Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Bonjour (AirPlay) by device location with CP

This thread has been viewed 1 times

  • 1.  Bonjour (AirPlay) by device location with CP

    Posted Dec 19, 2012 12:12 PM

    Not sure if I'm missing it but I don't know my next step in setting up AirPlay for location-based restrictions.

     

    I'm running 6.3.1.4-AirGroup successfully in an Integrated deployment with CPPM 6.0.1.46054.

     

    I have AirPlay set to only work on two VLANs currently and it seems to work perfectly with the user device registration - where the client device is unable to see the server device (iPhone -> AppleTV) unless I register or share that device with them.

     

    How do I begin to distinguish if a user is in the area?  Does the controller need something setup to send?  Do I start with the ClearPass Policy Manager (I see all the 'AirGroup Authorization Service' accepted logs there)?  Or is that piece in the ClearPass Guest part?

     

    I believe I used to see some information on the controller with show airgroup aps but that only returns Module MDNS Proxy is busy. Please try later for me now.  Even though show process monitor statistics doesn't have any restarts for mdns anymore.  I used to get that Proxy Busy error a lot - but now all the airgroup commands seem to work everytime other than the aps one.



  • 2.  RE: Bonjour (AirPlay) by device location with CP
    Best Answer

    Posted Dec 19, 2012 12:49 PM

    You can use the airgroup_shared_location field to specify location restrictions for the AirGroup sharing.

     

    This field has to have a certain format; see the field help for precise details.  But you should be able to share a device with other users associated with a specific access point (by AP-Name), or with other users associated with a specific group of access points (by AP-Group), or with other users in a specific location (by FQLN).

     

    I believe you will need to set up FQLNs for each AP if you want to use that, or create specific AP Groups if you want to use that method instead.



  • 3.  RE: Bonjour (AirPlay) by device location with CP

    Posted Dec 19, 2012 01:02 PM

    Awesome, totally missed that.  Was thinking 'users' in that area.  I can use ap-group name for my instance then.  I'll give that a shot.



  • 4.  RE: Bonjour (AirPlay) by device location with CP

    Posted Apr 17, 2015 09:39 AM

    Hi

    There are some important issues regarding AirGroup to take into consideration.
    Depending on you deployment you may not run into any of these hard limitations. But in larger environments you may face that Apple have a hard coded limit of 64 AirGroup servers, like Apple TV’s, to be displayed on any Apple device.
    If you have a big building with a lot of Apple TV's it may become inconvenient to use the AP-group as filter for Apple TV visibility. Also assuming a big deployment filtering on AP-group name is not convenient as it will generate a large number of AP groups.

    Instead share the Apple TV to the AP it connects to. From Aruba OS 6.3.3 (?) not 100 % sure of version, AirGroup will create a list of all neighboring AP's.
    This way a user may see the Apple TV if the device is connecting to any AP just one hop away from the AP configured.

    Regards
    Jonas