Security

Reply
Contributor I

Unpredictable Airgroup Behavior

We're in the process of configuring our infrastructure for Airgroup functionality and finding very inconsistent and unpredictable behavior when making changes. Our current testing has been exclusively with an Apple TV device and a device added in guest manager. When the device is set to "personal", multiple people are able to see and mirror to the device - that doesn't seem to be the appropriate behavior.

 

Changing to "shared" and sharing with various users does not produce consistent results. At certain instances the device is not viewable by anyone while at other times the device is viewable by everyone, including those not specifically listed in the shared users list.

 

I'm wondering if anyone has experienced this inconsistent behavior - I'm sure we're missing something either in policy or the controller, but I'm stumped!

Guru Elite

Re: Unpredictable Airgroup Behavior

What authentication method is in use on your internal SSID?

What controller code are you running?

Are you seeing AirGroup Authorization messages in ClearPass?

Are you seeing the sharing information in "show airgroup cppm entries"?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Unpredictable Airgroup Behavior

Hello Tim,

 

For media devices such as these we're using MAC authentication. I can see the device in Clearpass with the correct airgroup setting - sharing enabled, the list of users, etc. as well as the Airgroup Authorization messages. If I force a Radius CoA on the device the information is correctly reflected in Access Tracker. Controllers are running 6.4.4.9.

Guru Elite

Re: Unpredictable Airgroup Behavior

The network where your users are, what authentication method is in use?

Are you seeing the sharing information in "show airgroup cppm entries"?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Unpredictable Airgroup Behavior

MAC authentication as well as 802.1x EAP-TLS and EAP-PEAP.

 

Yes - I can see the device running that command on the controller.

Frequent Contributor I

Re: Unpredictable Airgroup Behavior

One thing that helped our AppleTV's was limiting them to the local AP.

 

The setting is in Airgroup on the controller. Click a device then under 'associate with server' choose the AP name.

 

Not sure if that is a complete solution but it sure went a long way towards stabilizing AirPlay in my environment.

 

PS- If I had a choice I would never do AppleTV in an enterprise network. They are made for home enviroments and they do not play nicely on complex networks.

 

 

 

 

 

 

Frequent Contributor I

Re: Unpredictable Airgroup Behavior

Also, in old code we had issues with the mDNS process crashing on the controller. ATV uses mDNS for discovery. Seems to be stable in newer versions of code.  

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: