Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

  • 1.  eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Dec 07, 2016 04:55 PM

    I'm working on a new CPPM setup for eduroam, and combining it with AirGroup. I set up eduroam according to the docs from Geant and it works well. I set up AirGroup according to documentation, and it appears to work well at first, but then mostly stops working. (Most iOS devices stop working; a MacOS device stays working to AppleTV.)

    Since eduroam requires USERNAME@Domain.Edu usernames that get stripped off in the CPPM Service, I create my AirGroup devices (Chromecast, AppleTV, etc.) shared to both USERNAME and USERNAME@Domain.Edu. But under investigation, it appears that AirGroup doesn't honor the USERNAME@Domain.Edu. In addition, when the iOS devices first connect, they are correctly listed with AirGroup usernames of USERNAME, but after some time or roaming among APs, they "reauthenticate" back and their AirGroup usernames become USERNAME@Domain.Edu and they can no longer detect or cast to the shared AirGroup devices. The controller's user-table always lists them with usernames of USERNAME@Domain.Edu; it's only under "show airgroup users" that I can see the username changing from USERNAME, which works, to later USERNAME@Domain.Edu, which doesn't. I don't have the CPPM eduroam service caching roles and postures in the enforcement.

    thanks

    mike



  • 2.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    EMPLOYEE
    Posted Dec 07, 2016 04:59 PM

    Please open a TAC case. That is not expected behavior.



  • 3.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Apr 27, 2017 01:15 PM

    I'm gonna bump this... since I'm wondering how people with eduroam are working with airgroup.

    In my setup eduroam users are typically seen on the controller with <userid>@domain.name as their username. I verified that just setting up a device with <userid>, I'm unable to discover it on eduroam.... or legacy ssid (with just <userid> I can discover registered airgroup devices).

    Tried listing <userid>@domain.name in airgroup registration.... but it looks like airgroup strips the domain... tried using ''s or \ in front of @ in case of a parsing issue - no change...

    So what are people doing.... do I need to change clearpass to strip @domain.name when sending userid to controller?

    So userid@domain1 is effectively the same as userid@domain2?

    Could opt to strip domain only for local domain.... but then users can't share a device with external eduroam users?

    Maybe there's a third option I'm just not grasping... or my clearpass version is old: 6.6.0.81015 and this is a moot issue in an updated patch?...



  • 4.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    EMPLOYEE
    Posted Apr 27, 2017 01:43 PM
    AirGroup should not be stripping the realm. Where are you seeing that?


  • 5.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Apr 27, 2017 03:08 PM

    "show airgroup policy" on the controller was showing just my username twice when I had <userid>,<userid>@domain.name entered in clearpass registration.

    Found out this is a bug on the controller side - fixed in 6.5.2.0

    There is a workaround: if I enter the username as <userid>@domain.name@domain.name the controller picks up the username as desired, and with show airgroup policy I show up as <userid>@domain.name.

    So now - for people with eduroam - do you just set up cppm to prepopulate the shared user field with <userid> and <userid>@domain.name? I'm assuming I can customize the registration form to do this....



  • 6.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Apr 27, 2017 03:18 PM

    We are documenting adding both USER and USER@domain.edu@ to the sharing registration. But we are moving towards a single SSID (eduroam), so eventually it will only be USER@domain.edu.



  • 7.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    EMPLOYEE
    Posted Apr 27, 2017 03:19 PM
    You could clone the default AirGroup service and enforcement policies to dynamically append the second @ so you don’t have to modify all your device registrations.


  • 8.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted May 01, 2017 07:20 AM

    Do you have a pointer to documentation or quick help on dynamically adding the @domain.edu@ in the policy? I have the service/profile/policy duplicated and see the attribute:

    Radius:Aruba    Aruba-AirGroup-Shared-User      =       %{GuestUser:airgroup_shared_user}

    But I don't know the syntax the value is expecting.

    thanks

    mike



  • 9.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    EMPLOYEE
    Posted May 01, 2017 08:44 AM
    On second thought, this likely won’t work in your case since you likely have multiple users shared out for devices.


  • 10.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Jun 05, 2017 10:47 AM

    We recently upgraded to ArubaOS 6.5.2.1 and can confirm that Bug 154533 (listed in the 6.5.2.0 release notes) seems to be resolved. Users in CPPM can share devices to USER@domain.edu, but they show up in the controller (#show airgroup cppm entries) as just USER in the shared user-list. But this does seem to work now; after the upgrade they all stopped working with the trailing '@', but once I edited the devices and removed the '@', leaving just USER@domain.edu, they all began working.



  • 11.  RE: eduroam (USERNAME@Domain.Edu strip) failing after reauthentication(?) of AirGroup

    Posted Apr 27, 2017 01:52 PM

    It's patched in 6.5.2 and back ports are expected by June. (It's the ArubaOS on the controller that's at fault, not CPPM.)

    I've been getting around it by sharing the device in CPPM as USERNAME@domain.edu@

    The controllers strip off everything to the RHS of the right-most '@', leaving USERNAME@domain.edu
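The following is an added example, not code from the thread or from HPE Aruba. It models the shared-user realm handling the thread describes (posts 5, 10 and 11) so that a registration list can be checked against the username the controller actually sees for an authenticated eduroam user, both before and after the controller fix. Assumptions, labelled in the code: the affected controller keeps only the part of each shared-user entry to the left of the right-most '@' (post 11), and the fixed controller is modelled as matching the entry verbatim (post 10 reports the fixed controller working with the plain realm-qualified entry and no longer with the trailing '@'). The device names, user names and realm are constructed.

```python
# Added example: models AirGroup shared-user realm handling as described in
# the thread. Not the project's code; behaviour of the controller is an
# assumption taken from the posts, and all sample data is constructed.
from typing import Dict, Iterable, List


def strip_rightmost_realm(shared_user: str) -> str:
    """Model of the pre-6.5.2 controller (assumption from post 11): keep
    everything left of the right-most '@'.
      'USER@domain.edu'  -> 'USER'
      'USER@domain.edu@' -> 'USER@domain.edu'
      'USER'             -> 'USER'   (no '@' present)
    """
    head, sep, _tail = shared_user.rpartition("@")
    return head if sep else shared_user


def controller_view(entries: Iterable[str], fixed: bool) -> set:
    """Shared-user names as the controller would hold them for a device
    registered with `entries` (the comma-separated airgroup_shared_user list
    split into items). `fixed=True` models the patched controller as an
    exact match (assumption); `fixed=False` applies the stripping bug."""
    if fixed:
        return set(entries)
    return {strip_rightmost_realm(e) for e in entries}


def can_discover(entries: Iterable[str], authenticated_user: str, fixed: bool) -> bool:
    """True if the user, as named on the controller, matches a shared entry."""
    return authenticated_user in controller_view(entries, fixed)


def workaround_entry(user: str, realm: str) -> str:
    """Post 11's trick: a trailing '@' so the buggy stripping leaves the
    realm-qualified name intact."""
    return f"{user}@{realm}@"


def audit(registrations: Dict[str, List[str]],
          authenticated_users: Iterable[str],
          fixed: bool) -> Dict[str, Dict[str, List[str]]]:
    """For each device, list which authenticated usernames can and cannot
    see it under the chosen controller behaviour. Useful before and after a
    controller upgrade to spot entries that will silently stop matching."""
    users = list(authenticated_users)
    report = {}
    for device, entries in registrations.items():
        view = controller_view(entries, fixed)
        report[device] = {
            "visible_to": sorted(u for u in users if u in view),
            "hidden_from": sorted(u for u in users if u not in view),
        }
    return report


# Constructed sample data: one device registered the "obvious" way (both
# forms of the name, as in post 1) and one using the trailing-'@' workaround.
SAMPLE_REGISTRATIONS = {
    "AppleTV-lab": ["mike", "mike@domain.edu"],
    "Chromecast-lounge": [workaround_entry("mike", "domain.edu")],
}
# Usernames as the controller's user-table shows them: plain on a legacy
# SSID, realm-qualified on eduroam.
SAMPLE_USERS = ["mike", "mike@domain.edu"]


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"controller fixed={fixed}")
        for device, rep in audit(SAMPLE_REGISTRATIONS, SAMPLE_USERS, fixed).items():
            print(f"  {device}: visible_to={rep['visible_to']} hidden_from={rep['hidden_from']}")
```

Running it shows the two failure modes from the thread side by side: on the buggy controller the "mike,mike@domain.edu" registration collapses to a single "mike" entry, so the eduroam user is hidden, while the trailing-'@' entry works; on the fixed controller that workaround entry is the one that no longer matches, which is why post 10 had to strip the extra '@' after upgrading.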