03-01-2016 07:30 AM
Having got basic Airgroup functionality up and running (can limit visibility based upon shared AP or AP group) I'm now wanting to control who can see/access what based upon a clearpass user role of some sort. Looking at the Aruba RADIUS VSA list I can see attributes such as
And some of them are used in the default Airgroup Shared device profile.
So I guess these are the ones I configure to pass info back to the controller.
Info on CPPM / Airgroup integration seems to be a bit sparse (there's info on how to set up CPPM Guest to manage personal Airgroup access and how to define groups that a shared device is in, but not on how to set up shared Airgroup access from the ClearPass client device perspective), e.g.
If I set up an Apple TV to be accessible by everyone in "Faculty of maths" when defining it in ClearPass Guest, how do I pass back info from ClearPass to enable group access from the personal device point of view? Do I do it in a copy of the [AirGroup Personal Device] profile and add a shared role that says "you can access everything shared in faculty of maths"? I've seen a lot of pretty diagrams that show what you do logically, just not an actual real example of how to set it up.
03-01-2016 07:45 AM
The most scalable method is to use the user-roles. You can select the user-roles that are allowed to see the device in the AirGroup registration form. You should never modify the AirGroup service on the policy manager side.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
03-01-2016 08:17 AM
O.K. So I (or an admin) create a "role" for "Faculty of maths" (how do you create new roles? You get guest, employee, contractor by default?) and associate it with a shared Apple TV device. At the same time I can nail things down a bit more by saying it's only accessible from a group of APs.
When a user comes along and registers a personal device, they too see the drop-down account role list. Doesn't that mean that anyone can come along and say "I feel like being in Faculty of Maths today, so I can play with that Apple TV"?
Would it not be better to just let the user register their device and have CPPM automagically assign them to an associated role (e.g. if user is member of AD group "Faculty of Maths" then .....
Or am I missing something?
09-20-2016 12:02 PM - edited 09-20-2016 02:09 PM
@cappalli I too am wanting to make use of shared groups. I found page 1011 in the ArubaOS 6.4.x Quick Start Guide somewhat helpful (section called "Group-Based Device Sharing"). I also tried to work through this with phone support, but didn't get far. I tried pushing the "Aruba-AirGroup-Shared-Group (35)" attribute along with "Aruba-User-Role (1)" in my CPPM Enforcement Policy to the controller. The role works fine, but the shared group doesn't appear to get passed on, as it is absent from the group column for my user in the controller CLI output of `show airgroup users`. I understand I should be able to send the comma-separated list of groups and later make use of that with my AirGroup server device configuration in the Guest module. I don't get that far, though, because I can't get my user(s) into shared user group(s). Using roles as suggested means I can only have a user in a single grouping for access, as outlined in the User Guide. The example given of putting a user in the Mathematics group and the AirGroup server in the same group makes a lot of sense, but doesn't explain how to push the VSA (hopefully I can manually define it as described in CPPM) other than that it comes from the auth module.
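One way to check whether the controller is actually being sent Aruba-AirGroup-Shared-Group (35) alongside Aruba-User-Role (1) is to decode the Vendor-Specific attributes in the Access-Accept captured between ClearPass and the controller. The Python below is an added example, not code from this thread or from Aruba; it assumes Aruba's IANA enterprise number 14823 and uses a constructed attribute list in place of a captured packet.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823            # Aruba Networks IANA enterprise number (assumed)
ARUBA_USER_ROLE = 1                # Aruba-User-Role VSA id
ARUBA_AIRGROUP_SHARED_GROUP = 35   # Aruba-AirGroup-Shared-Group VSA id

def parse_attributes(payload):
    """Yield (type, value) pairs from a RADIUS TLV list: type, length, value."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[off + 2:off + alen]
        off += alen

def parse_aruba_vsas(payload):
    """Collect Aruba VSAs as {vendor_type: [string values]} from an attribute list."""
    found = {}
    for atype, value in parse_attributes(payload):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        # The vendor data is itself a TLV list; one attribute may carry several VSAs.
        for vtype, vvalue in parse_attributes(value[4:]):
            found.setdefault(vtype, []).append(vvalue.decode("utf-8", "replace"))
    return found

def airgroup_view(vsas):
    """Reduce the VSAs to what AirGroup cares about: one role, a list of shared groups."""
    roles = vsas.get(ARUBA_USER_ROLE, [])
    groups = []
    for raw in vsas.get(ARUBA_AIRGROUP_SHARED_GROUP, []):
        groups.extend(g.strip() for g in raw.split(",") if g.strip())
    return {"user_role": roles[0] if roles else None, "shared_groups": groups}

def build_vsa(vtype, text):
    """Encode one Aruba string VSA the way a RADIUS server would emit it."""
    data = text.encode()
    body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([vtype, len(data) + 2]) + data
    return bytes([RADIUS_VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed sample: role + two shared groups + an unrelated Reply-Message (type 18)
SAMPLE = (build_vsa(ARUBA_USER_ROLE, "faculty-maths")
          + build_vsa(ARUBA_AIRGROUP_SHARED_GROUP, "Mathematics,Physics")
          + bytes([18, 4, 0x4F, 0x4B]))

if __name__ == "__main__":
    print(airgroup_view(parse_aruba_vsas(SAMPLE)))
```

Run it against the attribute bytes of a real Access-Accept (for example exported from a packet capture) to see whether attribute 35 is present at all; if it is absent there, the problem lies in the enforcement profile rather than on the controller.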