Security

Reply
Super Contributor I

Small problem with Airgroups authorization service

Hi,

I'm looking at  rolling out an airgroup service over our wireless lan. so far I've got 3 controllers running 6.4.3.7 and a couple of AP225's in our building.

Two SSIDs provide client connectivity

alexs-airgroup for WPA2-enterprise devices

alexs-airgroup-psk for WPA2-PSK devices ( with clearpas mac-auth )

 

Got the airgroup side of things working and I can now chromecast/stream to Apple TVs connected using EAP-TLS ( Apple TVs)  from iPhoe, iPAD and OS X ( screens sharing).

 

I'm now starting to look at the access rights side of things. At this point I'm ignoring the "end user registering their own devices" scenario and concentrating on the " lecture theatre apple TVs how do I restrict who can access it" scenario.

 

I'm currently planning on using  a local endpoint attribute to define what is to be inserted in an Radius:Aruba:Aruba-AirGroup-Shared-Group attribute. That way I can match up personal devices with server devices. I've successfully got an authorization service to select the correct enforcement profile based upon an (Endpoint:UoY_Airgroup_Shared_Group EXISTS)  statement.

 

Problem I've got is when its a private device in that the above statement doesn'y work. Two authorization service conditions with identical conditions except one has the above endpoint statement .... and the device falls through to the catchall one.

 

I then tried setting up a unique Role (see below - ignore spelling mistake) based upon whether my local attribute is in the endpoint entry and selecting a profile based upon the role existing. Again, this didn't work ( see below). Lomng term I want to be able to pull the shared group assigned to a personal device from AD ( pased upon user auth) and define server devices from endpoint contents

Rgds

Alex

 

Airgroup-Not-Working.png

 

Guru Elite

Re: Small problem with Airgroups authorization service

AlexSuoy,

 

If you are looking to restrict or allow airgroup access to devices, that is not how you should be doing it.  On the ClearPass guest side, you need to go to Guest> Manage Devices.  Find the mac address of your device, and then if you want specific users to see that device, add their usernames to "shared with".  If you want this device to only be seen when a user is on or around a specific access point, add that access point to "shared location".

shared.PNG

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor I

Re: Small problem with Airgroups authorization service

Hi,

 

Yup seen that, played with that and got it working that way. Want something a bit more transparent from the user's point of view and this was a step in that direction. The idea was to set up servers with specific airgroup-shared-group values, e.g. maths dept, building name, etc and then when a user arrives with a personal device, instead of them having to explicitly select a device, I use AD group memebership to populate the shared group with the correct value so that all they havd to do is select it from a list.

 

For personal devices where a student registers all their own stuff and then allows another user to access one of them fair enough, but can;t help feeling that there should be something better for the enterprise solution

 

A

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: