Security

Good Afternoon,

     I have a client with a large campus enterprise with Aruba Networks wired and wireless hardware with ClearPass.  The client has upgraded all hardware and ClearPass to the latest revisions.

      We want to assist them in putting in AppleTV's in their conference rooms.  The client wants to limit the Apple TV's AirPlay exposure to only two or three AP's that are nearest to the conference room.  Also, they have a very developed MS Active Directory with users assigned to groups.  The conference rooms are assigned to a specific group like Accounting or IT.  So our client would like to configure AirGroup in ClearPass so Conference Room 5B only sends Bonjour out on the three adjacent Access Points, and since Conference Room 5B is the HR conference room, only members of the HR group can access.

      I've searched like mad for something like this, but can't find any specific documenation in the AirGroup Deployment Guide.  Does anyone have screen shots of this to assist.  I'm positive this is possible on the latest revisions of code.

      Thank you!  

Controllers are on 6.4.x

Switches are on 7.2 or 7.3

ClearPass is on 6.3.2

Full Aruba access solution.

For the location part of your question, when you register the device as "Shared", you'll be presented with a Shared Locations option.

In this box you'll be able to add multiple access points, or entire AP groups which allows you to be very granular.

To answer your question about user access, I just need to know if you already are putting your users into roles on the controller based on AD group.

Yes, we are putting users into roles based on AD Groups, but at this time, not as granular as required.  I'm guessing by the question we need to put in a ClearPass Role that is Conference Room 5B or by HR, etc...  That has to be both a ClearPass Role and also put in the AirGroup Shared Group field on device.

A guestion on the AP's.  So if you go to the AP field, it becomes a pull down and you can select the AP's it should associate to? 

You can kill two birds with one stone by creating more specific user roles on the controller and using those for AirGroup. Even if the firewall policies in those roles are the same, you gain much more flexibility in the future if you want to add restrictions.

When registering the device, simply select the role names in the "Shared Roles" box.

     I'm reading through the latest and greatest AirGroup document, ArubaOS 6.1.3.6-AirGroup.  I'm trying to ascertain what “Shared Groups” are.  Based on your recommendations, we should be going into CPPM and creating roles that can be added to the “Shared Roles” field.  I understand that and it makes sense.  I want to make sure though I understand what the “Shared Groups” field is, and where it pulls its data.  Can you provide a document for that?

     Thank you!  

take a look at page 937 in the attached doc.

Attachment(s)

ArubaOS_6.4_UG.pdf   22.17 MB 1 version

take a look at page 937 in the attached doc.

Attachment(s)

ArubaOS_6.4_UG.pdf   22.17 MB 1 version

ArubaOS_6.4_UG.pdf   22.17 MB 1 version