Hi,
I'm looking at rolling out an AirGroup service over our wireless LAN. So far I've got 3 controllers running 6.4.3.7 and a couple of AP225s in our building.
Two SSIDs provide client connectivity:
alexs-airgroup for WPA2-enterprise devices
alexs-airgroup-psk for WPA2-PSK devices (with ClearPass mac-auth)
Got the AirGroup side of things working and I can now chromecast/stream to Apple TVs connected using EAP-TLS (Apple TVs) from iPhone, iPad and OS X (screen sharing).
I'm now starting to look at the access rights side of things. At this point I'm ignoring the "end user registering their own devices" scenario and concentrating on the "lecture theatre Apple TVs, how do I restrict who can access it" scenario.
I'm currently planning on using a local endpoint attribute to define what is to be inserted in a Radius:Aruba:Aruba-AirGroup-Shared-Group attribute. That way I can match up personal devices with server devices. I've successfully got an authorization service to select the correct enforcement profile based upon an (Endpoint:UoY_Airgroup_Shared_Group EXISTS) statement.
Problem I've got is when it's a private device, in that the above statement doesn't work. Two authorization service conditions with identical conditions except one has the above endpoint statement ... and the device falls through to the catchall one.
I then tried setting up a unique Role (see below - ignore spelling mistake) based upon whether my local attribute is in the endpoint entry and selecting a profile based upon the role existing. Again, this didn't work (see below). Long term I want to be able to pull the shared group assigned to a personal device from AD (based upon user auth) and define server devices from endpoint contents.
Rgds
Alex