Hi:

I've configured Airgroup to share Apple TVs across subnets. I then wanted to configure Clearpass Guest to help restrict device sharing. I entered Clearpass info in the controller's Airplay settings, and I've set up the controller in Clearpass Guest --> Airgroup Services --> Controllers. Clearpass can successfully read the controller's config.

I then added my Airplay server as a device and enabled Airgroup sharing.

The problem is that when I log in to the network on my iPad, I can see the AppleTV no matter what I do. I've tried restricting it to a user or location that's not in use, but it still shows up on the iPad.

Could I be looking at a cache issue? I've issued many 'aaa user delete' commands. I've also tried 'airgroup server-refresh'. Is there anything else that needs to be done after changing airgroup device sharing in Clearpass?

I see lots of access requests in Access Tracker being handled by the [AirGroup Authorization Service]. Is this default service all I need, or do I need to define a custom service?

Any other ideas on troubleshooting?

Thank You!

Guru Elite
Posts: 8,458
Registered: 09-08-2010

Re: Airgroup restrictions in CPPM not working

Is Bluetooth discovery disabled on the ATV?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,644
Registered: 04-13-2009

Re: Airgroup restrictions in CPPM not working

Did you enable "AirGroup CPPM enforce registration" in the AirGroup settings?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 38
Registered: 03-30-2016

Re: Airgroup restrictions in CPPM not working

OK, I'm almost there....

By using 'show airgroup policy entries' I discovered that there was a policy entry for this server in the CLI that was conflicting with the CPPM policy.

I fixed that and now 'show airgroup policy entries' shows CPPM as the source. Lo and behold, the server is no longer visible on the iPad.

This is a good thing.

Then I changed the device settings in CPPM Guest to allow sharing with no restrictions again..... but the server does not show up on the iPad.

'show airgroup policy entries' indicates that the controller still thinks the old (restrictive) sharing location/user/role info is in use.

How do I refresh the controller's info?

I've tried 'airgroup server-refresh <mac-addr>' but still the old info appears.

Thanks!
