Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Small problem with Airgroups authorization service

  • 1.  Small problem with Airgroups authorization service

    Posted Mar 09, 2016 09:39 AM

    Hi,

    I'm looking at rolling out an AirGroup service over our wireless LAN. So far I've got 3 controllers running 6.4.3.7 and a couple of AP-225s in our building.

    Two SSIDs provide client connectivity:

    alexs-airgroup for WPA2-Enterprise devices

    alexs-airgroup-psk for WPA2-PSK devices (with ClearPass MAC auth)

    Got the AirGroup side of things working and I can now Chromecast/stream to Apple TVs connected using EAP-TLS (Apple TVs) from iPhone, iPad and OS X (screen sharing).

    I'm now starting to look at the access rights side of things. At this point I'm ignoring the "end user registering their own devices" scenario and concentrating on the "lecture theatre Apple TVs: how do I restrict who can access it" scenario.

    I'm currently planning on using a local endpoint attribute to define what is to be inserted in a Radius:Aruba:Aruba-AirGroup-Shared-Group attribute. That way I can match up personal devices with server devices. I've successfully got an authorization service to select the correct enforcement profile based upon an (Endpoint:UoY_Airgroup_Shared_Group EXISTS) statement.

    Problem I've got is when it's a private device, in that the above statement doesn't work. Two authorization service conditions that are identical except one has the above endpoint statement ... and the device falls through to the catch-all one.

    I then tried setting up a unique role (see below; ignore the spelling mistake) based upon whether my local attribute is in the endpoint entry, and selecting a profile based upon the role existing. Again, this didn't work (see below). Long term I want to be able to pull the shared group assigned to a personal device from AD (based upon user auth) and define server devices from endpoint contents.

    Rgds

    Alex

    Airgroup-Not-Working.png



  • 2.  RE: Small problem with Airgroups authorization service

    EMPLOYEE
    Posted Mar 09, 2016 10:00 AM

    AlexSuoy,

    If you are looking to restrict or allow AirGroup access to devices, that is not how you should be doing it. On the ClearPass Guest side, you need to go to Guest > Manage Devices. Find the MAC address of your device, and then, if you want specific users to see that device, add their usernames to "shared with". If you want this device to only be seen when a user is on or around a specific access point, add that access point to "shared location".

    shared.PNG



  • 3.  RE: Small problem with Airgroups authorization service

    Posted Mar 09, 2016 10:23 AM

    Hi,

    Yup, seen that, played with that and got it working that way. Want something a bit more transparent from the user's point of view, and this was a step in that direction. The idea was to set up servers with specific airgroup-shared-group values, e.g. maths dept, building name, etc., and then when a user arrives with a personal device, instead of them having to explicitly select a device, I use AD group membership to populate the shared group with the correct value so that all they have to do is select it from a list.

    For personal devices where a student registers all their own stuff and then allows another user to access one of them, fair enough, but I can't help feeling that there should be something better for the enterprise solution.

    A
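The design described in posts 1 and 3, modelled as an added example (not ClearPass code and not the poster's configuration): server devices carry a local endpoint attribute, personal devices carry none, so an `EXISTS` condition on that attribute is false for them and the request falls through to the catch-all unless the shared group is derived from AD group membership instead. The MAC addresses, AD group names and the `AD_GROUP_TO_SHARED_GROUP` mapping are constructed assumptions.

```python
"""Model of the AirGroup shared-group design discussed in this thread.

Constructed sample data: ClearPass-style endpoint records, AD groups and
the intended authorization logic. Names and values are assumptions.
"""

# Constructed endpoint database: AirGroup servers (Apple TVs) carry the
# local endpoint attribute naming their shared group; personal devices don't.
ENDPOINTS = {
    "aa:bb:cc:00:00:01": {"UoY_Airgroup_Shared_Group": "maths-dept"},
    "aa:bb:cc:00:00:02": {"UoY_Airgroup_Shared_Group": "physics-lt1"},
    "aa:bb:cc:00:00:10": {},  # personal iPhone, no local attribute
}

# Constructed AD group -> shared group mapping for personal devices.
AD_GROUP_TO_SHARED_GROUP = {
    "staff-maths": "maths-dept",
    "students-physics": "physics-lt1",
}


def endpoint_shared_groups(mac):
    """Server-device path: mirrors '(Endpoint:UoY_Airgroup_Shared_Group EXISTS)'.
    The condition only holds when the attribute is present on the endpoint."""
    value = ENDPOINTS.get(mac, {}).get("UoY_Airgroup_Shared_Group")
    return [value] if value is not None else []


def user_shared_groups(ad_groups):
    """Personal-device path: derive shared groups from AD group membership."""
    return sorted({AD_GROUP_TO_SHARED_GROUP[g]
                   for g in ad_groups if g in AD_GROUP_TO_SHARED_GROUP})


def authorize(mac, ad_groups=()):
    """Return the Aruba-AirGroup-Shared-Group value(s) the enforcement profile
    would carry, or None when the request falls through to the catch-all."""
    groups = endpoint_shared_groups(mac) or user_shared_groups(ad_groups)
    return groups or None


def visible_servers(personal_mac, ad_groups):
    """Server devices whose shared group matches one the personal device got."""
    mine = set(authorize(personal_mac, ad_groups) or [])
    return sorted(mac for mac, attrs in ENDPOINTS.items()
                  if attrs.get("UoY_Airgroup_Shared_Group") in mine)
```

Calling `authorize` on the personal device without AD groups returns None, which is the fall-through post 1 describes; supplying the AD groups is what makes the shared-group match possible.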