Security

Super Contributor I
Posts: 294
Registered: 02-07-2013

Aruba Airgroup VSA information

Having got basic Airgroup functionality up and running (can limit visibility based upon shared AP or AP group) I'm now wanting to control who can see/access what based upon a ClearPass user role of some sort. Looking at the Aruba RADIUS VSA list I can see attributes such as

Aruba-Airgroup-Shared-Role

Aruba-Airgroup-Shared-User

Aruba-Airgroup-Shared-Group

and

Aruba-CPPM-Role

And some of them are used in the default Airgroup Shared device profile.

So I guess these are the ones I configure to pass info back to the controller.

Info on CPPM / Airgroup integration seems to be a bit sparse (there's info on how to set up CPPM Guest to manage personal Airgroup access and how to define groups that a shared device is in, but not on how to set up shared Airgroup access from the ClearPass client device perspective), e.g.

If I set up an Apple TV to be accessible by everyone in "Faculty of maths" when defining it in ClearPass Guest, how do I pass back info from ClearPass to enable group access from the personal device point of view? Do I do it in a copy of the [AirGroup Personal Device] profile and add a shared role that says "you can access everything shared in faculty of maths"? I've seen a lot of pretty diagrams that show what you do logically, just not an actual real example of how to set it up.

Rgds

Alex

Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: Aruba Airgroup VSA information

The most scalable method is to use the user-roles. You can select the user-roles that are allowed to see the device in the AirGroup registration form. You should never modify the AirGroup service on the policy manager side.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 294
Registered: 02-07-2013

Re: Aruba Airgroup VSA information

Hi,

OK, so I (or an admin) create a "role" for "Faculty of maths" (how do you create new roles? You get guest, employee, contractor by default?) and associate it with a shared Apple TV device. At the same time I can nail things down a bit more by saying it's only accessible from a group of APs.

When a user comes along and registers a personal device, they too see the drop-down account role list. Doesn't that mean that anyone can come along and say "I feel like being in Faculty of Maths today, so I can play with that Apple TV"?

Would it not be better to just let the user register their device and have CPPM automagically assign them to an associated role (e.g. if user is member of AD group "Faculty of Maths" then .....

Or am I missing something?

A

Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: Aruba Airgroup VSA information

Controller roles

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 10
Registered: 01-21-2016

Re: Aruba Airgroup VSA information

@cappalli I too am wanting to make use of shared-groups. I found page 1011 in the ArubaOS 6.4.x Quick Start Guide somewhat helpful (Section called "Group-Based Device Sharing"). I also tried to work through this with phone support, but didn't get far. I tried pushing the "Aruba-AirGroup-Shared-Group (35)" attribute along with "Aruba-User-Role (1)" in my CPPM Enforcement Policy to the controller. The Role works fine, but the shared group doesn't appear to get passed on as it is absent from the group column from my user on the controller CLI output of `show airgroup users`. I understand I should be able to send the comma-separated list of groups and later make use of that with my airgroup server device configuration in the guest module. I don't get that far though because I can't get my user(s) into shared user group(s). Using roles as suggested means I can only have a user in a single grouping for access as outlined in the User Guide. The example given of putting a user in the Mathematics group and the airgroup server in the same group makes a lot of sense, but doesn't explain how to push the VSA (hopefully I can manually define as described in CPPM) other than it comes from the auth module. 
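The VSAs discussed in this thread travel inside RFC 2865 Vendor-Specific attributes (type 26) of the RADIUS Access-Accept. The Python below is an added example, not code from the thread, from Aruba or from ClearPass: it encodes and decodes that attribute layout so a captured CPPM reply can be checked for the Aruba-User-Role (1) and Aruba-AirGroup-Shared-Group (35) VSAs named in the post above. It assumes Aruba's IANA vendor ID 14823 (not quoted in the thread), and the role and group names it builds are constructed sample values, not a real site's configuration.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865, type 26) so the
Aruba-User-Role and Aruba-AirGroup-Shared-Group VSAs in an Access-Accept can be
checked on the wire.  Added example, not code from the thread or from Aruba."""
import struct

VENDOR_SPECIFIC = 26              # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823           # Aruba Networks IANA enterprise number (assumed; not quoted in the thread)
ARUBA_USER_ROLE = 1               # Aruba-User-Role (1), as named in the post above
ARUBA_AIRGROUP_SHARED_GROUP = 35  # Aruba-AirGroup-Shared-Group (35), as named in the post above
SESSION_TIMEOUT = 27              # standard attribute, included to show non-Aruba data is skipped


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single vendor sub-attribute
    in the vendor-type / vendor-length / value layout that Aruba VSAs use."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single VSA")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header) and
    return a list of (type, vendor_id, vendor_type, value); vendor_id and
    vendor_type are None for non-VSA attributes.  Malformed lengths raise."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        val = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 6:
            vid = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):
                if j + 2 > len(val):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((atype, vid, vtype, val[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((atype, None, None, val))
        i += alen
    return out


def airgroup_summary(attrs):
    """Return (user_role, [shared groups]) from decoded attributes.  An empty group
    list from a captured reply means the Shared-Group VSA never left the RADIUS
    server, which is the first thing to rule out when the controller's group
    column stays empty."""
    role, groups = None, []
    for _atype, vid, vtype, val in attrs:
        if vid != ARUBA_VENDOR_ID:
            continue
        if vtype == ARUBA_USER_ROLE:
            role = val.decode("utf-8")
        elif vtype == ARUBA_AIRGROUP_SHARED_GROUP:
            # the post describes the value as a comma-separated list of group names
            groups.extend(g.strip() for g in val.decode("utf-8").split(",") if g.strip())
    return role, groups


def build_example_accept():
    """Constructed Access-Accept attribute list; the role and group names are
    hypothetical.  A real list comes from a packet capture of the CPPM reply."""
    return (
        struct.pack("!BBI", SESSION_TIMEOUT, 6, 3600)
        + encode_vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, "faculty-maths")
        + encode_vsa(ARUBA_VENDOR_ID, ARUBA_AIRGROUP_SHARED_GROUP, "Faculty of Maths,AV-Lab")
    )


if __name__ == "__main__":
    role, groups = airgroup_summary(decode_attributes(build_example_accept()))
    print("Aruba-User-Role:", role)
    print("Aruba-AirGroup-Shared-Group:", groups)
```

To check a real reply, pass decode_attributes() the bytes that follow the 20-byte RADIUS header of the Access-Accept captured between CPPM and the controller. If airgroup_summary() returns the role but an empty group list, the Shared-Group VSA was not sent and the enforcement profile on the CPPM side, not the controller, is where to look; if the group list is populated, the controller received the attribute and the problem lies after that point.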
