Wireless Access

Reply
Highlighted
Occasional Contributor I

Airgroup question on Mobility controller ArubaOS 8

All,

 

I manage the Aruba iAP wireless for a small K-12 school campus.  Currently I have it setup with three sets of VC and VLAN.  One for each school (lower school, middle school, and upper school.)  This allows me to do a few things like: break up broadcast domains, limit each VC to a managable amount of APs, and each school has it's own VC so I can setup different policy based on the school needs.

Another benefit of having the schools on separate VLAN and VC is when using Airgroup. Only Airprint and Airplay devices for the respective school are visible.  For example, only upper school Airprint printers are available if you are in the upper school buildings.  If you are in the middle school, only middle school Apple TV are available, etc.

For this summer we are upgrading to a pair of redundant 7205 Mobility controllers for the whole campus.  I'm working with professional services to assist in the installation.  In our initial meeting they mentioned removing the different sets of VLANs would be recommended to improve roaming between the schools.  I understand that and I also understand I'll get better control using AP groups using the new controllers.

But I'm unclear and my question is with Airgroup.  Is it possible to limit Airplay/Airprint to an AP group?  Especially for the lower school kids.  If they are learning how to Airprint, we need limit the number of printers they view.  It's crucial they can only see printers available in the lower school, and not the entire organization.

Thanks.

Note:  Our SSIDs are WPA2 personal.

Occasional Contributor I

Re: Airgroup question on Mobility controller ArubaOS 8

Also, the Airprint printers are mostly HP and they are all WIRED with IP addresses.

Occasional Contributor I

Re: Airgroup question on Mobility controller ArubaOS 8

I think I just answered my own question.  If the printers are wired, the wireless controller won't have any control over wired devices.  Unless there is some mechanism to register devices in the controller or possibly use Clearpass.

Aruba Employee

Re: Airgroup question on Mobility controller ArubaOS 8


@OESTech wrote:

I think I just answered my own question.  If the printers are wired, the wireless controller won't have any control over wired devices.  Unless there is some mechanism to register devices in the controller or possibly use Clearpass.


You are on the right track. ClearPass provides the most flexibility. The controller provides some coarse grouping functionality.

 

This may help: https://www.arubanetworks.com/techdocs/ArubaOS_82_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/Configuring_AirGroup_Profile.htm#Creating3


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Airgroup question on Mobility controller ArubaOS 8

Hi

On ArubaOS8 airgroup can be setup in different ways. Central or decentral. Without knowing the whole new setup I can image that the wired vlan (with the atv or printers) is different per school. This VLAN can be tagged on the uplink of the AP's for that school and the AP will only 'airgroup' those devices in that vlan. Also further control is possible with ClearPass.

I hope this helps
Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744
Occasional Contributor I

Re: Airgroup question on Mobility controller ArubaOS 8

So after talking to our professional services and doing some research, it looks like we'll stick with keeping the schools on separate VLAN.

 

- From what I can tell the Clearpass solution requires use of onboarding or the Guest module.  Our SSIDs are mostly WPA2 personal and don't even use Clearpass.

 

-Since the Airprint printers are wired, there is no solution in the wireless controlller.

 

So our network will look something like this:

Lower school building

Employee SSID = VLAN 10

Student SSID = VLAN 20

 

Middle school building

Employee SSID = VLAN 30

Student SSID = VLAN 40

 

Something like that to keep the broadcast domains separate.  Maybe roaming between building won't be ideal, but it keeps everything else simple.

Guru Elite

Re: Airgroup question on Mobility controller ArubaOS 8

With that being said, you can still do some things in AOS without ClearPass.  You can use autoassociate to associate a wired printer with an access point or group of access points.  That would allow you to say that users can only see that wired printer when a user is associated to that access point or neighboring access points:  https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/airgroup.htm?Highlight=autoassociate

https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/airgroupprofile.htm?Highlight=autoassociate

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: